Authorization policies overview
An authorization policy determines what permissions a CzechIdM user has. A policy is assigned to a role, and everyone with this role thus gains the permissions determined by the policy.
Assigning permissions in CzechIdM via ordinary roles means that permissions for CzechIdM itself are managed by the same standard mechanism as any other role assignment.
The default role "User" grants the implicit permissions that all CzechIdM users have. This role is not assigned explicitly; it is the default and is always applied (see the following chapter). A whole new agenda of authorization policies, i.e. permissions for data and for agendas, has been tied to roles. Assigning permissions grants the logged-in user both access to agendas on the front-end (or rather to the REST endpoints on the back-end) and permissions to retrieve data (i.e. the records within those accessible agendas). Access to agendas (REST endpoints) is evaluated against the configured permissions.
How permissions for agendas and for data work together
To see some data, we need to have at least one role with a policy assigning the permissions.
Say we have the agenda of roles. To be able to select from the role picker (e.g. when requesting roles), we need to be permitted to access the autocomplete agenda for roles, i.e. to hold a policy granting:
Role - AUTOCOMPLETE (labelled "Displaying in autocomplete, selections" in the user interface), for instance with the evaluator type BasePermissionEvaluator.
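To make the interplay described above concrete, here is a simplified model (added illustration, not CzechIdM's own code) of how role-bound policies produce a user's effective permissions and how an agenda check is evaluated against them. The role names, the `ROLE_AUTOCOMPLETE`-style permission strings and the rule that BasePermissionEvaluator grants its base permissions unconditionally are assumptions made for this example.

```python
# Simplified model of CzechIdM-style authorization policies (illustration only).
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One authorization policy row: agenda (group permission), base permissions, evaluator."""
    group_permission: str        # authorizable agenda, e.g. "ROLE"
    base_permissions: frozenset  # e.g. {"AUTOCOMPLETE"}
    evaluator: str               # e.g. "BasePermissionEvaluator"

DEFAULT_ROLE = "User"  # implicit role: never assigned explicitly, always applied

# Constructed sample data: role name -> policies attached to that role
ROLE_POLICIES = {
    "User": {Policy("IDENTITY", frozenset({"READ"}), "BasePermissionEvaluator")},
    "roleRequester": {Policy("ROLE", frozenset({"AUTOCOMPLETE"}), "BasePermissionEvaluator")},
    "roleAdmin": {Policy("ROLE", frozenset({"READ", "UPDATE"}), "BasePermissionEvaluator")},
}

def effective_permissions(user_roles):
    """Union of permissions granted by all assigned roles plus the implicit default role."""
    perms = set()
    for role in set(user_roles) | {DEFAULT_ROLE}:
        for policy in ROLE_POLICIES.get(role, ()):
            # Assumption for this model: BasePermissionEvaluator grants the listed
            # base permissions on every record of the agenda, with no extra condition.
            if policy.evaluator == "BasePermissionEvaluator":
                perms.update(f"{policy.group_permission}_{b}" for b in policy.base_permissions)
    return perms

def can_access_agenda(user_roles, required_any):
    """Agenda (REST endpoint) check: at least one of the required permissions must be held."""
    return bool(effective_permissions(user_roles) & set(required_any))

if __name__ == "__main__":
    # A user with no explicit role still gets the default "User" permissions,
    # but cannot use the role autocomplete until a role with Role - AUTOCOMPLETE is assigned.
    print(effective_permissions([]))                                      # {'IDENTITY_READ'}
    print(can_access_agenda([], ["ROLE_AUTOCOMPLETE"]))                   # False
    print(can_access_agenda(["roleRequester"], ["ROLE_AUTOCOMPLETE"]))    # True
```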