Feature #2408
closed
Evaluator and new permissions for delegation: Create delegation only from subordinates and yourself
Added by Vladimír Kotýnek over 4 years ago.
Updated about 4 years ago.
Description
We'd like to extend delegations with a new permission evaluator that allows a manager/guarantor (directly set or calculated from the org. structure) to create a new delegation from subordinate (source) users to any identity (target). It's important to use the manager/subordinates filters, not just let the user create a delegation from any identity he/she can see. We have users that can see and ask for a role change for more users than just their subordinates, e.g. for the whole department. However, we don't want these users to be able to create a new delegation from anybody they can see.
We'd also like to extend delegations with a new permission evaluator that allows any user in IDM to create a delegation from himself/herself to any identity in IDM.
With the combination of these evaluators, the manager/guarantor will be able to create a delegation only from himself/herself and from his/her own subordinates.
- Subject changed from Evaluator for delegation: Create delegation only from subordinates and yourself to Evaluator and new permissions for delegation: Create delegation only from subordinates and yourself
- Status changed from New to In Progress
- Status changed from In Progress to Needs feedback
- Assignee changed from Vít Švanda to Radek Tomiška
- % Done changed from 0 to 90
Implemented.
- I created new permissions DELEGATE and DELEGATOR for identity. These permissions control what can be selected in a new delegation.
- To allow creating a new delegation, I created a new evaluator 'DelegationDefByDelegatorAndDelegateEvaluator'. This evaluator allows creating/deleting (depending on the settings) a delegation if the logged-in user has IdentityBasePermission.DELEGATOR for the delegator and IdentityBasePermission.DELEGATE for the delegate.
- To ensure that a user without update permission on himself can delete his delegations, I created two new evaluators 'SelfDelegationDefinitionByDelegateEvaluator' and 'SelfDelegationDefinitionByDelegatorEvaluator'.
Tests are included.
I created an init processor 'InitDelegationRoleProcessor' to create the default role 'delegationRole', because the default configuration of permissions has 10 evaluators now.
Doc: https://wiki.czechidm.com/devel/documentation/security/dev/authorization#default_settings_of_permissions_for_delegations
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/6c8f84dc382d4b9484e0ad954fa43d8e0e25f44a
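The decision described in the comment above, modelled as an added example (not CzechIdM code): DELEGATOR is granted on yourself and on your direct subordinates, DELEGATE on any identity, and a delegation may be created only when both hold for the chosen delegator/delegate. The org structure, department-wide visibility and function names are assumptions constructed for the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    username: str
    manager: Optional[str] = None   # direct manager from the org. structure
    department: str = ""

# Constructed sample org structure (not real IdM data).
IDENTITIES = {i.username: i for i in [
    Identity("boss", None, "sales"),
    Identity("mgr", "boss", "sales"),
    Identity("alice", "mgr", "sales"),
    Identity("bob", "mgr", "sales"),
    Identity("carol", "boss", "sales"),   # same department, but not mgr's subordinate
    Identity("dave", None, "it"),
]}

def can_read(user: str, identity: str) -> bool:
    """Broad visibility: a user can see (and ask for role changes for) the whole department."""
    return IDENTITIES[user].department == IDENTITIES[identity].department

def subordinates(manager: str) -> set:
    """Direct subordinates calculated from the org. structure (the manager filter)."""
    return {u for u, i in IDENTITIES.items() if i.manager == manager}

def identity_permissions(user: str, identity: str) -> set:
    """Identity permissions `user` holds on `identity`, as the two evaluators grant them:
    DELEGATOR for self and for direct subordinates, DELEGATE for any identity in IdM."""
    perms = {"DELEGATE"}
    if identity == user or identity in subordinates(user):
        perms.add("DELEGATOR")
    return perms

def can_create_delegation(user: str, delegator: str, delegate: str) -> bool:
    """Check modelled on DelegationDefByDelegatorAndDelegateEvaluator: DELEGATOR on the
    delegator AND DELEGATE on the delegate are required; read access alone is not enough."""
    return ("DELEGATOR" in identity_permissions(user, delegator)
            and "DELEGATE" in identity_permissions(user, delegate))
```

The key case is `mgr` and `carol`: `mgr` can read `carol` (same department) but cannot create a delegation from her, because DELEGATOR comes from the subordinate filter, not from visibility.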
- Status changed from Needs feedback to Resolved
- Assignee changed from Radek Tomiška to Vít Švanda
- % Done changed from 90 to 100
Thanks. I completed a wiki page.
- Status changed from Resolved to Closed