Authorization policies
Base interfaces and classes
BasePermission
- a base permission; can be added in modules; basic permissions for the IdM core, which are identical for both permissions for access into agendas and for permissions for data:ADMIN
- administration - includes all operations ⇒ wildcard - there is no need to list all the operations (seeIdmAuthorityHierarchy
)COUNT
- number of records - The number of entities that match the filter. We do not have to have permissions for reading a agenda and details.AUTOCOMPLETE
- displaying of data in the autocomplete. We do not have to have permissions for reading a agenda but we need to select it somewhere from a menu (e.g. when requesting a role we can select it but if we had only this permission, we would not see the role in the role agenda). This permission enables reading a "trimmed" detail (we might limit this).READ
- a permission for reading the whole log - the log is displayed in the agenda.CREATE
- creating of new logs in the agendaUPDATE
- log updatingDELETE
- log deletingEXECUTE
- execute operations (start, cancel etc.)
GroupPermission
- a group (target) permission (e.g. USER, ROLE …). A group of base permissions. This group is assigned specific domain classes (e.g. IdMRole) and determines which base permissions it contains ⇒ what can be done with the given type.By linking a group with a base permission we get an authority - for example ROLEREAD, IDENTITYWRITE.A Special group is APP, which is meant for the application administrators - the authority APP_ADMIN is created by linking a group with a base permission. The authority owns all the permissions in the application.AuthorizationPolicy
- a policy according to which the permissions for a specific agenda (attributegroupPermission
) and specific domain type (attributeauthorizableType
) are evaluated. It determines an evaluator (AuthorizationEvaluator) with specific settings (attributeConfigurationMap
) and which base permissions (attributebasePermissions
) can be acquired if the evaluation passes.Policies are assigned to individual roles and thanks to that the logged in user also gets them (relation identity - IR - role - policy).AuthorizationEvaluator
- authorization "evaluator" - it is basically an implementation of the individual types of the rule described above. Each evaluator carries information about which domain type and which setting it supports. Some can also be universal for more domain types (e.g. children ofBaseEntity
). In order to simplify the implementation of a rule, the classAbstractAuthorizationEvaluator
has been created, which can be simply inherited when adding another rule. The main evaluators will be described below. The main evaluator methods, which must be implemented (or overloaded fromAbstractAuthorizationEvaluator
):supports(authorizableType)
- which doamin type is supported by the evaluatorsupportsPermissions()
- returns true if the assigned permissions are supported. False - it defines them itself internally (e.g.AbstractTransitiveEvaluator
).getAuthorities(policy)
- returns a set of operations (the setBasePermission
), which the currently logged in identity could perform according to the given policy (e.g. READ, UPDATE).getPermissions(policy, authorizable)
- returns a set of operations (the setBasePermission
), which the currently logged in identity can perform with a given domain object according to the given policy (e.g. READ, UPDATE)evaluate(policy, authorizable, permission)
- this is just sort of a shortcut - it returns true if the currently logged in identity can perform the given operation according to the given policy (in practice -contains
to the set above)getPredicate(…)
- returns a jpa criteria predicate, which can be "stuck" onto a where clause ⇒ the query then returns a result which can be paged and ordered. The result contains data, which we have permissions for according to the given policy. It is recommended to write the predicates as subqueries withexists
, to prevent problems with joining tables (if, of course, it is not something simple).AuthorizableService
- an interface for labeling a service working with entities that it supports evaluating of policies for permissions for data. This has been added mainly because of backward compatibility - permissions for data are linked to individual agendas one by one. The policies can thus be configured only for domain types with services supporting this interface.AuthorizationManager
- loads and evaluates the set policies for the logged in identity throughout the application:- loads all the active policies according to the assigned user roles
- connects predicates according to the policies into the where clause when searching or auto-completing data (
AuthorizableService.findSecured(…)
) - evaluates available operations over the given domain objects on the level of REST
controllers
.
AuthorizationEvaluator
implementation class ⇒ when evaluator implementation is renamed or moved into different package, then authorization policy with modified evaluator has to be reconfigured too (or change script has to be provided).
getPermissions
or getPredicate
evaluator's method, don't forget to check identity is logged in securityService.isAuthenticated()
, if evaluator cannot be used in public endpoints.
getPredicate
evaluator's method, don't forget to check policy has evaluated permission assigned hasPermission(policy, permission)
.
Additional base permissions
For some entities was added additional base permissions, which extends BasePermission
above.
Identity
PASSWORDCHANGE
- permission is evaluated, when identity's password is changed.CHANGEPERMISSION
- permission is evaluated, when identity's permissions is changed ⇒CHANGEPERMISSION
on identity gives permissionsREAD
,CREATE
,UPDATE
,DELETE
to identity's role requests.
Base authorization evaluators
AbstractAuthorizationEvaluator
Adds the default implementation of the AuthorizationEvaluator
methods. It is used as a parent for the other evaluators.
AbstractTransitiveEvaluator
Serves as a parent for evaluating permissions according to the derived objects - for example, I have a permission for the assigned role if I have a permission for the identity, etc. See the children of this abstract class below (IdentityContractByIdentityEvaluator
).
BasePermissionEvaluator
Serves for assigning the configured permission for the configured domain type - for all the data of the given type. It can be used when we want to give an access to an agenda including the access to all data. It is used, for example, for an admin with the configuration - any type (permissions for all the Identifiable
children) + BasePermission.ADMIN
. It can also be used for assigning the base permission for displaying data during autocomplete (see BasePermission.AUTOCOMPLETE
above).
BasePermissionEvaluator
is also used for simple sharing of an agenda which does not support permissions for data yet. Agendas which do not support permissions for data yet are not linked to the domain object, which can be see on the front-end as well. No other evaluator can be selected for these agendas
UuidEvaluator
"Shares" the object with the given uuid. It is suitable when we are not able to configure another, more general rule - simply put - when somebody needs to see only one log from the whole agenda, it can be "shared" via the identifier (it would be nice not to enter the uuid directly in the configuration but to use autocomplete … coming soon).
CodeableEvaluator
"Shares" the object with the given identifier so that it is possible to enter uuid of the code of the given entity. For this evaluator, it is necessary to choose the entity type for which it is intended - does not work across entities.
SelfIdentityEvaluator
Gives currently logged user a permission to work with his own identity.
SubordinatesEvaluator
A permission for identities which are my subordinates. Overloadable filters are used for evaluating subordinates or managers.
IdentityContractByIdentityEvaluator
Gives a permission for industrial relations according to the permission for identity ⇒ e.g. if I have a permission to read an identity, I have a permission to read its IR. AbstractTransitiveEvaluator
is used here.
ContractGuaranteeByIdentityContractEvaluator
Gives a permission for guarantees of a industrial relation (setting a guarantee "directly") according to the permission for a industrial relation ⇒ e.g. If I have a permission to read IR, I have a permission to read its guarantees. AbstractTransitiveEvaluator
is used here. If I have a permission to edit IR, I have a permission to edit (add or delete) its assigned guarantees.
IdentityRoleByIdentityEvaluator
Gives a permission for assigned roles according to the permission for the identity ⇒ e.g. If I have a permission to read an identity, I have a permission to read its assigned roles. AbstractTransitiveEvaluator
is used here. If I have a permission to edit the identity, I have a permission to edit (add or delete) its assigned roles.
RoleGuaranteeEvaluator
Gives a permission to work with roles which I guarantee. Role guarantee can be configured by:
- identity - concrete identity can be selected as role guarantee
- role - identities with selected role assigned will be role guarantees.
This evaluator solves both ways (or).
AuthorizationPolicyByRoleEvaluator
Gives a permission for authorization policies according to the permission for a role ⇒ e.g. if I have a permission to read a role, I have permission the authorization policies assigned to it. If I have a permission to edit a role, I have a permission to edit (add or delete) authorization policies assigned to it.
RoleTreeNodeByRoleEvaluator
Gives a permission for automatic roles according to the permission for a role ⇒ e.g. if I have a permission to read a role, I have a permission to read the automatic roles assigned to it. if I have a permission to edit a role, I have a permission to edit (add or delete) the automatic roles assigned to it.
ConfigurationEvaluator
Gives a permission for application configuration (read, set…). If we want to get permissions for the secured configuration items, we need to set the parameter secured
to true
.
RoleCanBeRequestedEvaluator
Assigns permissions for a role according to the role attribute "canBeRequested". This means that if I have a role with this evaluator, I will get permissions only for those roles the attribute of which "canBeRequested" is set to true.
RoleAccountByRoleEvaluator
Gives a permission for accounts in system according to the permission for the role ⇒ e.g. If I have a permission to read a role, I have a permission to read its accounts in system. AbstractTransitiveEvaluator
is used here.
RoleCatalogueAccountByRoleCatalogueEvaluator
Gives a permission for accounts in system according to the permission for the role catalogue ⇒ e.g. If I have a permission to read a role catalogue, I have a permission to read its accounts in system. AbstractTransitiveEvaluator
is used here.
SelfRoleRequestEvaluator
Gives currently logged user a permission to work with his own role requests. This functionality can be configured another way - by combination RoleRequestByIdentityEvaluator
and SelfIdentityEvaluator
with adding permission CHANGEPERMISSION
. CHANGEPERMISSION
on identity gives permissions READ
, CREATE
, UPDATE
, DELETE
to identity's role requests automatically.
RoleRequestByIdentityEvaluator
Gives a permission for role requests according to the permission for the identity ⇒ e.g. If I have a permission to read a identity, I have a permission to read its role requests. CHANGEPERMISSION
on identity is wildcard here - it gives permissions READ
, CREATE
, UPDATE
, DELETE
to identity's role requests. AbstractTransitiveEvaluator
is used here.
RoleRequestByWfInvolvedIdentityEvaluator
Gives a permission to work with role requests which I has to approve. All involved identities (approver, applicant, implementer …) will have this permission. This policy is needed for workflow approval, where approver doesn't have a permission to read applicant. Approver will be applicant's manager (guarantee) in more cases, but even some "stranger" can have approval task assigned.
TreeAccountByRoleEvaluator
Gives a permission for accounts in tree node according to the permission for the role ⇒ e.g. If I have a permission to read a role, I have a permission to read its accounts in tree node. AbstractTransitiveEvaluator
is used here.
FormAttributteByDefinitionEvaluator
Gives a permission for form attributes according to the permission for the form definition ⇒ e.g. If I have a permission to read a form definition, I have a permission to read its attributes. AbstractTransitiveEvaluator
is used here.
VsRequestByImplementerEvaluator
For show requests only for assigned implementers. With this evaluator can user show and edit only requests where is implementer (directly or from roles).
ReadAccountByIdentityEvaluator
For show accounts only for identities witch have relation (via identity-account entity) on the accounts. With this evaluator can user show accounts where is owner.
IdentityAccountByAccountEvaluator
For show identity-accounts only for identities witch have permissions on the accounts. With this evaluator can user show and edit only identity-accounts where is owner for the accounts.
SelfReportEvaluator
Gives currently logged identity a permission to work with his own reports ⇒ logged identity is report creator.
IdentityFormValueEvaluator
@since 8.2.0
Permissions to identity form attribute values. By definition (main if not specified) and attrinute codes (all if not specified).
Evaluating authorization policies for identity extended form attributes has to be enabled by configuration. Configure permissions for form definitions together with this evaluator - FORMDEFINITION_AUTOCOMPLETE
is needed for read / update form values in this definition.
Parameters
- Form definition (
form-definition
) - Select definition, which contains attributes. Main definition will be used as default. - Attributes (
attributes
) - Add permission to attributes. All attributes from selected form definition will be used as default. All attributes or attribute codes (use comma as separator). - Logged user only (
self-only
) - Add permission to currently logged user only. Logged user doesn't get permissions to other users attributes. - By permission to update user (
owner-update
) - Add permission to attributes of users, which can be updated by the logged user (for example, when logged user can update identity, then he can update attributes too). - By permission to read user (
owner-read
) - Add permission to attributes of users, which can be read by the logged user (for example, when logged user can read identity, then he can update attributes).
RoleCatalogueRoleByRoleEvaluator
@since 9.0.0
Permissions to assigned role catalogue relations by role. If i have permission to role, i have permission to role catalogue relations.
RoleCompositionBySubRoleEvaluator
@since 9.0.0
Permissions to business roles by sub role. If i have permission to role, i have permission to business roles (compositions) with this role defined in sub role relation.
RoleCompositionBySuperiorRoleEvaluator
@since 9.0.0
Permissions to business roles by superior role. If i have permission to role, i have permission to business roles (compositions) with this role defined in superior role relation.
RoleGuaranteeByRoleEvaluator
@since 9.0.0
Permissions to assigned guarantees (by identity) by role.
RoleGuaranteeRoleByRoleEvaluator
@since 9.0.0
Permissions to assigned guarantees (by role) by role.
ContractPositionByIdentityContractEvaluator
@since 9.1.0
Permissions to assigned other contract positions by identity contract. If i have permission to identity contract, i have permission to other contract positions.
Default policies
The configuration of default permissions for agendas and data for all logged in users is carried out through the default role according to the application configuration. The default role can have, similarly to other roles, configured permissions for agendas and data. After logging in, these permissions will be filled in the context of the logged-in user (authorities and authorization policies) - the role itself does not figure in the assigned roles of the user. The default role can be used mainly for adding base permissions for the autocomplete (of roles, identities) and the like.
Examples of configuration
Default settings of permissions for an identity profile
This is a typical setting for the userRole - regular user as defined in the installation package.
If we want to read an identity profile including its assigned roles and IR, to enable password change and to request roles, it is possible to set the default role authorization policies as follows:
- Permission to read one's own identity: Users (IdmIdentity) | Displaying in autocomplete, reading, change password, manage authorizations | SelfIdentityEvaluator
- Permission to read the assigned identity roles: Roles assigned to users (IdmIdentityRole)| - | IdentityRoleByIdentityEvaluator
- Permission to read contracts according to identity: Industrial relations (IdmIdentityContract) | - | IdentityContractByIdentityEvaluator
- Permission to read other contract positions according to contract: Other contract positions (IdmContractPosition) | - | ContractPositionByIdentityContractEvaluator
- Permission to read guarantees of IR: Industrial relation guarantees (IdmContractGuarantee) | - | ContractGuaranteeByIdentityContractEvaluator
- Permission to read one's own role requests: Role requests (IdmRoleRequest) | Read, Delete, Update, Create | SelfRoleRequestEvaluator
- Permission to read role requests according to identity: Requests for assigned roles (IdmRoleRequest) | - | RoleRequestByIdentityEvaluator
- Permission to read role requests in workflow approval: Requests for assigned roles (IdmRoleRequest) | Read, Update, Create, Delete | RoleRequestByWfInvolvedIdentityEvaluator
- Permission to read and execute for tasks: Workflow - tasks | Read, Execute | BasePermissionEvaluator (since the version 7.7.0)
- Enabling the autocomplete for entities:
- User profile (picture) (IdmProfile) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Users (IdmIdentity) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Role (IdmRole) | Displaying in autocomplete, selections | RoleCanBeRequestedEvaluator (this is necessary to filter roles by the "Can be requested" attribute in the role requests).
- Role catalog (IdmRoleCatalogue) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Industrial relations (IdmIdentityContract) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Structure types (IdmTreeType) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Tree nodes (IdmTreeNode) | Displaying in autocomplete, selections | BasePermissionEvaluator
- Accounts (AccAccount) | - | ReadAccountByIdentityEvaluator (← use this only when using acc module)
- Identity accounts (AccIdentityAccount) | - | IdentityAccountByAccountEvaluator (← use this only when using acc module)
- Connected systems | Displaying in autocomplete, selections | BasePermissionEvaluator
- Permission to read automatic role requests in workflow approval: Requests for automatic roles (IdmAutomaticRoleRequest) | Read, Update, Create, Delete | AutomaticRoleRequestByWfInvolvedIdentityEvaluator ( It's good to have autocomplete permission to IdmAutomaticRoleAttribute and IdmRoleTreeNode.)
- Permission to autocomplete form definitions (eav attributes on detail for identities, roles, etc): Forms - definitions (IdmFormDefinition) | Displaying in autocomplete, selections | BasePermissionEvaluator
If you want to enable the managers of the users to read their subordinates and change their permissions, add following permissions to the userRole:
- Users (IdmIdentity) | Manage authorizations, View in select box (autocomplete), Read | SubordinatesEvaluator
Settings of permissions for the Helpdesk role
The Helpdesk role as defined in the installation package should have following additional permissions:
- Permission to read and change passwords of all identities: Users (IdmIdentity) | Displaying in autocomplete, selections, reading, change password, count | BasePermissionEvaluator
- Permission to read audit: Audit | Read | BasePermissionEvaluator
- Permission to see sent notifications: Notifications | Read | BasePermissionEvaluator
- add permissions to see the provisioning queue and archive
Default settings of permissions for a role detail
If we want to read and edit roles where we are a guarantee, including the assigned permissions, automatic roles and accounts on target system, the authorization policies can be set as follows:
- Permission to read guaranteed roles: Role (IdmRole) | Reading, Editing | RoleGuaranteeEvaluator
- Permission to read configured role guarantees:
- Role authorizers - by identity (IdmRoleGuarantee) | - | RoleGuaranteeByRoleEvaluator
- Role authorizers - by role (IdmRoleGuaranteeRole) | - | RoleGuaranteeRoleByRoleEvaluator
- Permission to read automatic roles (tree) by role: Automatic roles (IdmRoleTreeNode) | - | RoleTreeNodeByRoleEvaluator
- Permission to read automatic roles (attributes) by role:
- Automatic roles (attributes) (IdmAutomaticRoleAttribute) | Read | BasePermissionEvaluator
- Rules for automatic roles (attributes) (IdmAutomaticRoleAttributeRule)| Read | BasePermissionEvaluator
- Permissions to read request for automatic roles (both):
- Requests for automatic roles (IdmAutomaticRoleRequest) | Read | BasePermissionEvaluator
- Requests for automatic roles (rules of the attributes) (IdmAutomaticRoleAttributeRuleRequest) | - | AutomaticRoleRuleRequestByRequestEvaluator
- Permission to read permissions by role: Permission (IdmAuthorizationPolicy) | - | AuthorizationPolicyByRoleEvaluator
- Permission to read accounts: Accounts in system | Read | BasePermissionEvaluator
- Permission to read accounts relations by role: Role accounts (AccRoleAccount) | - | RoleAccountByRoleEvaluator
- Permission to read assigned catalogue items by role: Role catalog - assigned roles (IdmRoleCatalogueRole) | - | RoleCatalogueRoleByRoleEvaluator
- Permission to read defined business roles (role composition):
- Business roles definition (IdmRoleComposition) | - | RoleCompositionBySuperiorRoleEvaluator
- Business roles definition (IdmRoleComposition) | - | RoleCompositionBySubRoleEvaluator
Secure identity form (extended) attribute values
If we want to enable for currently logged identity update only for some form attributes (e.g phone) from some form definition (e.g. from main definition) on identity detail (tab more information), the authorization policies can be set as follows:
- Enable authorization policies support for identity form values by configuration.
- Permission to autocomplete main form definition: Forms - definitions (IdmFormDefiniton) | Displaying in autocomplete, selections | UuidEvaluator - enter main definition (for identities) identifier
- Permission to update phone attribute: Forms - values (IdmIdentityFormValue) | Read, Update | IdentityFormValueEvaluator - select form definition, enter 'phone' as attributes and check logged user only checkbox.
Employing policies for a new domain type - entity
To employ permissions for data for a new domain type it is necessary:
- to implement the interface
AuthorizableService
for the service working with entities - is needed to use correctGroupPermission
and entity type - don't reuse groups and entity types from different agendas. This requires the repository not to search for log via hql queries but via jpa criteria api (this is the main adjustment for the existing services where all the filters need to be rewritten). An example can be found inDefaultIdmAuthorizationPolicyService
. - To implement a new rule if the universal ones (see above) do not suffice. In order to simplify the implementation of a new rule, the class
AbstractAuthorizationEvaluator
has been created, which can be simply inherited when adding another rule. Example:
/** * Adds permission for create new role only * */ @Component @Description("Adds permission for create new role") public class RoleWriteNewOnlyEvaluator extends AbstractAuthorizationEvaluator<IdmRole> { @Override public Set<String> getPermissions(AuthorizationPolicy policy, IdmRole entity) { Set<String> permissions = super.getPermissions(policy, entity); permissions.add(IdmBasePermission.CREATE.getName()); return permissions; } }
- the rest is taken care of by
AuthenticationManager
, which finds all implementations of the rules according to the application context, offers supported types and so on.