Feature #1146
Closed
Managers should change roles only for the contracts, for which they are managers
100%
Description
The scenario:
- The user has 2 contracts
- First contract has a manager A, the second contract the manager B
- The manager A requests a role change. He can assign or remove roles to/from both contracts.
The manager A should be able to change the roles only for the first contract.
The manager B should be able to change the roles only for the second contract.
Also in the approval round for role requests - approval by manager - there should be only the manager of the contract for which the roles are requested.
Related issues
Updated by Alena Peterová over 6 years ago
- Related to Task #1085: Display the contract in the tasks of the role request added
Updated by Marcel Poul almost 5 years ago
- Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract added
Updated by Radek Tomiška over 4 years ago
- Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added
Updated by Radek Tomiška over 4 years ago
- Status changed from New to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- Target version set to 10.3.0
- % Done changed from 0 to 90
I accidentally implemented this together with #2204 - it covers this UC too :).
I improved default authorization policies setting for userRole:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates
Could you provide me with feedback, please?
Updated by Radek Tomiška over 4 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 50
One requirement from description is not implemented:
Also in the approval round for role requests - approval by manager - there should be only the manager of the contract for which the roles are requested.
Updated by Radek Tomiška over 4 years ago
- Related to Task #2220: Split role request approval by contract managers added
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 50 to 90
I've added the base permission 'CHANGEPERMISSION' to contracts. This permission can be granted per contract instead of adding it to the whole identity.
When a role request is created by a contract manager, he can change or add assigned roles just for his contracts (other assigned roles can only be shown - buttons are disabled).
Role request approval fits the UC when the role request is created by a manager (~approval round by manager is skipped automatically).
For role request approval when two or more different managers are involved (e.g. the role request is created by an administrator), new ticket #2220 was created.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/cd95affc6511b31559e3d6c9a4377c072934eab8
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates
Could you please provide me with feedback?
Note: The base permission 'CHANGEPERMISSION' to contracts should be granted automatically by the user role (~IdentityContractByIdentityEvaluator), so no additional configuration is needed for backward compatibility. But I've added a note to the change log too.
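Added example, not part of the ticket and not CzechIdM code: a small Python model of the scenario from the description, comparing an identity-scoped check with the contract-scoped check this ticket asks for, plus the manager approval round limited to the manager of the affected contract. All names (`Contract`, `identity_scoped`, `contract_scoped`, `denied`, `manager_approvers`) and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    id: str
    owner: str    # identity that holds the contract
    manager: str  # manager of this one contract

# Constructed sample data: one user, two contracts, two different managers.
CONTRACTS = {
    "c1": Contract("c1", owner="user", manager="managerA"),
    "c2": Contract("c2", owner="user", manager="managerB"),
}

def identity_scoped(requester: str, contract: Contract) -> bool:
    """Reported behaviour: managing any contract of the user unlocks all of them."""
    return any(c.manager == requester
               for c in CONTRACTS.values() if c.owner == contract.owner)

def contract_scoped(requester: str, contract: Contract) -> bool:
    """Requested behaviour: the permission is evaluated per contract."""
    return contract.manager == requester

def denied(requester, changes, check):
    """Return the (contract_id, role) changes the requester may not make.
    Unknown contract ids are denied (fail closed)."""
    return [(cid, role) for cid, role in changes
            if cid not in CONTRACTS or not check(requester, CONTRACTS[cid])]

def manager_approvers(requester, changes):
    """Approval round by manager: only the manager of the contract each role
    is requested for; skipped where the requester is that manager."""
    todo = {}
    for cid, role in changes:
        manager = CONTRACTS[cid].manager
        if manager != requester:
            todo.setdefault(manager, []).append((cid, role))
    return todo

if __name__ == "__main__":
    changes = [("c1", "roleX"), ("c2", "roleY")]  # constructed role names
    print("identity-scoped denies:", denied("managerA", changes, identity_scoped))
    print("contract-scoped denies:", denied("managerA", changes, contract_scoped))
    print("approvers for admin request:", manager_approvers("admin", changes))
```

The check has to run server-side for every changed item in a request; disabled buttons in the UI only reflect its result.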
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did a review and test. Works perfectly. Manager can change permission only for his contracts now. I appreciate the implementation of the "addPermissions" feature. This prevents a redundant request on the BE. Thanks for that.
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed
Updated by Radek Tomiška over 3 years ago
- Related to Feature #2926: Bulk action: Assign role to identity for contract managers and role guarantees added