
Task #2234

Authorization policies - use selected permissions only from transitive evaluator

Added by Radek Tomiška 5 months ago. Updated 4 months ago.

Status: Closed
Priority: Normal
Category: Authentication / Authorization
Target version:
Start date: 04/29/2020
Due date:
% Done: 100%
Estimated time:

Description

When a transitive evaluator is configured, all owner permissions are granted transitively. This is not required in some use cases.

Example:
- I want to read and edit a subordinate (identity), but I don't want to edit all its contracts.

Add permissions support to transitive policies (AbstractTransitiveEvaluator) - the configured permissions will be intersected with the owner permissions => only the selected permissions will be granted by the owner.


Related issues

Related to CzechIdM - Task #2229: Identity projection - support edit more contracts in projection (Closed, 04/23/2020)

Related to CzechIdM - Task #1784: LRT: support multiple properties (Closed, 08/07/2019)

Related to CzechIdM - Task #2239: Authorization policies - prevent to configure IdentityContractByIdentityEvaluator and IdentityByContractEvaluator simultaneously (New, 05/06/2020)

History

#1 Updated by Radek Tomiška 5 months ago

  • Related to Task #2229: Identity projection - support edit more contracts in projection added

#2 Updated by Radek Tomiška 5 months ago

  • Related to Task #1784: LRT: support multiple properties added

#3 Updated by Radek Tomiška 5 months ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda
  • % Done changed from 0 to 90

It's implemented - only selected permissions can be used from owner permissions transitively.
I've added a new abstract transitive evaluator property (include-permissions), but each evaluator needs to override and implement this new feature (the getPredicate method has to be changed and the new configuration form attribute has to be used) - the new behaviour is implemented in IdentityContractByIdentityEvaluator only for now.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/c12ba746ded7759df8719b1f380fd6a6c6825b41

Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#abstracttransitiveevaluator
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates

Could you provide me with feedback, please?

#4 Updated by Vít Švanda 5 months ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Vít Švanda to Radek Tomiška
  • % Done changed from 90 to 100

I did a review and tested it. Works nicely. Thanks for this feature.

I had one obstacle. By my mistake I configured permissions in the combination IdentityContractByIdentityEvaluator and IdentityByContractEvaluator. This caused over-looping. I know this combination is totally wrong, but some validation could be created in the future for this.

#5 Updated by Radek Tomiška 5 months ago

I think so, created #2239 - hard validation in the product will be better than documentation.
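The two points raised on this task, the permission intersection from the description (only the selected permissions pass from the owner to the transitively evaluated entity) and the over-looping from comment #4 (two transitive evaluators that depend on each other), are shown together in the added example below. This is illustration code written for this page, not CzechIdM's own code: the class names SubordinatesEvaluator, ContractByIdentityEvaluator, IdentityByContractEvaluator and AuthorizationManager, the depends_on attribute and the include_permissions field are all assumptions modelled on the description, and the users, contracts and manager relations are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Perm(str, Enum):
    READ = "READ"
    UPDATE = "UPDATE"
    DELETE = "DELETE"


@dataclass(frozen=True)
class Identity:
    username: str


@dataclass(frozen=True)
class Contract:
    contract_id: str
    identity: Identity  # owner of the contract


@dataclass
class SubordinatesEvaluator:
    """Hypothetical base policy: a manager gets fixed permissions on each subordinate identity."""
    managers: dict          # subordinate username -> set of manager usernames (constructed data)
    permissions: frozenset  # permissions granted on the subordinate identity

    def evaluate(self, manager, principal, entity):
        if isinstance(entity, Identity) and principal in self.managers.get(entity.username, set()):
            return set(self.permissions)
        return set()


@dataclass
class ContractByIdentityEvaluator:
    """Hypothetical transitive policy: permissions on a contract derive from the permissions the
    principal has on the contract's owner. Empty include_permissions = legacy behaviour (all pass)."""
    include_permissions: frozenset = frozenset()
    depends_on = (Contract, Identity)  # evaluates Contract, asks transitively about Identity

    def evaluate(self, manager, principal, entity):
        if not isinstance(entity, Contract):
            return set()
        owner_perms = manager.permissions(principal, entity.identity)
        if not self.include_permissions:
            return owner_perms
        return owner_perms & self.include_permissions  # intersection: only selected permissions


@dataclass
class IdentityByContractEvaluator:
    """Hypothetical transitive policy in the opposite direction (identity by its contracts).
    Together with ContractByIdentityEvaluator it would recurse forever; the check below rejects it."""
    contracts: tuple = ()
    depends_on = (Identity, Contract)

    def evaluate(self, manager, principal, entity):
        if not isinstance(entity, Identity):
            return set()
        granted = set()
        for contract in self.contracts:
            if contract.identity == entity:
                granted |= manager.permissions(principal, contract)
        return granted


def transitive_cycle(policies):
    """True when transitive dependencies form a cycle (e.g. Contract -> Identity -> Contract)."""
    edges = {}
    for policy in policies:
        dep = getattr(policy, "depends_on", None)
        if dep:
            edges.setdefault(dep[0], set()).add(dep[1])

    def reaches_itself(node, path):
        if node in path:
            return True
        return any(reaches_itself(nxt, path | {node}) for nxt in edges.get(node, ()))

    return any(reaches_itself(start, frozenset()) for start in edges)


class AuthorizationManager:
    """Unions the permissions of all configured policies; refuses cyclic transitive configurations."""

    def __init__(self, policies):
        self.policies = list(policies)
        if transitive_cycle(self.policies):
            raise ValueError("transitive evaluators depend on each other in a cycle")

    def permissions(self, principal, entity):
        granted = set()
        for policy in self.policies:
            granted |= policy.evaluate(self, principal, entity)
        return granted


def demo():
    """Constructed sample: alice manages bob, and bob owns one contract."""
    bob = Identity("bob")
    contract = Contract("c1", bob)
    base = SubordinatesEvaluator(managers={"bob": {"alice"}},
                                 permissions=frozenset({Perm.READ, Perm.UPDATE, Perm.DELETE}))
    legacy = AuthorizationManager([base, ContractByIdentityEvaluator()])
    restricted = AuthorizationManager(
        [base, ContractByIdentityEvaluator(include_permissions=frozenset({Perm.READ}))])
    return {
        "identity": restricted.permissions("alice", bob),                  # read and edit subordinate
        "contract_legacy": legacy.permissions("alice", contract),          # every owner permission
        "contract_restricted": restricted.permissions("alice", contract),  # only READ survives
        "stranger": restricted.permissions("carol", contract),             # nothing on the owner
    }


if __name__ == "__main__":
    for name, perms in demo().items():
        print(name, sorted(p.value for p in perms))
```

With include_permissions left empty the contract inherits READ, UPDATE and DELETE from the owner; with include_permissions set to READ the manager can still read and edit the subordinate but only read the contract, which is the use case from the description. The cycle check stands in for the hard validation proposed in #2239: it works on the declared dependency direction of each evaluator rather than on the specific class pair, so it also catches longer chains.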

#6 Updated by Radek Tomiška 5 months ago

  • Related to Task #2239: Authorization policies - prevent to configure IdentityContractByIdentityEvaluator and IdentityByContractEvaluator simultaneously added

#7 Updated by Radek Tomiška 4 months ago

  • Status changed from Resolved to Closed
