Changes between Version 17 and Version 18 of S3/S3AAA/OrgAuth


Timestamp:
09/04/12 09:44:46 (12 years ago)
Author:
Dominic König
Comment:

--

  • S3/S3AAA/OrgAuth

    v17 v18  
    55== Realms ==
    66
    7 Records can be "owned" by person entities (organisations, offices, teams, persons etc.). This is implemented as an additional meta-field "owned_by_entity", which takes a pe_id (Person Entity ID). All records "owned" by a person entity are called the '''realm''' of this person entity.
     7=== Person Entities ===
    88
    9 In OrgAuth policies, any role assignment for a user (and thus all the permissions the user receives out of the respective role) can be restricted to a realm.
     9A '''person entity''' is a type of records describing business entities which involve one or more individual persons. This can be, e.g., organisations, offices, teams, and of course persons.
    1010
    11 In policy 7 and above, realms are hierarchical. That is, the realm of an entity includes all the realms of all organisation units (OU) of this entity.
     11=== Organisation Units ===
    1212
    13 In policy 8, person entities can allow other person entities (and any of their organisation units) to access their realm with the permissions of a certain role. This mechanism is called "delegation".
     13In an organizational structure, a person entity can be a sub-unit (organization unit, OU) of another person entity. E.g. an office can be a sub-unit of an organisation, or a person a sub-unit of a team.
    1414
     15=== Roles and Realms ===
     16
     17The realm of a person entity is the set of all records controlled ("owned") by this entity (="their data"). Which entity gains control over a record can be defined per record type, and even as deployment options. The realm which a particular record belongs to is encoded as person entity ID (pe_id) in the owned_by_entity field in this record.
     18
     19In all !OrgAuth policies, a role assignment for a user (and thus all the permissions the user receives out of this role) can be restricted to a particular realm.
     20
     21=== Realm Hierarchy ===
     22
     23In policies 7 and 8, realms are '''hierarchical'''. That is, the realm of an entity includes all the realms of all organisation units (OU) of this entity.
     24
     25=== Access Delegation ===
     26
     27OrgAuth policy 8 additionally allows the '''delegation''' of access rights for a realm to other entities (rather than to particular users), thus facilitating controlled data sharing at the organization level.
    1528== Restriction Level ==
    1629
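Review bot: The new "Access Delegation" paragraph drops two specifics that the removed v17 sentence stated: that the delegate entity gains access "with the permissions of a certain role", and that the delegation extends to "any of their organisation units". Both are security-relevant details of the delegation semantics (what is granted, and to whom it propagates), so suggest restoring them, e.g. "delegation of access rights for a realm to other entities (and their organisation units), granting them the permissions of a particular role". Similarly, "Realm Hierarchy" now says "In policies 7 and 8" where v17 said "In policy 7 and above"; if the hierarchy applies to any future policy above 7, the original wording was more accurate and should be kept. Minor wording in "Person Entities": "a type of records describing business entities" should read "a type of record describing business entities".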