Changes between Version 17 and Version 18 of S3/S3AAA/OrgAuth
Timestamp: 09/04/12 09:44:46 (12 years ago)
S3/S3AAA/OrgAuth
v17 v18 5 5 == Realms == 6 6 7 Records can be "owned" by person entities (organisations, offices, teams, persons etc.). This is implemented as an additional meta-field "owned_by_entity", which takes a pe_id (Person Entity ID). All records "owned" by a person entity are called the '''realm''' of this person entity. 7 === Person Entities === 8 8 9 In OrgAuth policies, any role assignment for a user (and thus all the permissions the user receives out of the respective role) can be restricted to a realm.9 A '''person entity''' is a type of records describing business entities which involve one or more individual persons. This can be, e.g., organisations, offices, teams, and of course persons. 10 10 11 In policy 7 and above, realms are hierarchical. That is, the realm of an entity includes all the realms of all organisation units (OU) of this entity. 11 === Organisation Units === 12 12 13 In policy 8, person entities can allow other person entities (and any of their organisation units) to access their realm with the permissions of a certain role. This mechanism is called "delegation".13 In an organizational structure, a person entity can be a sub-unit (organization unit, OU) of another person entity. E.g. an office can be a sub-unit of an organisation, or a person a sub-unit of a team. 14 14 15 === Roles and Realms === 16 17 The realm of a person entity is the set of all records controlled ("owned") by this entity (="their data"). Which entity gains control over a record can be defined per record type, and even as deployment options. The realm which a particular record belongs to is encoded as person entity ID (pe_id) in the owned_by_entity field in this record. 18 19 In all !OrgAuth policies, a role assignment for a user (and thus all the permissions the user receives out of this role) can be restricted to a particular realm. 20 21 === Realm Hierarchy === 22 23 In policies 7 and 8, realms are '''hierarchical'''. 
That is, the realm of an entity includes all the realms of all organisation units (OU) of this entity. 24 25 === Access Delegation === 26 27 OrgAuth policy 8 additionally allows the '''delegation''' of access rights for a realm to other entities (rather than to particular users), thus facilitating controlled data sharing at the organization level. 15 28 == Restriction Level == 16 29
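Review bot: the rewritten Access Delegation paragraph (new line 27) narrows what the removed line 13 stated. The v17 text said a person entity can allow other person entities "(and any of their organisation units)" to access its realm "with the permissions of a certain role"; the v18 text only says access rights for a realm are delegated "to other entities (rather than to particular users)". Since the effective scope of a delegation is exactly what an administrator needs to know before granting one, state explicitly whether the delegatee's OUs inherit the delegated access and whether a delegation is always bound to a specific role. Two smaller points: in Person Entities, "a type of records describing business entities" reads awkwardly and should be "a record type describing business entities"; and Roles and Realms says the owning entity "can be defined per record type, and even as deployment options" but does not say which entity owns a record when no rule is configured, nor how a record with an empty owned_by_entity is treated under the realm hierarchy.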