Feature #1146
closed
Managers should change roles only for the contracts, for which they are managers
Added by Alena Peterová over 6 years ago.
Updated over 4 years ago.
Description
This is a security feature.
The scenario:
- The user has 2 contracts
- First contract has a manager A, the second contract the manager B
- The manager A requests a role change. He can assign or remove roles to/from both contracts.
The manager A should be able to change the roles only for the first contract.
The manager B should be able to change the roles only for the second contract.
Also in the approval round for role requests (approval by manager), there should be only the manager of the contract for which the roles are requested.
- Related to Task #1085: Display the contract in the tasks of the role request added
- Description updated (diff)
- Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract added
- Related to Task #2204: Authorization policies: Add permission to identity by contract (transitively) added
- Status changed from New to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- Target version set to 10.3.0
- % Done changed from 0 to 90
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 50
One requirement from description is not implemented:
Also in the approval round for role requests (approval by manager), there should be only the manager of the contract for which the roles are requested.
- Related to Task #2220: Split role request approval by contract managers added
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 50 to 90
I've added the base permission 'CHANGEPERMISSION' to contracts. This permission can be granted per contract instead of adding it to the whole identity.
When a role request is created by a contract manager, he can change or add assigned roles only for his contracts (other assigned roles are shown only; buttons are disabled).
Role request approval fits the UC when the role request is created by a manager (~the approval round by manager is skipped automatically).
For role request approval when two or more different managers are involved (e.g. the role request is created by an administrator), a new ticket #2220 was created.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/cd95affc6511b31559e3d6c9a4377c072934eab8
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates
Could you please provide me a feedback?
Note: The base permission 'CHANGEPERMISSION' to contracts should be granted automatically by the user role (~IdentityContractByIdentityEvaluator), so no additional configuration is needed for backward compatibility. But I've added a note into the change log too.
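The identity-level versus contract-level check described in this comment, as an added stand-alone model (not CzechIdM code; the Contract and RoleAssignment dataclasses and all names are assumptions for illustration):

```python
# Added illustration of the per-contract CHANGEPERMISSION check, not CzechIdM code.
# Contracts, role assignments and manager lookups are simplified into dataclasses.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Contract:
    id: str
    identity: str                      # user whose roles are being changed
    manager: str                       # identity managing this contract
    valid_till: Optional[date] = None  # None = open-ended contract


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    contract_id: str


def active(contract: Contract, today: date) -> bool:
    """A contract that ended in the past gives its manager no rights (cf. #2002)."""
    return contract.valid_till is None or contract.valid_till >= today


def can_change_identity_level(contracts, requester, assignment, today) -> bool:
    """Behaviour before the fix: managing ANY active contract of the identity
    is enough to change roles on ALL of that identity's contracts."""
    target = next(c for c in contracts if c.id == assignment.contract_id)
    return any(c.manager == requester and c.identity == target.identity
               and active(c, today) for c in contracts)


def can_change_contract_level(contracts, requester, assignment, today) -> bool:
    """Behaviour after the fix: CHANGEPERMISSION is evaluated on the exact
    contract the assignment belongs to."""
    target = next(c for c in contracts if c.id == assignment.contract_id)
    return target.manager == requester and active(target, today)


def editable_assignments(contracts, requester, assignments, today) -> List[RoleAssignment]:
    """Assignments the UI should enable for the requester; the rest stay read-only."""
    return [a for a in assignments if can_change_contract_level(contracts, requester, a, today)]


# Constructed sample: the user from the issue scenario, plus an already ended contract.
CONTRACTS = [
    Contract("c1", "user", "managerA"),
    Contract("c2", "user", "managerB"),
    Contract("c0", "user", "managerC", valid_till=date(2019, 1, 1)),
]
ASSIGNMENTS = [RoleAssignment("vpn", "c1"), RoleAssignment("erp", "c2")]
TODAY = date(2020, 1, 1)
```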
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did review and test. Works perfectly. Manager can change permission only for his contracts now. I appreciate the implementation of the "addPermissions" feature. This prevents redundant requests on the BE. Thanks for that.
- Status changed from Resolved to Closed
- Related to Feature #2926: Bulk action: Assign role to identity for contract managers and role guarantees added