'''OrgAuth''' denotes two special authorisation policies based on policy 5 (table-level permissions), with the additional restriction of access permissions to the records of particular organisations/facilities.

== Restriction Level ==

||'''Policy'''||'''Permissions are restricted to'''||
||6||records of particular organisations||
||7||records of particular facilities of particular organisations||

== Extended Record Ownership ==

Every organisation and every facility has an access role (auth_group entry) assigned.

These access roles are created when the respective organisation/facility record is created; their role-UUIDs are prefixed by "Org_" (for organisations) or "Fac_" (for facilities).

Every record with an ''organisation_id'' or ''site_id'' link automatically gets the corresponding access roles stored in:

 - owned_by_organisation
 - owned_by_facility

Both the creation of the access roles and the setting of these fields happen automatically in CRUD and XML imports (by auth.set_record_owner()).

To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In the OrgAuth policies the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6), or both the access role of the owner organisation ''and'' that of the owner facility (owned_by_organisation and owned_by_facility, policy 7). A user who matches owned_by_user or owned_by_role but lacks the organisation (or facility) access role is therefore ''not'' the owner of the record, and owner-ACLs (oacl) do not apply for it.
| 26 | |
== Extended Restriction of Access ==

In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user-ACLs (uacl) and owner-ACLs (oacl).

It is possible to override this restriction in the ACL itself, either by explicitly defining for which organisation/facility the ACL shall apply (see [#DelegationsofPermissions Delegations of Permissions]), or by defining that the ACL shall apply to the records of ''all'' organisations/facilities (see [#GeneralDelegationsofPermissions General Delegations of Permissions]).

== Delegations of Permissions ==

In the OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

It is however possible to override this and define explicitly which organisation/facility the ACL shall apply for. The organisation is identified by its access role, i.e. the owned_by_role of its org_organisation record.

Delegation of permissions to a user group (e.g. anonymous users, all authenticated users...):

{{{
# Get the access role from the organisation record
org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                             limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to all authenticated users
update_acls(authenticated,
            dict(t="inv_inv_item", uacl=acl.READ, organisation=org_record.owned_by_role))
}}}

It is also possible to delegate to another organisation, i.e. to grant the ACL to the other organisation's access role:

{{{
# Get the access role for this organisation
this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                           limitby=(0, 1)).first()

# Get the access role for the other organisation
other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role,
                                                               limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to all users
# who have the other organisation's access role
update_acls(other_org.owned_by_role,
            dict(t="inv_inv_item", uacl=acl.READ, organisation=this_org.owned_by_role))
}}}

== General Delegations of Permissions ==

In the OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

This can be overridden in the ACL itself to make the ACL apply to the records of ''all'' organisations/facilities, by setting the organisation to "all":

{{{
# Delegate read permission for the inv_inv_item records of all organisations to all authenticated users
update_acls(authenticated,
            dict(t="inv_inv_item", uacl=acl.READ, organisation="all"))
}}}

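To make the rules of the sections Extended Record Ownership, Extended Restriction of Access, Delegations of Permissions and General Delegations of Permissions concrete, here is a small stand-alone model of them. It is an added example, not Sahana Eden code: the Record/ACL/User classes, the role names, the permission bit values and the functions owns(), acl_applies(), permissions() and accessible() are assumptions made for illustration. Two points the page leaves open are also assumed: records without an owner organisation/facility are treated as unrestricted, and the facility restriction of policy 7 stays in force when an ACL names an organisation explicitly.

```python
"""Toy model of the OrgAuth permission rules (policies 5, 6 and 7).

Added example, not Sahana Eden code: classes, role names, permission bit
values and function names are assumptions for illustration.  Implemented
rules (from the wiki page):
- ownership = owned_by_user or owned_by_role, plus the owner organisation's
  access role (policy 6) or organisation AND facility access roles (policy 7)
- every ACL is restricted to the organisations/facilities the user holds
  access roles for, unless it names an organisation explicitly (delegation)
  or has organisation="all" (general delegation)
Assumed where the page is silent: records without owner organisation/facility
are unrestricted; the facility restriction of policy 7 also applies to ACLs
that name an organisation explicitly.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Permission bits (assumed values; the page only names acl.READ)
CREATE, READ, UPDATE, DELETE = 1, 2, 4, 8


@dataclass(frozen=True)
class Record:
    id: int
    table: str
    owned_by_user: Optional[int] = None
    owned_by_role: Optional[str] = None
    owned_by_organisation: Optional[str] = None   # "Org_..." access role
    owned_by_facility: Optional[str] = None       # "Fac_..." access role


@dataclass(frozen=True)
class ACL:
    role: str                           # role the ACL is granted to
    t: str                              # table name
    uacl: int = 0                       # permissions on any record of the table
    oacl: int = 0                       # additional permissions on owned records
    organisation: Optional[str] = None  # None: implicit restriction,
                                        # "Org_...": explicit delegation, "all": unrestricted


@dataclass(frozen=True)
class User:
    id: int
    roles: FrozenSet[str]


def owns(user: User, record: Record, policy: int) -> bool:
    """Extended record ownership: basic ownership plus the OrgAuth access roles."""
    if record.owned_by_user != user.id and record.owned_by_role not in user.roles:
        return False
    if policy >= 6 and record.owned_by_organisation is not None \
            and record.owned_by_organisation not in user.roles:
        return False                    # policy 6/7: owner organisation's role required
    if policy == 7 and record.owned_by_facility is not None \
            and record.owned_by_facility not in user.roles:
        return False                    # policy 7: owner facility's role required as well
    return True


def acl_applies(acl: ACL, user: User, record: Record, policy: int) -> bool:
    """Extended restriction of access: may this ACL be used for this record?"""
    if acl.role not in user.roles or acl.t != record.table:
        return False
    if policy < 6 or acl.organisation == "all":
        return True                     # policy 5, or general delegation
    if acl.organisation is not None:
        if record.owned_by_organisation != acl.organisation:
            return False                # explicit delegation: that organisation's records only
    elif record.owned_by_organisation is not None \
            and record.owned_by_organisation not in user.roles:
        return False                    # implicit restriction to the user's organisations
    if policy == 7 and record.owned_by_facility is not None \
            and record.owned_by_facility not in user.roles:
        return False                    # policy 7: implicit restriction to the user's facilities
    return True


def permissions(user: User, record: Record, acls: Iterable[ACL], policy: int) -> int:
    """Effective bits: uacl of every applicable ACL, plus oacl if the user owns the record."""
    owner = owns(user, record, policy)
    granted = 0
    for acl in acls:
        if acl_applies(acl, user, record, policy):
            granted |= acl.uacl
            if owner:
                granted |= acl.oacl
    return granted


def accessible(user: User, records: Iterable[Record], acls: Iterable[ACL],
               policy: int, method: int) -> List[int]:
    """IDs of the records on which the user holds the given permission bit."""
    acls = list(acls)
    return sorted(r.id for r in records if permissions(user, r, acls, policy) & method)


# Constructed sample data: organisations A and B (roles Org_A, Org_B) with facilities
# A1, B1, B2 (roles Fac_A1, Fac_B1, Fac_B2); the user belongs to Org_B and Fac_B1.
INV = "inv_inv_item"
RECORDS = [
    Record(1, INV, owned_by_user=7, owned_by_organisation="Org_A", owned_by_facility="Fac_A1"),
    Record(2, INV, owned_by_user=7, owned_by_organisation="Org_B", owned_by_facility="Fac_B1"),
    Record(3, INV, owned_by_role="logistics", owned_by_organisation="Org_B", owned_by_facility="Fac_B2"),
]
USER = User(7, frozenset({"authenticated", "logistics", "Org_B", "Fac_B1"}))

# Table ACL for all authenticated users: read any record, update owned records
BASE_ACLS = [ACL("authenticated", INV, uacl=READ, oacl=READ | UPDATE)]
# Delegation: read on Org_A's records granted to the holders of Org_B's access role
DELEGATED = BASE_ACLS + [ACL("Org_B", INV, uacl=READ, organisation="Org_A")]
# General delegation: read on the records of all organisations
GENERAL = BASE_ACLS + [ACL("authenticated", INV, uacl=READ, organisation="all")]

if __name__ == "__main__":
    for policy in (5, 6, 7):
        print(policy, "read:", accessible(USER, RECORDS, BASE_ACLS, policy, READ),
              "update:", accessible(USER, RECORDS, BASE_ACLS, policy, UPDATE))
    print("delegated, policy 6, read:", accessible(USER, RECORDS, DELEGATED, 6, READ))
    print("general, policy 7, read:", accessible(USER, RECORDS, GENERAL, 7, READ))
```

Running the script shows the effect of the restriction level: under policy 5 the user reads and updates all three records; under policy 6 record 1 (Org_A) disappears; under policy 7 record 3 (Fac_B2) disappears as well. The delegation grants read on Org_A's record, but not update, because the delegated ACL does not make the user the owner in the extended sense. Note also that the role "logistics" is a flat role, which is the point of the next section: it counts for record 3 only because the user also holds Org_B (and, under policy 7, would need Fac_B2).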
== Organisation-dependent Role Assignments ==

It is currently not yet possible to restrict a role of the user to the access to records of a particular organisation/facility.

If the user has a role, then this role applies to the access to records in ''any'' organisation/facility (still subject to the OrgAuth restriction to those organisations/facilities for which the user holds the respective access roles).

This is subject to change in future.