Feature #1146

Managers should change roles only for the contracts for which they are managers

Added by Alena Peterová over 2 years ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Category: Roles
Target version:
Start date: 01/06/2020
Due date:
% Done: 100%
Estimated time:
Milestones:

Description

This is a security feature.
The scenario:
  • The user has 2 contracts
  • The first contract has manager A, the second contract has manager B
  • Manager A requests a role change. He can assign or remove roles to/from both contracts.

Manager A should be able to change the roles only for the first contract.
Manager B should be able to change the roles only for the second contract.

Also, in the approval round for role requests - approval by manager - there should be only the manager of the contract for which the roles are requested.


Related issues

Related to CzechIdM - Task #1085: Display the contract in the tasks of the role request (Closed, 04/26/2018)

Related to CzechIdM - Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract (Closed, 01/06/2020)

Related to CzechIdM - Task #2204: Authorization policies: Add permission to identity by contract (transitively) (Closed, 04/14/2020)

Related to CzechIdM - Task #2220: Split role request approval by contract managers (New, 04/20/2020)

History

#2 Updated by Alena Peterová over 2 years ago

  • Related to Task #1085: Display the contract in the tasks of the role request added

#3 Updated by Alena Peterová over 2 years ago

  • Description updated (diff)

#6 Updated by Marcel Poul 11 months ago

  • Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract added

#7 Updated by Radek Tomiška 8 months ago

  • Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added

#8 Updated by Radek Tomiška 8 months ago

  • Status changed from New to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • Target version set to 10.3.0
  • % Done changed from 0 to 90

I accidentally implemented this together with #2204 - it covers this UC too :).
I improved the default authorization policy settings for userRole:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates

Could you provide me feedback, please?

#9 Updated by Radek Tomiška 8 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 50

One requirement from the description is not implemented:
Also, in the approval round for role requests - approval by manager - there should be only the manager of the contract for which the roles are requested.

#10 Updated by Radek Tomiška 7 months ago

  • Related to Task #2220: Split role request approval by contract managers added

#11 Updated by Radek Tomiška 7 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 50 to 90

I've added the base permission 'CHANGEPERMISSION' to contracts. This permission can be granted per contract instead of adding it to the whole identity.
When a role request is created by a contract manager, he can change or add assigned roles just for his contracts (other assigned roles are shown only - buttons are disabled).

Role request approval fits the UC when the role request is created by a manager (~the approval round by manager is skipped automatically).

For role request approval when two or more different managers are involved (e.g. the role request is created by an administrator), a new ticket #2220 was created.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/cd95affc6511b31559e3d6c9a4377c072934eab8

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates

Could you please provide me feedback?

Note: The base permission 'CHANGEPERMISSION' to contracts should be granted automatically by the user role (~IdentityContractByIdentityEvaluator), so no additional configuration is needed for backward compatibility. But I've added a note to the change log too.
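As an added illustration (not code from this ticket or from CzechIdM), a small standalone Python model of the per-contract CHANGEPERMISSION described in the comment above: which changes in a role request the requester may make, and when the approval round by manager can be skipped. Contract, RoleChange, contract_permissions, evaluate_request, manager_approval_needed and the sample data are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed model of the ticket's per-contract CHANGEPERMISSION; names are this
# example's own, not CzechIdM's API.
CHANGEPERMISSION = "CHANGEPERMISSION"

@dataclass(frozen=True)
class Contract:
    id: str
    identity: str  # user who holds the contract
    manager: str   # manager of this particular contract

@dataclass(frozen=True)
class RoleChange:
    contract_id: str
    role: str
    action: str    # "add" or "remove"

def contract_permissions(contracts, requester, identity_grants=frozenset()):
    """Base permissions the requester holds on each contract: a manager gets
    CHANGEPERMISSION only on the contracts he manages (per-contract grant);
    identity_grants names identities on whose every contract the requester
    holds it (the older whole-identity grant, e.g. for an administrator)."""
    perms = {}
    for c in contracts:
        granted = c.manager == requester or c.identity in identity_grants
        perms[c.id] = {CHANGEPERMISSION} if granted else set()
    return perms

def evaluate_request(contracts, requester, changes, identity_grants=frozenset()):
    """Split a role request into changes the requester may make and changes
    that stay read-only (buttons disabled). Unknown contract ids are denied."""
    perms = contract_permissions(contracts, requester, identity_grants)
    allowed, denied = [], []
    for change in changes:
        ok = CHANGEPERMISSION in perms.get(change.contract_id, set())
        (allowed if ok else denied).append(change)
    return allowed, denied

def manager_approval_needed(contracts, requester, changes):
    """The approval round by manager is skipped only when the requester manages
    every contract the request touches; otherwise the contract managers must
    approve (splitting approval among several managers is ticket #2220)."""
    managers = {c.id: c.manager for c in contracts}
    return any(managers.get(ch.contract_id) != requester for ch in changes)

# Constructed sample: one user with two contracts, each with its own manager.
CONTRACTS = [Contract("c1", "user", "managerA"), Contract("c2", "user", "managerB")]
REQUEST = [RoleChange("c1", "developer", "add"), RoleChange("c2", "auditor", "remove")]
```

Running evaluate_request(CONTRACTS, "managerA", REQUEST) allows only the change on c1 and leaves the change on c2 read-only, which is the behaviour the comment describes.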

#12 Updated by Vít Švanda 7 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did a review and test. Works perfectly. The manager can change permissions only for his contracts now. I appreciate the implementation of the "addPermissions" feature. This prevents redundant requests on the BE. Thanks for that.

#13 Updated by Radek Tomiška 7 months ago

  • Status changed from Resolved to Closed
