An authorization policy determines what permissions a CzechIdM user has. A policy is assigned to a role, and everyone with this role thus gains the permissions defined by the policy.
Assigning permissions in CzechIdM via ordinary roles means that permissions for CzechIdM itself are managed using a standard mechanism.
The default role "User" gives implicit permissions that all CzechIdM users have. This role is not assigned explicitly; it is the default and is always applied (see the following chapter). A whole new agenda of authorization policies (permissions for data and agendas) has been tied to a role. Assigning permissions grants the logged-in user access both to agendas on the front-end (or rather to REST endpoints on the back-end) and to the data, that is, the records in these accessible agendas. Permissions for agendas (REST endpoints) are assessed based on the set permissions.
To see some data, we need to have at least one role with a policy assigning the permissions.
Role - AUTOCOMPLETE or "Displaying in autocomplete, selections", for instance with the evaluation type BasePermissionEvaluator.
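The resolution described above, as an added Python model (not CzechIdM code or its API): a user's effective permissions are collected from the policies of the explicitly assigned roles plus the default role "User", and nothing is visible without a granting policy. The role names other than "User", the user names, the READ permission, and the assumption that permissions add up across roles are constructed for this example.

```python
from dataclasses import dataclass

DEFAULT_ROLE = "User"  # the page's default role, applied to every user implicitly

@dataclass(frozen=True)
class Policy:
    entity_type: str         # agenda / record type the policy covers, e.g. "Role"
    permissions: frozenset   # permissions granted, e.g. {"AUTOCOMPLETE"}
    evaluator: str = "BasePermissionEvaluator"  # recorded only, not modelled here

# Constructed sample data: which policies hang on which role.
ROLE_POLICIES = {
    "User": [Policy("Role", frozenset({"AUTOCOMPLETE"}))],
    "Helpdesk": [Policy("Identity", frozenset({"READ", "AUTOCOMPLETE"})),
                 Policy("Role", frozenset({"READ"}))],
    "Empty": [],  # a role without any policy grants nothing
}
# Constructed sample data: explicit role assignments ("User" is never listed).
ASSIGNED = {"alice": ["Helpdesk"], "bob": [], "carol": ["Empty"]}

def effective_permissions(user, assigned=ASSIGNED, role_policies=ROLE_POLICIES):
    """Permissions per entity type from explicit roles plus the default role."""
    roles = set(assigned.get(user, [])) | {DEFAULT_ROLE}
    result = {}
    for role in roles:
        for policy in role_policies.get(role, []):
            result.setdefault(policy.entity_type, set()).update(policy.permissions)
    return result

def can(user, entity_type, permission, **kw):
    """Deny unless at least one of the user's roles has a granting policy."""
    return permission in effective_permissions(user, **kw).get(entity_type, set())

def granted_to_everyone(role_policies=ROLE_POLICIES):
    """Policies on the default role reach every user, so review them first."""
    return sorted((p.entity_type, perm)
                  for p in role_policies.get(DEFAULT_ROLE, [])
                  for perm in p.permissions)

if __name__ == "__main__":
    for user in ASSIGNED:
        print(user, effective_permissions(user))
    print("granted to all users:", granted_to_everyone())
```
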