Allow logging in as company only for executive manager

Question

Allow logging in as company only for executive manager

Closed this issue 4 years ago · 1 comments

ÚPVS has some roles which allow multiple users log as single company.
In our case we want to allow submit invoices only for executive manager and substitutes set in our application.

Ideally ÚPVS could create new roles for invoice submitting, but AFAIK it is not possible

We need to figure out right property in ÚPVS response indicating executive manager and forbid others to log in

Answer 1 · 2021-03-13T19:21:51.000Z

Check saml assertion of logged user
There is Delegation Type attribute which can be one of following values:

0 - zastupovanie zo zákona
1 - plné zastupovanie
2 - čiastočné zastupovanie (iba vybrané činnosti)
3 - zastupovanie orgánov činných v trestnom konaní
4 - zastupovanie IOM
5 - zastupovanie KC
7 - Zastupovanie Inštitúcie VS

We should allow to log in for users with delegation type 0.