https://wiki.czechidm.com/ 2026-05-02T13:41:14+00:00 https://wiki.czechidm.com/ https://wiki.czechidm.com/_media/wiki/logo.png text/html 2025-09-02T14:47:31+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/security/dev/authorization/evaluators?rev=1756824451&do=diff Introduction Evaluators are used to provide permissions for database entities to users, they determine what any user can see and do in IdM. An user is assigned one or multiple roles and each role is assigned one or multiple authorization policies. Each authorization policy says "for X kind of entity, give the user permissions A, B and C according to evaluator C". When resolving permissions, the user gets a given permission for a given entity if at least one authorization policy with that permis… text/html 2020-05-07T17:09:29+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/security/dev/authorization/identity_evaluator_by_work_position?rev=1588871369&do=diff Identity by tree node evaluator The evaluator gives permissions for all identities that has contract position on selected tree node by evaluator configuration or positions that exists recursively under the given tree node. Permissions and work position can be defined by frontend agenda. text/html 2025-09-04T10:18:03+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/security/dev/authorization/idmidentity?rev=1756981083&do=diff Evaluators for IdMIdentity IdentityByTreeNodeEvaluator @since 2.1.0 Evaluator that is given a tree node and provides permissions towards identities with contracts on this tree node or nodes below it. If given the id of the tree node marked with the arrow as its parameter, this evaluator will give the user permissions to all the identities marked green. text/html 2020-05-07T06:18:15+00:00 Anonymous (anonymous@undisclosed.example.com) https://wiki.czechidm.com/devel/documentation/security/dev/authorization/role_evaluator_by_role_catalogue?rev=1588832295&do=diff Role by role catalogue evaluator The evaluator gives permissions for all roles that is inside defined catalogue or below. at least in one role catalogue that is accessible There is example of role catalogue and child's of the catalogue: