Automatic role request
Automatically assigned roles have a significant safety impact. When creating, editing, or deleting, it is necessary that the process is approved. For this purpose, an agenda for requests for change of automatic roles has been created.
Processes of defined by the role criticality is defined here.
Only processes approve-role-by-guarantee
and approve-role-by-guarantee-security
supported approving for automatic roles.
Security configuration
If we want to an identity, which can administer automatic role requests, we set authorization policies as follows:
- Permission to all requests: Requests for automatic roles (IdmAutomaticRoleRequest) | Admin |
BasePermissionEvaluator
- Permission to all requests rules: Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | |
AutomaticRoleRuleRequestByRequestEvaluator
- Permission to read all exists automatic role by attributes: Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read |
BasePermissionEvaluator
- Permission to read all exists automatic role rules by attributes: Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule) | Read |
BasePermissionEvaluator
- Permission to read all exists automatic role by tree: Automatic roles (organization structure) (IdmRoleTreeNode) | Read |
BasePermissionEvaluator
Policies can be configured by custom needs. This example enables all operations with requests.
Request approver
If we want to an identity can approve automatic role request, we can use IdmAutomaticRoleRequest|Read|AutomaticRoleRequestByWfInvolvedIdentityEvaluator
authorization policy evaluator. This evaluator grants permission to read requests (in WF task), which can be approved by logged identity. It's good to have autocomplete permission to IdmAutomaticRoleAttribute
and IdmRoleTreeNode
.