Allow logging in as company only for executive manager
Closed this issue · 1 comments
samo98 commented
ÚPVS has some roles which allow multiple users to log in as a single company.
In our case we want to allow submitting invoices only for the executive manager and substitutes set in our application.
Ideally ÚPVS could create new roles for invoice submitting, but AFAIK it is not possible.
We need to figure out the right property in the ÚPVS response indicating the executive manager and forbid others to log in.
samo98 commented
Check the SAML assertion of the logged-in user.
There is a Delegation Type attribute which can be one of the following values:
- 0 - representation by law
- 1 - full representation
- 2 - partial representation (selected activities only)
- 3 - representation of bodies active in criminal proceedings
- 4 - IOM representation
- 5 - KC representation
- 7 - representation of a public administration (VS) institution
We should allow users with delegation type 0 to log in.
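A fail-closed version of the check described in this comment, as an added example that is not code from this repository. It assumes the assertion's signature and conditions were already verified by the SAML library, and that the attribute's `Name` is `DelegationType` (the issue only calls it "Delegation Type"); the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumption: the Name used in the assertion; the issue only says "Delegation Type".
DELEGATION_ATTR = "DelegationType"
# Allow-list from the issue: 0 = representation by law.
ALLOWED_DELEGATION_TYPES = {"0"}


def delegation_values(assertion_xml, attr_name=DELEGATION_ATTR):
    """Collect every value of the delegation attribute from a verified assertion."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter("{%s}Attribute" % SAML_ASSERTION_NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.findall("{%s}AttributeValue" % SAML_ASSERTION_NS):
            values.append((value.text or "").strip())
    return values


def may_log_in(assertion_xml):
    """Permit login only for exactly one delegation value that is allow-listed.

    A missing attribute, several values, an unknown value, or unparsable XML
    all deny the login, so new delegation types are rejected by default.
    """
    try:
        values = delegation_values(assertion_xml)
    except ET.ParseError:
        return False
    return len(values) == 1 and values[0] in ALLOWED_DELEGATION_TYPES


def make_assertion(*values):
    """Build a constructed sample assertion (not a real ÚPVS response)."""
    body = "".join(
        "<saml:AttributeValue>%s</saml:AttributeValue>" % v for v in values
    )
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>'
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
        % (SAML_ASSERTION_NS, DELEGATION_ATTR, body)
    )


if __name__ == "__main__":
    for sample in (("0",), ("1",), ("0", "2"), ()):
        print(sample, may_log_in(make_assertion(*sample)))
```

Using an allow-list rather than rejecting types 1 to 7 means a delegation type missing from the list above is denied as well.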