Authorization internals
The authorization in nevisIDM can be customized by adding or modifying roles. To do this, it is helpful to understand the mechanism.
Customization is usually done by the integration partner, and the internals may change.
Authorization checks are executed every time you access an object. If some operation on one object implies access to other objects, the authorization for the implied operation will be checked, too.
The functional authorization comes from the nevisIDM roles of the executing user and determines if the operation is allowed at all. The data authorization is a property of the role assignment and determines which objects the role is valid for.
When an operation on an object is checked for authorization, nevisIDM first checks for the presence of a certain elementary right. It then checks whether at least one of the assignments to those privileges includes the target object in its data authorization part.
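The two-stage check described above, modelled as an added Python example (not nevisIDM code or its API): a right counts only if the same assignment that grants it also covers the target object, and implied operations are checked too. Assumptions: the role names, right names, the role-to-right table, and the use of units as the data authorization scope are all hypothetical.

```python
from dataclasses import dataclass

# Constructed role -> elementary-right table; all names here are hypothetical.
ROLE_RIGHTS = {
    "UserAdmin": {"UserView", "UserModify"},
    "Helpdesk": {"UserView"},
}

@dataclass(frozen=True)
class Assignment:
    """One role assignment: the role plus its data authorization."""
    role: str
    units: frozenset  # assumed data-authorization model: units the role is valid for

@dataclass(frozen=True)
class Target:
    """Object being accessed, located in one unit (assumed model)."""
    name: str
    unit: str

def is_authorized(assignments, right, target):
    # Functional authorization: keep only assignments whose role carries the right.
    granting = [a for a in assignments if right in ROLE_RIGHTS.get(a.role, set())]
    # Data authorization: at least one of *those* assignments must cover the target.
    return any(target.unit in a.units for a in granting)

def authorize_operation(assignments, checks):
    """checks lists (right, target) for the operation and every operation it implies."""
    return all(is_authorized(assignments, right, tgt) for right, tgt in checks)

# Constructed sample: modify rights in "sales", view-only rights in "support".
ALICE = [
    Assignment("UserAdmin", frozenset({"sales"})),
    Assignment("Helpdesk", frozenset({"support"})),
]
BOB = Target("bob", "sales")
CAROL = Target("carol", "support")

if __name__ == "__main__":
    print(is_authorized(ALICE, "UserModify", BOB))
    print(is_authorized(ALICE, "UserModify", CAROL))
    print(authorize_operation(ALICE, [("UserModify", BOB), ("UserView", CAROL)]))
```

When reviewing a customized role, the case to test is the second call: holding the right somewhere and having data authorization for the target through a different assignment must not add up to access.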