Task #2204
closed
Authorization policies: Add permission to identity by contract (transitively)
100%
Description
Add new autorization policy to add permission to identity by permission by identity contract (transitively). Permission to contract can be given by subordinate evaluator.
Related issues
Updated by Radek Tomiška over 4 years ago
- Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for currect contract added
Updated by Radek Tomiška over 4 years ago
- Subject changed from Authorization policies: Add permission to identity by contract (transitivelly) to Authorization policies: Add permission to identity by contract (transitively)
- Description updated (diff)
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
I've added three new authorization evaluators:
- SubordinateContractEvaluator
- IdentityByContractEvaluator
- IdentityRoleByContractEvaluator
The main benefit is, we are able to configure permission to some of contracts (~ by contract manager) instead for the whole identity - so logged identity can see (read / update) only contracts, which he manages. + With ''IdentityRoleByContractEvaluator'' combination is able to see (edit) only roles for these contracts.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/2baf6f1f2f82f6892e5ba02016b23e9c5b00320f
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization
Could you provide me a feedback, please?
Updated by Radek Tomiška over 4 years ago
- Related to Feature #1146: Managers should change roles only for the contracts, for which they are managers added
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Radek Tomiška
I did reivew and test. Work perfectly. I found only one formal thing. Informations writte in the wiki https://wiki.czechidm.com/devel/documentation/security/dev/authorization I expected in changelog too. Or did I miss something?
Updated by Radek Tomiška over 4 years ago
This new evaluators can be configured optionally. Previous configuration works too, it's fully backward compatible, so I didn't add note to changelog. But I can do it, if it's needed?
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
This feature is fully backward compatible, change log is not needed.
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed