Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2021/06/16 10:14]
husniko [RoleGuaranteeEvaluator]
devel:documentation:security:dev:authorization [2022/03/29 07:50]
doischert [ReportByReportTypeEvaluator]
Line 36: Line 36:
     * ''DELETE'' - log deleting     * ''DELETE'' - log deleting
     * ''EXECUTE'' - execute operations (start, cancel etc.)     * ''EXECUTE'' - execute operations (start, cancel etc.)
-  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base permissions it contains => what can be done with the given type. +  * ''GroupPermission'' - a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base persemissions it contains => what can be done with the given type. 
 <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note> <note>By linking a group with a base permission we get an authority - for example ROLE_READ, IDENTITY_WRITE.</note> <note>A Special group is **APP**, which is meant for the application administrators - the authority **APP_ADMIN** is created by linking a group with a base permission. The authority owns all the permissions in the application. </note>
   * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes.    * ''AuthorizationPolicy'' - a policy according to which the permissions for a specific agenda (attribute ''groupPermission'') and specific domain type  (attribute ''authorizableType'') are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attribute ''ConfigurationMap'') and which base permissions (attribute ''basePermissions'') can be acquired if the evaluation passes. 
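Review bot: In the changed ''GroupPermission'' bullet, the new text reads "which base persemissions it contains" where the previous revision had "base permissions". The typo is the only visible change on that line, so the edit should be reverted to "permissions". The term is defined vocabulary on this page (the note right after it builds authorities such as ROLE_READ from "a base permission"), so a misspelling here also hides the definition from anyone searching for it.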
Line 288: Line 288:
  
 For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts. For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts.
 +
 +==== ReportByReportTypeEvaluator ====
 +
 +@since 12.2.0 Gives currently logged identity permission to work with a specified report. The report is specified by executor name (e. g., 'identity-report'). Only one report can be used; if you need to give access to multiple reports, create the permission multiple times. This evaluator limits which report executors are returned as available by ReportManager. For generated reports, the user is able to see EVERY report of the type which was created. To download a report, a simple READ permission is not enough, a CREATE or ADMIN permission is needed.
 +
  
 ==== SelfReportEvaluator ==== ==== SelfReportEvaluator ====
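Review bot: The sentence "For generated reports, the user is able to see EVERY report of the type which was created" in the new ReportByReportTypeEvaluator section describes access that reaches beyond the user's own reports, yet it sits mid-paragraph where an administrator granting READ can easily miss it. Move it into a <note> block like the ones used earlier on this page, and state whether "see" means the report listing or the report contents, since the next sentence requires CREATE or ADMIN to download. Also put "@since 12.2.0" on its own line, name the configuration parameter that holds the executor name, and write "create the policy multiple times" if that is what "create the permission multiple times" means.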
  • by kucerar