Task #1917
closed
Copying roles from users - add "Can Be Requested" permission
100%
Description
Version 9.7.10
When copying assigned roles from users, it ignores the CANBEREQUESTED permission. So I can copy and assign all roles, not only the roles which I can add by standard role selection.
E.g. manager can see all his subordinates and should be able to assign only "requestable" roles to them. But if one of his subordinates has superAdminRole, the manager can effectively assign this role as well.
Updated by Radek Tomiška over 4 years ago
- Tracker changed from Defect to Task
I supose this feature was designed this way, see:
https://wiki.czechidm.com/tutorial/adm/copying
where all assigned roles and even automatic and sub roles can be copied.
Feature 'Copy of roles' only creates role request, but this request should be approved by workflow, where roles can be removed (e.g. superAdminRole) - it's approver responsibility (if i remeber it right, this was conclusion about this feature).
I'm not sure, if this change is ok for all implementations, we need to analyze this new requirement at first. It goes against original requirements => we will not be able copy automatic and sub roles.
Updated by Alena Peterová over 4 years ago
We consulted this in the team - we agreed that we expect, that the permission "Can be requested" determines, if the role can be added by the role request. It doesn't matter if I choose roles by adding them directly, or by copying them from somebody else.
Our expectation was that if the role can't be requested, then nobody except Admin can assign it. So we usually don't set approval process for non-requestable roles; we thought it's not needed. I see it as a workaround for this situation.
"we will not be able copy automatic and sub roles" - This is not exactly true. We have some roles, that can be requested manually and at the same time, some group of users has these roles automatically assigned. I expect that users can copy only the roles, which Can be requested. It doesn't matter if the "example" user has them automatically, or manually.
Updated by Radek Tomiška over 4 years ago
- Status changed from New to In Progress
- Target version set to Rhyolite (9.7.12)
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 80 to 90
I've added new authorization policy ''IdentityRoleByRoleEvaluator'' - adds ''Can be requested'' permission to assigned roles. This permission is required now for copying of roles feature (roles will be disabled for copying, if this permission is not configured).
If you want to enable copying all assigned roles (the same behavior as before), then add ''BasePermissionEvaluator'' with permission ''CANBEREQUESTED'' for all assigned roles (''IdmIdentityRole'' entity).
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/74ac7b985c03c861eeac19d87be8741db36e809e
Doc:
https://wiki.czechidm.com/tutorial/adm/copying
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_an_identity_profile
https://github.com/bcvsolutions/CzechIdMng/blob/hotfix-9.7.12/CHANGELOG.md#9712
Could you do a feedback, please?
Updated by Radek Tomiška over 4 years ago
- Subject changed from Copying roles from users ignores "Can Be Requested" permission to Copying roles from users - add "Can Be Requested" permission
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I did test and review. Code looks great (interesting idea with disable a nodes and double call). Thanks for that.
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed