You are viewing the documentation for an outdated or unreleased devel version.

Differences

This shows you the differences between two versions of the page.

devel:documentation:security:dev:authorization [2019/05/16 09:23]
tomiskar [Settings of permissions for the Helpdesk role]
devel:documentation:security:dev:authorization [2019/08/15 14:48] (current)
kopro [Default settings of permissions for an identity profile]
Line 73: Line 73:
   * ''​PASSWORDCHANGE''​ - permission is evaluated, when identity'​s password is changed.   * ''​PASSWORDCHANGE''​ - permission is evaluated, when identity'​s password is changed.
   * ''​CHANGEPERMISSION''​ - permission is evaluated, when identity'​s permissions is changed => ''​CHANGEPERMISSION''​ on identity gives permissions ''​READ'',​ ''​CREATE'',​ ''​UPDATE'',​ ''​DELETE''​ to identity'​s role requests.   * ''​CHANGEPERMISSION''​ - permission is evaluated, when identity'​s permissions is changed => ''​CHANGEPERMISSION''​ on identity gives permissions ''​READ'',​ ''​CREATE'',​ ''​UPDATE'',​ ''​DELETE''​ to identity'​s role requests.
 +  * ''​MANUALLYDISABLE''​- Deactivate identity manually. Enables bulk action and quick dashboard button.
 +  * ''​MANUALLYENABLE''​- Activate identity manually. Enables bulk action and quick dashboard button.
  
 ===== Base authorization evaluators ===== ===== Base authorization evaluators =====
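Review bot: The two added entries for MANUALLYDISABLE and MANUALLYENABLE do not say when the permission is evaluated or how it relates to UPDATE on the identity, unlike the neighbouring PASSWORDCHANGE and CHANGEPERMISSION entries, so a reader configuring a role cannot tell from this list whether UPDATE still covers manual activation and deactivation. Suggest wording them in the same form as the other items ("permission is evaluated, when ...") and stating the relation to UPDATE here. Also add the missing space before the dash after the closing quotes so the items match the rest of the list.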
Line 293: Line 295:
  
 ==== Default settings of permissions for an identity profile ==== ==== Default settings of permissions for an identity profile ====
 +
 +<note tip>From version 9.7.3 is'n feature manually disabled and manually enabled for user allowed by permission Identity UPDATE. But exits own permissions for each operation (MANUALLYDISABLE and MANUALLYENABLE)</​note>​
  
 This is a typical setting for the **userRole** - regular user as defined in the [[..:​..:​..:​..:​instalacni_balicek#​definice_opravneni_v_identity_manageru|installation package]]. This is a typical setting for the **userRole** - regular user as defined in the [[..:​..:​..:​..:​instalacni_balicek#​definice_opravneni_v_identity_manageru|installation package]].
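Review bot: The added note tip is ambiguous on the one point it has to make: "is'n" and "exits" leave it unclear whether Identity UPDATE still allows manual disable and enable from version 9.7.3. If the intended meaning is that UPDATE no longer grants these operations, say so directly, for example "Since version 9.7.3, manually disabling or enabling an identity is no longer allowed by the Identity UPDATE permission; each operation has its own permission (MANUALLYDISABLE, MANUALLYENABLE)." Since the note sits directly above the typical userRole settings, it should also say whether that role is expected to receive either permission.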
Line 306: Line 310:
   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator   * Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)   * Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)
-  * Permission to read and change indetity profile: Identity profile | Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)+  * Permission to read and change indetity profile: Identity profile ​(IdmProfile) ​| Read, Update, Create | SelfProfileEvaluator (since the version 9.2.0)
   * Enabling the autocomplete for entities:   * Enabling the autocomplete for entities:
     * User profile (picture) (IdmProfile) | Displaying in autocomplete,​ selections | BasePermissionEvaluator     * User profile (picture) (IdmProfile) | Displaying in autocomplete,​ selections | BasePermissionEvaluator
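Review bot: The changed line still reads "indetity profile"; since the line is being edited to add the (IdmProfile) entity name, fix the typo to "identity profile" in the same change. The added entity name is consistent with the form used by the other items, such as "User profile (picture) (IdmProfile)".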
Line 318: Line 322:
     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator ​      ​**(<​- use this only when using acc module)**     * Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator ​      ​**(<​- use this only when using acc module)**
     * Connected systems | Displaying in autocomplete,​ selections | BasePermissionEvaluator ​     * Connected systems | Displaying in autocomplete,​ selections | BasePermissionEvaluator ​
-  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possible ​in wrong place.+  * Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.). The permission is possibly ​in wrong place.
   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete,​ selections | BasePermissionEvaluator   * Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete,​ selections | BasePermissionEvaluator
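Review bot: The sentence "The permission is possibly in wrong place." on the AutomaticRoleRequestByWfInvolvedIdentityEvaluator line is still an unresolved remark inside a permission settings list; the wording fix from "possible" to "possibly" does not tell the reader whether to configure this permission or where it belongs instead. Either decide and move the item, or state the open question explicitly (which role or section it may belong to). The stray space in "( It's good" and the doubled punctuation ".)." on the same line could be cleaned up in the same edit.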