Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
tutorial:adm:codeable_permission [2019/05/02 05:17]
kopro typo fix 		tutorial:adm:codeable_permission [2019/05/20 09:01] (current)
fiserp proofreading
Line 1: Line 1:
 ====== Create evaluator with restrictions on one entity ===== ====== Create evaluator with restrictions on one entity =====
-{{tag> evaluator evaluators restrictions restrict codeable }} 
  
-Codeable evaluator is useful for restriction on selected entity. For example if you want that one user see only one another user with defined username or uuid, or for restrict that user see only this role defined by code or uuid.+{{tag>authorization certificate codeable evaluator evaluators restrict restrictions}}
  
-In this tutorial is described how to admin creates new evaluator that allow see only specific entity.+Codeable evaluator is useful for restricting privileges on selected entity. For example, if you want one user to be able to see only other user (with defined username or uuid), or for restricting that user to see only a role (defined by code or uuid). 
 + 
 +This tutorial describes how admin can create a new evaluator to achieve that.
  
 ===== Define evaluator with restriction for one identity (user) ===== ===== Define evaluator with restriction for one identity (user) =====
-There is describes how to create evaluator that restrict permission to see only one identity (user).+This section describes how to create evaluator that restricts permission to see only one identity (user).
  
 ==== Step 1. - Get username of user ==== ==== Step 1. - Get username of user ====
Line 15: Line 16:
  
 ==== Step 2. - Create codeable evaluator for role ==== ==== Step 2. - Create codeable evaluator for role ====
-For next step must exists role. For this role will be created new evaluator. If you don't have role please create one. For this role go to submenu **Permission** and then add new evaluator by button **Add**.+For this step role must exist so we can hook a new evaluator to this role. If you don't have such a roleplease create one. Once you have a rolego to its submenu **Permission** and then add new evaluator by button **Add**.
 {{ :tutorial:adm:eval001.png |}} {{ :tutorial:adm:eval001.png |}}
  
 ==== Step 3. - Define new evaluator ==== ==== Step 3. - Define new evaluator ====
-On modal window select entity type as **IdmIdentity**. Evaluator type select **CodeableEvaluator** and then will be shown evaluator configuration with one option **identifier**. Into identifier can be put uuid or username.+On modal windowselect
 +  * Entity type**IdmIdentity**. 
 +  * Evaluator type**CodeableEvaluator** 
 + 
 +Then, application will display an evaluator configuration dialog with one option marked **identifier**. Put UUID or username of an user (identiti) into this field.
  
 {{ :tutorial:adm:eval002.png |}} {{ :tutorial:adm:eval002.png |}}
  
-And after save new evaluator will be shown in evaluators table:+Save the new evaluator. If the action was successful, you can verify new evaluator in the list of active evaluators
 + 
 +{{ :tutorial:adm:eval02.png |}}
  
-{{ :tutorial:adm:eval003.png |}} 
  
 ==== Step 4. - Add role to user ==== ==== Step 4. - Add role to user ====
-After this role will be added to user. User will saw identity with username john.doe in all identities.+Choose some other user (the user you want to give the permission to) and add him the role you configured. This user now obtains a new permission as defined in the evaluator. 
 + 
 +{{ :tutorial:adm:roleadd001.png |}} 
 + 
 +{{ :tutorial:adm:eval003.png |}}
  
 +==== Step 5. - Result ====
 +Final result. We assigned a role to the **richard.roe**. This user now can see the **john.doe** identity in IdM.
 {{ :tutorial:adm:eval004.png |}} {{ :tutorial:adm:eval004.png |}}
  
  
 ===== Define evaluator with restriction for access to one certification authority ===== ===== Define evaluator with restriction for access to one certification authority =====
 +This tutorial is similar to the first one. Instead of an identity, we grant user a permission to work with some certificate authority. For example, this restriction can be used for adding permissions to request certificates only from particular certificate authority authority. If you have multiple CAs defined, you can create one role for each of your CAs an then assign those roles to users as necessary.
  
 ==== Step 1. - Get code of certification authority ==== ==== Step 1. - Get code of certification authority ====
-In first step we must get code of certification authority.+Get the **code** of certification authority.
  
-<note important>Code as identifier can be used from version 1.3.0 crt module. For lower version you must use ID (UUID) of certification authorityID can be found in webrowser URL.</note>+<note important>**Code** can be used in 1.3.0 (and later) version of crt module. If you use lower version of crt module, you have to use UUID as an identifierUUID can be found in browser URL when you open the certificate authority detail page.</note>
  
 {{ :tutorial:adm:eval010.png |}} {{ :tutorial:adm:eval010.png |}}
  
 ==== Step 2. - Create codeable evaluator for role ==== ==== Step 2. - Create codeable evaluator for role ====
-For next step must exists role. For this role will be created new evaluator. If you don'have role please create one. For this role go to submenu **Permission** and then add new evaluator by button **Add**.+For this step you have to have a role created (if you do not have such a rolecreate it). We will now hook an evaluator to the role. For thisgo to role'submenu **Permission** and then add new evaluator by clicking the **Add** button.
  
 {{ :tutorial:adm:eval011.png |}} {{ :tutorial:adm:eval011.png |}}
  
 ==== Step 3. - Define new evaluator ==== ==== Step 3. - Define new evaluator ====
-On modal window select entity type as **CrtAuthority**. Evaluator type select **CodeableEvaluator** and then will be shown evaluator configuration with one option **identifier**. Into identifier can be put uuid or code of certification authority.+On modal windowselect
 +  * Entity type**CrtAuthority**. 
 +  * Evaluator type**CodeableEvaluator**
 + 
 +Application will display an evaluator configuration dialog with one option marked **identifier**. Fill in the identificator of certificate authority.
  
 {{ :tutorial:adm:eval012.png |}} {{ :tutorial:adm:eval012.png |}}
  
-And after save new evaluator will be shown in evaluators table:+Save new evaluator. If everything is ok, you can see it in the list of existing evaluators.
  
 {{ :tutorial:adm:eval013.png |}} {{ :tutorial:adm:eval013.png |}}
  
 ==== Step 4. - Add role to user ==== ==== Step 4. - Add role to user ====
-After this role will be added to user. User will saw only this certification authority.+Add a role to some user. This user will now obtain a permission to work with particular certificate authority (determined by CA identification in the evaluator).
  
-{{ :tutorial:adm:eval014.png |}}+{{ :tutorial:adm:roleadd02.png |}}
  
-This restriction of certification authority can be used for add permission for request certificates only by one authority.+{{ :tutorial:adm:roleadd22.png |}} 
 + 
 + 
 +==== Step 5. - Result ==== 
 +Final result - user can see only the certification authority you want him to see. 
 + 
 +{{ :tutorial:adm:eval014.png |}}
  • by kopro