Permission - How to allow users editing of some EAVs
Since IdM version 8.2.0, it is possible to define permissions not only for identity as a whole, but also for individual attributes. This means that it is now possible for one user to view (or edit) all his attributes, and only one attribute for the other.
This tutorial shows how to set authorization policies for individual attributes.
Enable authorization policies
First of all you must enable authorization policies for identity EAV by this configuration - idm.sec.core.identity.formAttributes.secured=true (Settings → Configuration → Add new configuration item)
Add permissions to the userRole
UserRole is a special role that contains permissions for all users.
Add permissions to the userRole and select the form for which you want to manage authorization policies. (Roles → userRole → Permissions → Add new permission).
- Entity type: Forms - definitions (IdmFormDefinition)
- Permissions: View in selectbox (Autocomplete)
- Evaluator type: FormDefinitionUuidEvaluator
- Form definition: Fill in name of the form for which you want to manage authorization policies. For example default - IdmIdentity.
Add permissions for a specific attribute. Also can be used repeatedly for multiple attributes.
- Entity type: Forms - values (IdmIdentityFormValue)
- Permissions: Select permissions which you want to set for the specific attribute.
- Evaluator type: IdentityFormValueEvaluator - If you do not see this evaluator log out and log in again
- Form definition: Name of the form for which you manage authorization policies.
- Attributes: Fill in the code of the attribute for which you want to set this permission or leave empty if you want to use all form attributes.
- Logged user only: True or false. Add permission to currently logged user only. Logged user doesn't get permissions to other users attributes.
- By permission to update user: True or false. Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too).
- By permission to read user: True or false. Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).
Example - One editable attribute
In the following example, we will show specific settings to allow the editing of one attribute - Data anonymization by which the user determines whether he wants to anonymize his data in the connected system or not. All other attributes are loaded from the connected system.
1.Enable authorization policies for identity EAV by this configuration - idm.sec.core.identity.formAttributes.secured=true (Settings → Configuration → Add new configuration item)
2.Add permissions to the userRole and select IdmIdentity form for which you want to manage authorization policies. (Roles → userRole → Permissions → Add new permission).
- Entity type: Forms - definitions (IdmFormDefinition)
- Permissions: View in selectbox (Autocomplete)
- Evaluator type: FormDefinitionUuidEvaluator
- Form definition: IdmIdentity
3.Add read permissions for all IdmIdentity form attributes.
- Entity type: Forms - values (IdmIdentityFormValue)
- Permissions: Select read
- Evaluator type: IdentityFormValueEvaluator - If you do not see this evaluator log out and log in again
- Form definition: IdmIdentity
- Attributes: Leave empty because we want to use all form attributes
- Logged user only: True - Add permission to currently logged user only. Logged user doesn't get permissions to other users attributes.
- By permission to update user: False
- By permission to read user: False
4.Add edit and read permissions for a Data anonymization attribute.
- Entity type: Forms - values (IdmIdentityFormValue)
- Permissions: Read, Update
- Evaluator type: IdentityFormValueEvaluator
- Form definition: IdmIdentity
- Attributes: Editable attribute
- Logged user only: True - Add permission to currently logged user only. Logged user doesn't get permissions to other users attributes.
- By permission to update user: False
- By permission to read user: False
5.That is all. Now users will only be able to edit this attribute.