tutorial:adm:add_permissions

Permissions setting for a role

Look up a role you wish to assign a permission to and open its detail - Roles → Role detail. Then continue to the Permissions tab.

 role permissions list

To add permissions for actions in CzechIdM to a role, click on the Add button. The following attributes can then be set:  a new role permission

The following attributes can be set:

  • Role (Read Only) – the name of the role, whose permission for CzechIdM you would like to change.
  • Entity type – A form in GUI of an object type in CzechIdM, for which you would like to edit the permission. For example, to add the permission to display the audit logs to the holder of the role, select the item Audit.
  • Permission – The type of permission which you would like to assign to the holder of the role for an agenda / entity selected in the previous step. The typical permissions are reading/removing/creating etc. Some agendas, such as Audit, do not allow any selection of permissions (it is read-only), that is why this box can be in grey colour as well.
  • Order – If the user has more permissions from more roles, the order is determined by the order of evaluations of these permissions. The logical principle of or is applied. If the user has role A, which permits reading subordinates, and role B, which permits editing subordinates, then the user has both the permission to read as well as to edit his subordinates. However, the permissions can be restricted using an evaluator in the next attribute Evaluation type. In that case, the order set in this attribute will be applied.
  • Description – an optional description
  • Inactive – a permission marked this way will not be valid upon saving. This selection is used mainly when you would like to prepare a set of permissions with a future starting date of validity, for instance.
  • Evaluator type – This item is sometimes called the evaluator as well. Evaluators are used to delimit a group of objects (Agenda / Entity type), for which the holders of the role get a permission. If the chosen entity type is Users (IdMIdentity), then e.g. SubordinatesEvaluator can be chosen and role holders will get permission to manage their subordinates. Some entity types, e.g. Audit, do not allow selecting Evaluation type since they relate directly to a given form in GUI or object instance.