Changes between Version 2 and Version 3 of S3/S3AAA/OrgAuth


Timestamp: 08/26/11 10:16:57 (14 years ago)
Author: Dominic König
  • S3/S3AAA/OrgAuth

[[TOC]]
= OrgAuth =

'''OrgAuth''' are two special authorisation policies based on policy 5 (table-level permissions), with the additional restriction of access permissions to records of particular organisations/facilities.

== Restriction Level ==

||'''Policy'''||'''Permissions are restricted to'''||
||6||records of particular organisations||
||7||records of particular facilities of particular organisations||

== Extended Record Ownership ==

Every organisation and every facility has an access role (auth_group entry) assigned.

These access roles are created when the respective organisation/facility record is created, and their role-UUIDs are prefixed by either "Org_" (for organisations) or "Fac_" (for facilities). This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

Every record with an ''organisation_id'' or ''site_id'' link automatically gets the respective access roles set in:

  - owned_by_organisation
  - owned_by_facility

This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In OrgAuth policies, the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6) or both the access role of the owner organisation ''and'' that of the owner facility (owned_by_organisation+owned_by_facility, policy 7).

== Extended Restriction of Access ==

In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user-ACLs (uacl) and owner-ACLs (oacl).

It is possible to override this restriction in the ACL itself, and explicitly define for which organisation/facility the ACL shall apply (see [#DelegationsofPermissions Delegations of Permissions]), or to define that the ACL shall apply for the records of ''all'' organisations/facilities (see [#GeneralDelegationsofPermissions General Delegations of Permissions]).

== Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

It is however possible to override this and define explicitly which organisation/facility the ACL shall apply to:

Delegation of permissions to a user group (e.g. anonymous users, all authenticated users, ...):

{{{
    # Get the access role from the organisation record
    org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                                limitby=(0, 1)).first()

    # Delegate read permission for this organisation's inv_inv_item records to all authenticated users
    update_acls(authenticated,
                dict(t="inv_inv_item", uacl=acl.READ, organisation=org_record.owned_by_role))
}}}

Permissions can also be delegated to another organisation (the ACL is granted to the other organisation's access role):

{{{
    # Get the access role for this organisation
    this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                              limitby=(0, 1)).first()

    # Get the access role for the other organisation
    other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role,
                                                                  limitby=(0, 1)).first()

    # Delegate read permission for this organisation's inv_inv_item records to all users
    # holding the other organisation's access role
    update_acls(other_org.owned_by_role,
                dict(t="inv_inv_item", uacl=acl.READ, organisation=this_org.owned_by_role))
}}}

== General Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

This can be overridden in the ACL itself to make the ACL apply for the records of ''all'' organisations/facilities:

{{{
    # Delegate read permission for inv_inv_item records of all organisations to all authenticated users
    update_acls(authenticated,
                dict(t="inv_inv_item", uacl=acl.READ, organisation="all"))
}}}

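The following is an added example, not Sahana Eden's own code: a minimal Python model of the ownership check from "Extended Record Ownership" and of the ACL restriction and delegation overrides from the three sections above. The role names, record dicts and ACL dicts are constructed assumptions, and the ACL dict's `organisation` key stands in for the `organisation=` argument of update_acls shown on the page.

```python
# Added example, not Sahana Eden code: a minimal model of the OrgAuth
# ownership and ACL-restriction rules for policies 5, 6 and 7.
# Role names, record dicts and ACL dicts are constructed for illustration;
# "Org_A"/"Fac_A1" stand for the auth_group UUIDs the page describes.

def is_owner(policy, user_id, user_roles, record):
    """Ownership check: owned_by_user or owned_by_role as in policy 5,
    plus the org access role (policy 6) or org+facility roles (policy 7)."""
    base = (record.get("owned_by_user") == user_id
            or record.get("owned_by_role") in user_roles)
    if not base:
        return False
    if policy >= 6 and record.get("owned_by_organisation") not in user_roles:
        return False
    if policy == 7 and record.get("owned_by_facility") not in user_roles:
        return False
    return True


def acl_applies(policy, user_roles, acl, record):
    """Does an ACL granted to a group apply to this record for this user?

    acl["organisation"] models the delegation override: absent means the
    default OrgAuth restriction, "all" lifts it, and an "Org_..." role
    name delegates the ACL to records of that organisation only."""
    if acl.get("group") not in user_roles:
        return False                      # ACL not granted to this user
    if policy < 6:
        return True                       # no per-organisation restriction
    scope = acl.get("organisation")
    if scope == "all":
        return True                       # general delegation
    rec_org = record.get("owned_by_organisation")
    if scope is not None:
        return rec_org == scope           # explicit delegation to one org
    if rec_org not in user_roles:
        return False                      # policy 6: need the org access role
    if policy == 7 and record.get("owned_by_facility") not in user_roles:
        return False                      # policy 7: need the facility role too
    return True


# Constructed sample data: a user holding only organisation A's access role
USER_ID, USER_ROLES = 42, {"authenticated", "Org_A"}
REC_A = {"owned_by_user": 7, "owned_by_role": "Editors",
         "owned_by_organisation": "Org_A", "owned_by_facility": "Fac_A1"}
REC_B = dict(REC_A, owned_by_organisation="Org_B", owned_by_facility="Fac_B1")
READ_ALL_AUTH = {"group": "authenticated", "t": "inv_inv_item", "uacl": "READ"}
```

With these samples, the authenticated user's read ACL reaches REC_A but not REC_B under policy 6, and reaches neither under policy 7 until the user also holds Fac_A1.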
== Organisation-dependent Role Assignments ==

It is not yet possible for a role of a user to apply only to access to records of a particular organisation/facility.

If the user has a role, then this role applies to access to records of ''any'' organisation/facility.

This is subject to change in the future.