Task #2234
Authorization policies - use selected permissions only from transitive evaluator
Closed, 100% done
Description
When a transitive evaluator is configured, all owner permissions are granted transitively. This is not required in some UC.
Example:
- I want to read and edit a subordinate (identity), but I don't want to edit all its contracts.
Add permissions support to transitive policies (AbstractTransitiveEvaluator) - configured permissions will be used for owner permissions intersection => only selected permissions will be granted by owner.
Related issues
Updated by Radek Tomiška over 4 years ago
- Related to Task #2229: Identity projection - support edit more contracts in projection added
Updated by Radek Tomiška over 4 years ago
- Related to Task #1784: LRT: support multiple properties added
Updated by Radek Tomiška over 4 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 0 to 90
It's implemented - only selected permissions can be used from owner permissions transitively.
I've added a new abstract transitive evaluator property (include-permissions), but each evaluator needs to override and implement this new feature (the getPredicate method has to be changed and the new configuration form attribute has to be used) - the new behavior is implemented in IdentityContractByIdentityEvaluator only for now.
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/c12ba746ded7759df8719b1f380fd6a6c6825b41
Doc:
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#abstracttransitiveevaluator
https://wiki.czechidm.com/devel/documentation/security/dev/authorization#manager_and_subordinates
Could you provide me feedback, please?
Updated by Vít Švanda over 4 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 90 to 100
I reviewed and tested it. Works nicely. Thanks for this feature.
I had one obstacle. By my mistake I configured permissions in a combination of IdentityContractByIdentityEvaluator and IdentityByContractEvaluator. This caused over-looping. I know this combination is totally wrong, but some validation could be created in the future for this.
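As an added illustration of the include-permissions intersection from the task description and of the evaluator cycle reported in the comment above (this is not CzechIdM code; the class, function and permission names are assumptions made for the example), a small Python model:

```python
# Added example, not CzechIdM code: models how a transitive evaluator can
# restrict the permissions it inherits from the owner to a configured
# "include-permissions" subset, and how an evaluator cycle such as
# contract -> identity -> contract can be detected instead of looping forever.
from dataclasses import dataclass, field

# constructed permission names for the example
READ, UPDATE, DELETE = "READ", "UPDATE", "DELETE"


@dataclass
class Evaluator:
    target: str                    # entity type this evaluator grants on
    owner: str                     # entity type whose permissions are inherited
    # permissions passed through from the owner; empty = legacy behaviour (all)
    include_permissions: frozenset = field(default_factory=frozenset)


def transitive_permissions(owner_permissions, evaluator):
    """Intersect the owner's effective permissions with the configured subset."""
    if not evaluator.include_permissions:
        return set(owner_permissions)
    return set(owner_permissions) & evaluator.include_permissions


def effective_permissions(entity_type, direct, evaluators, _path=None):
    """Direct grants on entity_type plus permissions inherited transitively.

    direct: {entity_type: set(permissions)} granted by non-transitive policies.
    Raises ValueError when the evaluator chain revisits an entity type on the
    current resolution path (a cycle), rather than recursing without bound.
    """
    path = _path or ()
    if entity_type in path:
        raise ValueError(f"transitive evaluator cycle: {path + (entity_type,)}")
    result = set(direct.get(entity_type, ()))
    for ev in evaluators:
        if ev.target == entity_type:
            owner_perms = effective_permissions(ev.owner, direct, evaluators,
                                                path + (entity_type,))
            result |= transitive_permissions(owner_perms, ev)
    return result


# Constructed sample: a manager may READ/UPDATE/DELETE a subordinate identity,
# but the contract evaluator passes only READ and UPDATE through.
DIRECT = {"identity": {READ, UPDATE, DELETE}}
CONTRACT_BY_IDENTITY = Evaluator("contract", "identity", frozenset({READ, UPDATE}))
IDENTITY_BY_CONTRACT = Evaluator("identity", "contract")   # cyclic with the above
```

Resolving "contract" with only CONTRACT_BY_IDENTITY yields READ and UPDATE; adding IDENTITY_BY_CONTRACT makes the resolution raise instead of looping.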
Updated by Radek Tomiška over 4 years ago
I think so, created #2239 - hard validation in the product will be better than doc.
Updated by Radek Tomiška over 4 years ago
- Related to Task #2239: Authorization policies - prevent to configure IdentityContractByIdentityEvaluator and IdentityByContractEvaluator simultaneously added
Updated by Radek Tomiška over 4 years ago
- Status changed from Resolved to Closed