[[TOC]]

= OrgAuth =

'''OrgAuth''' are two special authorisation policies based on policy 5 (table-level permissions), with the additional restriction of access permissions to records of particular organisations/facilities.

== Restriction Level ==

||'''Policy'''||'''Permissions are restricted to'''||
||6||records of particular organisations||
||7||records of particular facilities of particular organisations||

== Extended Record Ownership ==

Every organisation and every facility has an access role (auth_group entry) assigned. These access roles are created when the respective organisation/facility record is created, and their role UUIDs are prefixed with either "Org_" (for organisations) or "Fac_" (for facilities). This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

Every record with an ''organisation_id'' or ''site_id'' link automatically gets these roles set in:
 - owned_by_organisation
 - owned_by_facility

This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In OrgAuth policies, the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6), or both the access role of the owner organisation ''and'' that of the owner facility (owned_by_organisation + owned_by_facility, policy 7).

== Extended Restriction of Access ==

In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user ACLs (uacl) and owner ACLs (oacl).

It is possible to override this restriction in the ACL itself and explicitly define for which organisation/facility the ACL shall apply (see [#DelegationsofPermissions Delegations of Permissions]), or to define that the ACL shall apply to the records of ''all'' organisations/facilities (see [#GeneralDelegationsofPermissions General Delegations of Permissions]).

== Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles. It is however possible to override this and define explicitly which organisation/facility the ACL shall apply for.

Delegation of permissions to a user group (e.g. anonymous users, all authenticated users, ...):

{{{
# Get the access role from the organisation record
org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_organisation,
                                                            limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to all authenticated users
update_acls(authenticated, dict(t="inv_inv_item",
                                uacl=acl.READ,
                                organisation=org_record.owned_by_organisation))
}}}

Permissions can also be delegated to another organisation:

{{{
# Get the access role for this organisation
this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_organisation,
                                                          limitby=(0, 1)).first()

# Get the owner role for the other organisation
other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role,
                                                              limitby=(0, 1)).first()

# Delegate read permission for this organisation's inv_inv_item records to the other organisation's role
update_acls(other_org.owned_by_role, dict(t="inv_inv_item",
                                          uacl=acl.READ,
                                          organisation=this_org.owned_by_organisation))
}}}

== General Delegations of Permissions ==

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles. This can be overridden in the ACL itself to make the ACL apply to the records of ''all'' organisations/facilities.

Delegate READ permission on the inv_inv_item records of ''all'' organisations to a user group:

{{{
update_acls(authenticated, dict(t="inv_inv_item",
                                uacl=acl.READ,
                                entity="all"))
}}}

== Organisation-dependent Role Assignments ==

It is currently not yet possible to have a role of the user apply only to the access to records of a particular organisation/facility. If the user has a role, then this role applies to the access to records in ''any'' organisation/facility. This is subject to change in the future.
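The following is an added, constructed model of how the OrgAuth restriction, the per-organisation delegation and the `entity="all"` general delegation described on this page combine in a permission check. It is not Sahana Eden's own auth code; the `Record`, `ACL` and `permitted` names are hypothetical, and roles are modelled as plain strings (user groups such as "authenticated" plus "Org_..." / "Fac_..." access roles).

```python
# Constructed model of OrgAuth record-level restriction (policies 6 and 7).
# Added illustration, not Sahana Eden's implementation: class and function
# names are hypothetical. Roles are plain strings: user groups such as
# "authenticated", plus the "Org_<uuid>" / "Fac_<uuid>" access roles.
from dataclasses import dataclass
from typing import List, Optional, Set

READ = 1  # stands in for acl.READ


@dataclass
class Record:
    table: str
    owned_by_organisation: str                # "Org_..." role set by set_record_owner()
    owned_by_facility: Optional[str] = None   # "Fac_..." role, checked under policy 7


@dataclass
class ACL:
    group: str                                # role/group the ACL is granted to
    table: str
    uacl: int
    organisation: Optional[str] = None        # explicit delegation to one organisation
    entity: Optional[str] = None              # "all": records of all organisations


def permitted(roles: Set[str], acls: List[ACL], record: Record,
              required: int = READ, policy: int = 6) -> bool:
    """True if some applicable ACL grants `required` on `record` under `policy`."""
    for acl in acls:
        if acl.group not in roles or acl.table != record.table:
            continue
        if (acl.uacl & required) != required:
            continue
        if acl.entity == "all":
            return True                       # general delegation: all organisations
        if acl.organisation is not None:      # explicit delegation to one organisation
            if acl.organisation == record.owned_by_organisation:
                return True
            continue
        # Default OrgAuth restriction: the user needs the owner organisation's role ...
        if record.owned_by_organisation not in roles:
            continue
        # ... and under policy 7 additionally the owner facility's access role
        if policy == 7 and record.owned_by_facility not in roles:
            continue
        return True
    return False
```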