Task #2204

closed

Authorization policies: Add permission to identity by contract (transitively)

Added by Radek Tomiška almost 4 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Authentication / Authorization
Target version:
Start date: 04/14/2020
Due date:
% Done: 100%
Estimated time:
Owner:

Description

Add a new authorization policy to add permission to identity by permission by identity contract (transitively). Permission to contract can be given by subordinate evaluator.


Related issues

Related to IdStory Identity Manager - Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract | Closed | Radek Tomiška | 01/06/2020

Related to IdStory Identity Manager - Feature #1146: Managers should change roles only for the contracts, for which they are managers | Closed | Radek Tomiška | 01/06/2020

Actions #1

Updated by Radek Tomiška almost 4 years ago

  • Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for current contract added
Actions #2

Updated by Radek Tomiška almost 4 years ago

  • Subject changed from Authorization policies: Add permission to identity by contract (transitivelly) to Authorization policies: Add permission to identity by contract (transitively)
  • Description updated (diff)
  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

I've added three new authorization evaluators:
- SubordinateContractEvaluator
- IdentityByContractEvaluator
- IdentityRoleByContractEvaluator

The main benefit is that we are able to configure permission to some of the contracts (~ by contract manager) instead of the whole identity, so the logged identity can see (read / update) only the contracts which he manages. Plus, in combination with IdentityRoleByContractEvaluator, he is able to see (edit) only roles for these contracts.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/2baf6f1f2f82f6892e5ba02016b23e9c5b00320f

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization

Could you provide me feedback, please?
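
The scoping described in the comment above, as an added example that is not part of the ticket or of the CzechIdM code base: a simplified Python model of how contract-level permissions can flow transitively to the identity and to its role assignments. All class names, function names, permission names and sample data are constructed, and the evaluator semantics are an assumption drawn from the description.

```python
from dataclasses import dataclass

# Simplified model of the three evaluators named in the comment above.
# Names, permissions and sample data are constructed; not the CzechIdM API.

@dataclass(frozen=True)
class Contract:
    id: str
    identity: str   # owner of the contract
    manager: str    # identity that manages this contract

@dataclass(frozen=True)
class IdentityRole:
    role: str
    contract_id: str  # a role is assigned to a contract, not to the identity

CONTRACTS = [
    Contract("c1", "alice", "bob"),
    Contract("c2", "alice", "carol"),
    Contract("c3", "dave", "carol"),
]
ROLES = [IdentityRole("hr-admin", "c1"), IdentityRole("developer", "c2"),
         IdentityRole("auditor", "c3")]

def contract_permissions(user, contract):
    """Subordinate-contract rule: a manager gets permissions on managed contracts."""
    return {"READ", "UPDATE"} if contract.manager == user else set()

def identity_permissions(user, identity):
    """Identity-by-contract rule: union of permissions over the identity's contracts."""
    perms = set()
    for c in CONTRACTS:
        if c.identity == identity:
            perms |= contract_permissions(user, c)
    return perms

def identity_role_permissions(user, identity_role):
    """Identity-role-by-contract rule: inherit only from the role's own contract."""
    contract = next((c for c in CONTRACTS if c.id == identity_role.contract_id), None)
    # Fail closed: a role pointing at an unknown contract grants nothing.
    return contract_permissions(user, contract) if contract else set()

def visible_roles(user, identity):
    """Roles of `identity` that `user` may read."""
    owned = {c.id for c in CONTRACTS if c.identity == identity}
    return sorted(r.role for r in ROLES
                  if r.contract_id in owned and "READ" in identity_role_permissions(user, r))
```

In this model bob reaches alice through contract c1, but the roles he can see stay limited to that contract; the role on c2, managed by carol, remains hidden from him.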

Actions #3

Updated by Radek Tomiška almost 4 years ago

  • Related to Feature #1146: Managers should change roles only for the contracts, for which they are managers added
Actions #4

Updated by Vít Švanda almost 4 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška

I did a review and test. Works perfectly. I found only one formal thing. I expected the information written in the wiki https://wiki.czechidm.com/devel/documentation/security/dev/authorization in the changelog too. Or did I miss something?

Actions #5

Updated by Radek Tomiška almost 4 years ago

These new evaluators can be configured optionally. The previous configuration works too; it's fully backward compatible, so I didn't add a note to the changelog. But I can do it, if it's needed?

Actions #6

Updated by Radek Tomiška almost 4 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

This feature is fully backward compatible; a change log is not needed.

Actions #7

Updated by Radek Tomiška almost 4 years ago

  • Status changed from Resolved to Closed