Task #2204

Authorization policies: Add permission to identity by contract (transitively)

Added by Radek Tomiška 8 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Category: Authentication / Authorization
Target version:
Start date: 04/14/2020
Due date:
% Done: 100%
Estimated time:
Milestones:

Description

Add a new authorization policy to add permission to identity by permission by identity contract (transitively). Permission to contract can be given by subordinate evaluator.


Related issues

Related to CzechIdM - Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for currect contract (Closed, 01/06/2020)

Related to CzechIdM - Feature #1146: Managers should change roles only for the contracts, for which they are managers (Closed, 01/06/2020)

History

#1 Updated by Radek Tomiška 8 months ago

  • Related to Task #2002: Managers of contracts ended in the past shouldn't be able to change roles for currect contract added

#2 Updated by Radek Tomiška 8 months ago

  • Subject changed from Authorization policies: Add permission to identity by contract (transitivelly) to Authorization policies: Add permission to identity by contract (transitively)
  • Description updated (diff)
  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

I've added three new authorization evaluators:
- SubordinateContractEvaluator
- IdentityByContractEvaluator
- IdentityRoleByContractEvaluator

The main benefit is that we are able to configure permission to some of the contracts (~ by contract manager) instead of for the whole identity, so the logged identity can see (read / update) only contracts which he manages. In combination with IdentityRoleByContractEvaluator, he is able to see (edit) only roles for these contracts.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/2baf6f1f2f82f6892e5ba02016b23e9c5b00320f

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization

Could you provide me with feedback, please?
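
The scoping described in the comment above, as an added sketch that is not CzechIdM code and not part of the original ticket: a small Python model in which permissions are granted per managed contract, carried over to the identity transitively, and used to limit which roles can be edited. The data model, function names and sample contracts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    id: str
    identity: str         # identity that owns the contract
    managers: frozenset   # users who manage this contract
    roles: frozenset      # roles assigned through this contract

# Constructed sample data (hypothetical): alice has two contracts with
# different managers, dave has one.
CONTRACTS = [
    Contract("c1", "alice", frozenset({"bob"}), frozenset({"developer"})),
    Contract("c2", "alice", frozenset({"carol"}), frozenset({"auditor"})),
    Contract("c3", "dave", frozenset({"carol"}), frozenset({"helpdesk"})),
]

def contract_permissions(user, contract, granted):
    """Subordinate-contract step: the configured permissions apply
    only to contracts the logged user manages."""
    return set(granted) if user in contract.managers else set()

def identity_permissions(user, identity, granted):
    """Identity-by-contract step: whatever the user holds on any of the
    identity's contracts carries over to the identity (transitively)."""
    perms = set()
    for c in CONTRACTS:
        if c.identity == identity:
            perms |= contract_permissions(user, c, granted)
    return perms

def editable_roles(user, identity, granted):
    """Identity-role-by-contract step: only roles assigned through
    contracts on which the user holds UPDATE are editable."""
    return {
        role
        for c in CONTRACTS
        if c.identity == identity
        and "UPDATE" in contract_permissions(user, c, granted)
        for role in c.roles
    }

if __name__ == "__main__":
    granted = {"READ", "UPDATE"}
    for manager in ("bob", "carol"):
        print(manager, "on alice:",
              sorted(identity_permissions(manager, "alice", granted)),
              sorted(editable_roles(manager, "alice", granted)))
```

A policy scoped to the whole identity would let either manager edit both of alice's roles; here each manager reaches only the role on the contract he manages.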

#3 Updated by Radek Tomiška 8 months ago

  • Related to Feature #1146: Managers should change roles only for the contracts, for which they are managers added

#4 Updated by Vít Švanda 7 months ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška

I did a review and test. Works perfectly. I found only one formal thing: I expected the information written in the wiki https://wiki.czechidm.com/devel/documentation/security/dev/authorization to be in the changelog too. Or did I miss something?

#5 Updated by Radek Tomiška 7 months ago

These new evaluators can be configured optionally. The previous configuration works too; it's fully backward compatible, so I didn't add a note to the changelog. But I can do it, if it's needed?

#6 Updated by Radek Tomiška 7 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

This feature is fully backward compatible; a changelog note is not needed.

#7 Updated by Radek Tomiška 7 months ago

  • Status changed from Resolved to Closed
