
Feature #1146


Managers should change roles only for the contracts for which they are managers

Added by Alena Peterová over 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Radek Tomiška
Category:
Roles
Target version:
Start date:
01/06/2020
Due date:
% Done:

100%

Estimated time:
Owner:

Description

This is a security feature.
The scenario:
  • The user has 2 contracts
  • The first contract has manager A, the second contract has manager B
  • Manager A requests a role change. He can assign or remove roles to/from both contracts.

Manager A should be able to change the roles only for the first contract.
Manager B should be able to change the roles only for the second contract.

Also in the approval round for role requests (approval by manager), only the manager of the contract for which the roles are requested should approve.


Related issues

Related to IdStory Identity Manager - Task #1085: Display the contract in the tasks of the role request (Closed, Ondřej Kopr, 04/26/2018)
Related to IdStory Identity Manager - Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract (Closed, Radek Tomiška, 01/06/2020)
Related to IdStory Identity Manager - Task #2204: Authorization policies: Add permission to identity by contract (transitively) (Closed, Radek Tomiška, 04/14/2020)
Related to IdStory Identity Manager - Task #2220: Split role request approval by contract managers (New, Vít Švanda, 04/20/2020)
Related to IdStory Identity Manager - Feature #2926: Bulk action: Assign role to identity for contract managers and role guarantees (Closed, Radek Tomiška, 09/01/2021)

#2

Updated by Alena Peterová over 6 years ago

  • Related to Task #1085: Display the contract in the tasks of the role request added
#3

Updated by Alena Peterová over 6 years ago

  • Description updated (diff)
#6

Updated by Marcel Poul almost 5 years ago

  • Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract added
#7

Updated by Radek Tomiška over 4 years ago

  • Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added
#8

Updated by Radek Tomiška over 4 years ago

  • Status changed from New to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • Target version set to 10.3.0
  • % Done changed from 0 to 90

I accidentally implemented this together with #2204 - it covers this UC too :).
I improved the default authorization policy settings for userRole:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates

Could you provide me a feedback please?

#9

Updated by Radek Tomiška over 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 50

One requirement from description is not implemented:
Also in the approval round for role requests - approval by manager - there should be only the manager of the contract, for which are the roles requested.

#10

Updated by Radek Tomiška over 4 years ago

  • Related to Task #2220: Split role request approval by contract managers added
#11

Updated by Radek Tomiška over 4 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 50 to 90

I've added the base permission 'CHANGEPERMISSION' to contracts. This permission can be granted per contract instead of adding it to the whole identity.
When a role request is created by a contract manager, he can change or add assigned roles just for his contracts (other assigned roles can only be shown - buttons are disabled).

Role request approval fits the UC when the role request is created by a manager (~the approval round by manager is skipped automatically).

For role request approval when two or more different managers are involved (e.g. the role request is created by an administrator), a new ticket #2220 was created.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/cd95affc6511b31559e3d6c9a4377c072934eab8

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates

Could you please provide me a feedback?

Note: The base permission 'CHANGEPERMISSION' to contracts should be granted automatically by the user role (~IdentityContractByIdentityEvaluator), so no additional configuration is needed for backward compatibility. But I've added a note to the change log too.
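
The per-contract rule from the issue description and the permission model described in comment #11 (change permission granted per contract, other contracts read-only, manager approval only by the managers of the contract concerned, approval skipped for contracts the requester manages), modelled as an added example. This is not CzechIdM code and does not use its API (the real mechanism is the 'CHANGEPERMISSION' base permission granted by IdentityContractByIdentityEvaluator); all class and function names, the exclusion of ended contracts (taken from the related task #2002 title), the identity-wide permission for an administrator and the sample contracts are assumptions constructed for illustration.

```python
"""Per-contract role-change authorization, modelled after the rule in this
issue. Added example, NOT CzechIdM code: Contract, ConceptRole, RoleRequest,
managed_contracts, authorize_request and required_approvers are assumed names.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Contract:
    contract_id: str
    identity: str                       # identity (user) the contract belongs to
    managers: FrozenSet[str]            # identities managing this contract
    valid_till: Optional[date] = None   # None means the contract is open-ended


@dataclass(frozen=True)
class ConceptRole:
    contract_id: str   # contract the role is added to / removed from
    role: str
    operation: str     # "ADD" or "REMOVE"


@dataclass(frozen=True)
class RoleRequest:
    applicant: str                     # identity whose roles change
    created_by: str                    # identity submitting the request
    concepts: Tuple[ConceptRole, ...]


def managed_contracts(contracts: List[Contract], subject: str, today: date) -> Set[str]:
    """Contracts on which `subject` holds the per-contract change permission.
    Assumption (following related task #2002): a contract that already ended
    grants its manager nothing, so he cannot reach the user's current contracts."""
    return {
        c.contract_id
        for c in contracts
        if subject in c.managers and (c.valid_till is None or c.valid_till >= today)
    }


def authorize_request(
    contracts: List[Contract],
    request: RoleRequest,
    today: date,
    identity_wide: FrozenSet[str] = frozenset(),
) -> Tuple[List[ConceptRole], List[ConceptRole]]:
    """Split the request's concepts into (allowed, denied) for its creator.
    `identity_wide` (assumed) lists subjects such as an administrator who hold
    the change permission on the whole identity instead of per contract.
    Everyone else may touch only the applicant's contracts that they manage;
    the rest is denied (shown read-only in the UI)."""
    by_id = {c.contract_id: c for c in contracts}
    managed = managed_contracts(contracts, request.created_by, today)
    allowed: List[ConceptRole] = []
    denied: List[ConceptRole] = []
    for concept in request.concepts:
        contract = by_id.get(concept.contract_id)
        if contract is None or contract.identity != request.applicant:
            denied.append(concept)          # not a contract of the applicant at all
        elif request.created_by in identity_wide or concept.contract_id in managed:
            allowed.append(concept)
        else:
            denied.append(concept)
    return allowed, denied


def required_approvers(
    contracts: List[Contract], request: RoleRequest, concepts: List[ConceptRole], today: date
) -> Dict[str, Set[str]]:
    """Manager approval per contract for already authorized `concepts`: only the
    managers of the contract the roles are requested for approve it. Contracts
    the creator manages himself need no manager approval (round skipped)."""
    by_id = {c.contract_id: c for c in contracts}
    self_managed = managed_contracts(contracts, request.created_by, today)
    approvers: Dict[str, Set[str]] = {}
    for concept in concepts:
        if concept.contract_id in self_managed:
            continue
        approvers.setdefault(concept.contract_id, set()).update(by_id[concept.contract_id].managers)
    return approvers


# Constructed sample data: the scenario from the issue description plus an
# ended third contract. Ids, names and dates are made up.
TODAY = date(2020, 4, 20)
CONTRACTS = [
    Contract("c1", "user", frozenset({"managerA"})),
    Contract("c2", "user", frozenset({"managerB"})),
    Contract("c3", "user", frozenset({"managerC"}), valid_till=date(2019, 12, 31)),
]
REQUEST_BY_A = RoleRequest(
    "user", "managerA",
    (ConceptRole("c1", "reader", "ADD"), ConceptRole("c2", "reader", "ADD")),
)
REQUEST_BY_ADMIN = RoleRequest(
    "user", "admin",
    (ConceptRole("c1", "reader", "ADD"), ConceptRole("c2", "editor", "REMOVE")),
)
ADMINS = frozenset({"admin"})

if __name__ == "__main__":
    ok, no = authorize_request(CONTRACTS, REQUEST_BY_A, TODAY)
    print("manager A may change:", [c.contract_id for c in ok], "denied:", [c.contract_id for c in no])
    ok, _ = authorize_request(CONTRACTS, REQUEST_BY_ADMIN, TODAY, ADMINS)
    print("approvers for the administrator's request:", required_approvers(CONTRACTS, REQUEST_BY_ADMIN, ok, TODAY))
```

Running the block shows manager A's request reduced to contract c1 with c2 denied, and the administrator's request (no contract of his own) routed to manager A for c1 and manager B for c2, which is the split that the related task #2220 asks for.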

#12

Updated by Vít Švanda over 4 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did a review and test. Works perfectly. A manager can change permissions only for his contracts now. I appreciate the implementation of the "addPermissions" feature. This prevents redundant requests on the BE. Thanks for that.

#13

Updated by Radek Tomiška over 4 years ago

  • Status changed from Resolved to Closed
#14

Updated by Radek Tomiška over 3 years ago

  • Related to Feature #2926: Bulk action: Assign role to identity for contract managers and role guarantees added