Feature #2408
closed
Evaluator and new permissions for delegation: Create delegation only from subordinates and yourself
100%
Description
We'd like to extend delegations with new permission evaluator that allows manager/guarantor (directly set or calculated from org. structure) to create new delegation from subordinate (source) users to any identity (target). It's important to user the manager/subordinates filters, not just let the user create delegation from any identity he/she can see. We have users that can see and ask for role change for more users than just their subordinates, e. g. for the whole department. However, we don't want these users to be able to create a new delegation from anybody they can see.
We'd also like to extend delegations with new permission evaluator that allows any user in IDM to create delegation from himself/herself to any identity in IDM.
With combination of these evaluators the manager/guarantor will be able to create delegation only from himself/herself and from his/her own subordinates.
Updated by Vít Švanda over 3 years ago
- Subject changed from Evaluator for delegation: Create delegation only from subordinates and yourself to Evaluator and new permissions for delegation: Create delegation only from subordinates and yourself
Updated by Vít Švanda over 3 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 0 to 90
Implemented.
- I created new permissions DELEGATE and DELEGATOR for identity. This permissions controlls what can be selected in new delegation.
- For allow create a new delegation I created new evaluator 'DelegationDefByDelegatorAndDelegateEvaluator'. This evaluator allows create/delete (depends on the settings) delegation if logged users has IdentityBasePermission.DELEGATOR for delegator and IdentityBasePermission.DELEGATE for delegate.
- To ensure that the user without update permission on himself can delete their delegations, I created two new evaluators 'SelfDelegationDefinitionByDelegateEvaluator' and 'SelfDelegationDefinitionByDelegatorEvaluator'.
Tests are included.
I created init processor 'InitDelegationRoleProcessor' for create default role 'delegationRole', because the default configuration of permissions has 10 evaluators now.
Doc: https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_delegations
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/6c8f84dc382d4b9484e0ad954fa43d8e0e25f44a
Updated by Radek Tomiška over 3 years ago
- Status changed from Needs feedback to Resolved
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 90 to 100
I did test and code review, it's awesome, thx!
Note: Could you please add Delegation product role to doc here too :) - https://wiki.czechidm.com/devel/documentation/architecture/dev/events/init-data#product_provided_roles
Updated by Radek Tomiška over 3 years ago
- Status changed from Resolved to Closed