'''OrgAuth''' denotes two special authorisation policies based on policy 5 (table-level permissions), which additionally restrict access permissions to the records of particular organisations/facilities.

== Restriction Level ==

||'''Policy'''||'''Permissions are restricted to'''||
||6||records of particular organisations||
||7||records of particular facilities of particular organisations||

== Extended Record Ownership ==

Every organisation and every facility has an access role (auth_group entry) assigned.

These access roles are created when the respective organisation/facility record is created, and their role-UUIDs are prefixed by either "Org_" (for organisations) or "Fac_" (for facilities). This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

Every record with an ''organisation_id'' or ''site_id'' link automatically gets these roles set for:

- owned_by_organisation
- owned_by_facility

This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In OrgAuth policies, the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6), or both the access role of the owner organisation ''and'' that of the owner facility (owned_by_organisation + owned_by_facility, policy 7).

== Extended Restriction of Access ==

In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user-ACLs (uacl) and owner-ACLs (oacl).

It is possible to override this restriction in the ACL itself, either by explicitly defining for which organisation/facility the ACL shall apply (see [#DelegationsofPermissions Delegations of Permissions]), or by defining that the ACL shall apply to the records of ''all'' organisations/facilities (see [#GeneralDelegationsofPermissions General Delegations of Permissions]).

== Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

It is, however, possible to override this and to define explicitly for which organisation/facility the ACL shall apply:

Delegation of permissions to a user group (e.g. anonymous users, all authenticated users, ...):

{{{
# Get the access role from the organisation record
org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                            limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to all authenticated users
update_acls(authenticated,
            dict(t="inv_inv_item", uacl=acl.READ, organisation=org_record.owned_by_role))
}}}

Permissions can also be delegated to another organisation:

{{{
# Get the access role for this organisation
this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                          limitby=(0, 1)).first()

# Get the access role for the other organisation
other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role,
                                                              limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to the other organisation,
# i.e. to all users holding the other organisation's access role
update_acls(other_org.owned_by_role,
            dict(t="inv_inv_item", uacl=acl.READ, organisation=this_org.owned_by_role))
}}}

== General Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

This can be overridden in the ACL itself to make the ACL apply to the records of ''all'' organisations/facilities:

{{{
# Grant all authenticated users read permission on inv_inv_item records of all organisations
update_acls(authenticated,
            dict(t="inv_inv_item", uacl=acl.READ, organisation="all"))
}}}
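The ownership rules from ''Extended Record Ownership'' and the realm restriction with its two overrides (explicit delegation, general delegation) from the sections above, carried through as one added illustration in Python. This is example code written for this page, not Sahana Eden's own auth implementation: the Record/User/ACL classes, the functions owns(), in_realm() and permitted(), the permission bits and the sample users, roles and records are all assumptions. Where the page leaves a case open (records without an organisation/facility link, explicit delegations under policy 7), the example errs on the side of denying access.

```python
# Added illustration for this page, not Sahana Eden's auth code: a toy model of
# OrgAuth record ownership and ACL realm restriction under policies 5, 6 and 7.
# All class, function and sample names below are assumptions made for this example.
from __future__ import annotations
from dataclasses import dataclass

# Permission bits (constructed; Eden's own acl constants are not reproduced here)
READ, CREATE, UPDATE, DELETE = 1, 2, 4, 8


@dataclass(frozen=True)
class Record:
    owned_by_user: int | None = None
    owned_by_role: str | None = None
    owned_by_organisation: str | None = None  # "Org_<uuid>" access role
    owned_by_facility: str | None = None      # "Fac_<uuid>" access role


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset[str]


@dataclass(frozen=True)
class ACL:
    role: str                        # group the ACL is granted to
    table: str
    uacl: int = 0                    # permissions for any user holding the role
    oacl: int = 0                    # extra permissions if the user owns the record
    organisation: str | None = None  # None: default restriction, "Org_x": explicit, "all": general


def owns(user: User, record: Record, policy: int) -> bool:
    """Record ownership under policy 5 (base rule), 6 (+organisation), 7 (+facility)."""
    if not (record.owned_by_user == user.id or record.owned_by_role in user.roles):
        return False
    # Under OrgAuth an unlinked record (owner organisation None) is never owned: assumption
    if policy >= 6 and record.owned_by_organisation not in user.roles:
        return False
    if policy >= 7 and record.owned_by_facility not in user.roles:
        return False
    return True


def in_realm(user: User, acl: ACL, record: Record, policy: int) -> bool:
    """Whether the ACL still reaches this record once OrgAuth restriction is applied."""
    if policy < 6:
        return True                                   # policy 5: table-level only
    if acl.organisation == "all":
        return True                                   # general delegation
    if acl.organisation is not None:                  # explicit delegation to one organisation
        return record.owned_by_organisation == acl.organisation
    # Default: only records of organisations (and, at policy 7, facilities) whose access
    # role the user holds; unlinked records are denied here (assumption, page leaves it open)
    if record.owned_by_organisation not in user.roles:
        return False
    return policy < 7 or record.owned_by_facility in user.roles


def permitted(user: User, acls: list[ACL], table: str, record: Record,
              policy: int, method: int) -> bool:
    """Combine every applicable ACL: uacl always, oacl only for records the user owns."""
    granted = 0
    for acl in acls:
        if acl.table != table or acl.role not in user.roles:
            continue
        if not in_realm(user, acl, record, policy):
            continue
        granted |= acl.uacl
        if owns(user, record, policy):
            granted |= acl.oacl
    return granted & method == method


# Constructed sample data: two organisations, one facility role, two users
ALICE = User(1, frozenset({"authenticated", "Org_A", "Fac_A1"}))
BOB = User(2, frozenset({"authenticated", "Org_B"}))
ITEM_A1 = Record(owned_by_user=1, owned_by_organisation="Org_A", owned_by_facility="Fac_A1")
ITEM_A2 = Record(owned_by_user=1, owned_by_organisation="Org_A", owned_by_facility="Fac_A2")

TABLE = "inv_inv_item"
BASE_ACLS = [ACL("authenticated", TABLE, uacl=READ, oacl=READ | UPDATE)]
# Explicit delegation of Org_A's items to Org_B (the second snippet on this page)
DELEGATED = BASE_ACLS + [ACL("Org_B", TABLE, uacl=READ, organisation="Org_A")]
# General delegation to all authenticated users (the third snippet on this page)
GENERAL = [ACL("authenticated", TABLE, uacl=READ, organisation="all")]

if __name__ == "__main__":
    for policy in (5, 6, 7):
        print(policy, "bob reads A1:", permitted(BOB, BASE_ACLS, TABLE, ITEM_A1, policy, READ),
              "alice updates A2:", permitted(ALICE, BASE_ACLS, TABLE, ITEM_A2, policy, UPDATE))
```

Running the block shows the effect of the restriction level directly: Bob can read Org_A's item under policy 5 but not under 6 or 7 unless an explicit or general delegation exists, and Alice loses update on the item at facility Fac_A2 only when policy 7 starts requiring the facility role as well.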

== Organisation-dependent Role Assignments ==

It is currently not yet possible for a role of the user to apply only to the access to records of a particular organisation/facility.

If the user has a role, then this role applies to the access to records of ''any'' organisation/facility.

This is subject to change in the future.