Task #2234
Authorization policies - use selected permissions only from transitive evaluator
100%
Description
When a transitive evaluator is configured, all owner permissions are granted transitively. This is not required in some use cases.
Example:
- I want to read and edit a subordinate (identity), but I don't want to edit all its contracts.
Add permissions support to transitive policies (AbstractTransitiveEvaluator) - the configured permissions will be intersected with the owner permissions => only the selected permissions will be granted by the owner.
Related issues
History
#1 Updated by Radek Tomiška 10 months ago
- Related to Task #2229: Identity projection - support edit more contracts in projection added
#2 Updated by Radek Tomiška 10 months ago
- Related to Task #1784: LRT: support multiple properties added
#3 Updated by Radek Tomiška 10 months ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
It's implemented - only selected permissions can be used from owner permissions transitively.
I've added a new abstract transitive evaluator property (include-permissions), but each evaluator needs to override and implement this new feature (the getPredicate method has to be changed and the new configuration form attribute has to be used) - the new behavior is implemented in IdentityContractByIdentityEvaluator only for now.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/c12ba746ded7759df8719b1f380fd6a6c6825b41
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#abstracttransitiveevaluator
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates
Could you provide me with feedback, please?
#4 Updated by Vít Švanda 10 months ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I reviewed and tested it. Works nicely. Thanks for this feature.
I had one obstacle. By my mistake I configured permissions in the combination IdentityContractByIdentityEvaluator and IdentityByContractEvaluator. This caused an endless loop. I know this combination is totally wrong, but some validation could be created for this in the future.
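A constructed model of the behaviour described in the task description (owner permissions intersected with include-permissions) and of the mutual-recursion configuration reported in #4. This is added example code, not CzechIdM's own implementation; `Policy`, `permissions_for`, the `owner_of` callables and the sample identity/contract data are assumptions that model the evaluators, and a cycle is detected at evaluation time here rather than refused at configuration time.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set

# Constructed model of include-permissions on a transitive evaluator; not CzechIdM's own code.
Entity = dict
Permissions = FrozenSet[str]

@dataclass(frozen=True)
class Policy:
    entity_type: str                                    # type the policy applies to
    permissions: Permissions = frozenset()              # direct policy: permissions granted outright
    owner_of: Optional[Callable[[Entity], Optional[Entity]]] = None  # transitive: how to find the owner
    include_permissions: Optional[Permissions] = None   # transitive: None = inherit every owner permission

class CycleError(RuntimeError):
    """Raised when transitive policies refer back to an entity already being evaluated."""

def permissions_for(entity: Entity, policies: List[Policy], _stack: tuple = ()) -> Permissions:
    key = (entity["type"], entity["id"])
    if key in _stack:  # contract -> identity -> contract would otherwise recurse forever
        raise CycleError(" -> ".join(f"{t}:{i}" for t, i in _stack + (key,)))
    granted: Set[str] = set()
    for p in policies:
        if p.entity_type != entity["type"]:
            continue
        if p.owner_of is None:                          # direct policy
            granted |= p.permissions
            continue
        owner = p.owner_of(entity)
        if owner is None:
            continue
        owner_perms = permissions_for(owner, policies, _stack + (key,))
        if p.include_permissions is not None:           # intersection: only selected owner permissions pass
            owner_perms &= p.include_permissions
        granted |= owner_perms
    return frozenset(granted)

# Constructed sample data: one subordinate identity with one contract.
IDENTITIES = {"i1": {"type": "identity", "id": "i1"}}
CONTRACTS = {"c1": {"type": "contract", "id": "c1", "identity": "i1"}}

def contract_owner(c: Entity) -> Optional[Entity]:       # IdentityContractByIdentityEvaluator-like
    return IDENTITIES.get(c["identity"])

def identity_owner_via_contract(i: Entity) -> Optional[Entity]:  # IdentityByContractEvaluator-like (reverse)
    return next((c for c in CONTRACTS.values() if c["identity"] == i["id"]), None)

SUBORDINATE = Policy("identity", permissions=frozenset({"READ", "UPDATE", "DELETE"}))
CONTRACT_BY_IDENTITY = Policy("contract", owner_of=contract_owner, include_permissions=frozenset({"READ"}))
CONTRACT_BY_IDENTITY_ALL = Policy("contract", owner_of=contract_owner)   # behaviour before this task
IDENTITY_BY_CONTRACT = Policy("identity", owner_of=identity_owner_via_contract)
```

With `CONTRACT_BY_IDENTITY` the contract receives only READ from the subordinate policy, while `CONTRACT_BY_IDENTITY_ALL` passes all three permissions through; configuring both directions at once raises `CycleError` instead of looping.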
#5 Updated by Radek Tomiška 10 months ago
I think so, created #2239 - hard validation in the product will be better than documentation.
#6 Updated by Radek Tomiška 10 months ago
- Related to Task #2239: Authorization policies - prevent to configure IdentityContractByIdentityEvaluator and IdentityByContractEvaluator simultaneously added
#7 Updated by Radek Tomiška 10 months ago
- Status changed from Resolved to Closed