Evaluators for IdmIdentity

Evaluator that is given a tree node and provides permissions towards identities with contracts on this tree node or nodes below it.

If given the id of the tree node marked blue as its parameter, this evaluator will give the user permissions to all the identities marked green.

Tree node - id of the root tree node from which to look for users.

Evaluator that is given a form projection and gives permissions to all the users with this form projection assigned. In case it is given null as its parameter, it will give the user permissions to all identities without an assigned form projection.

Form projection - id of the form projection from which to look for users

Gives a user permissions to their managers, either by tree structure or by contract guarantee relations.

Both tree structures and contract guarantee relations only work for direct managers, i.e. user doesn't see the managers of their managers.

To the user marked blue, the evaluator will give permissions to the identities marked green.

Gives an user permissions for their own identity.

Evaluator that gives the user permissions to all identities that have assigned contracts that the user has permissions for.

This evaluator gives the user permissions to all identities with roles that this user is a guarantee of, using both guarantees by role and direct role guarantees.

It does not consider roles held through accounts neither when considering which roles are guaranteed by the user nor when looking for identities with those roles.

User marked with blue will be given permissions to all the users marked green.

Grants the user permissions to subordinates through both tree structures and direct contract guarantees. Both tree structures and contract guarantee relations only work for direct managers, i.e. user doesn't see the subordinates of their subordinates.

The user marked blue would be given permissions for all the identities marked green.

Evaluator that gives permissions to all direct guarantees of the subordinates (optionally restricted to a form projection) of the logged in user. Criteria for subordinates are the same as for SubordinateEvaluator. Guarantees of the subordinates are found using direct guarantees only, tree structures are ignored. If no projection is set, it is not used in the evaluator at all - it is not possible to configure the evaluator to restrict the search only to subordinates that have no form projection.

The user marked blue would be given permissions for all the identities marked green (assuming the identities at the bottom of the image have the appropriate form projection if one is set).

Form projection - id of the form projection that the subordinates will be filtered by.