wiki:S3/S3AAA/OrgAuth

Version 3 (modified by Dominic König, 10 years ago)

OrgAuth

OrgAuth is a pair of special authorisation policies (6 and 7) based on policy 5 (table-level permissions), with the additional restriction that access permissions apply only to the records of particular organisations/facilities.

Restriction Level

Policy | Permissions are restricted to
-------+-------------------------------------------------------------
6      | records of particular organisations
7      | records of particular facilities of particular organisations

Extended Record Ownership

Every organisation and every facility has an access role (auth_group entry) assigned.

These access roles are created when the respective organisation/facility record is created, and their role-UUIDs are prefixed by either "Org_" (for organisations) or "Fac_" (for facilities). This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

Every record with an organisation_id or site_id link automatically gets these roles set for:

  • owned_by_organisation
  • owned_by_facility

This happens automatically in CRUD and XML imports (by auth.set_record_owner()).

To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In OrgAuth policies, the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6) or both the access role of the owner organisation and that of the owner facility (owned_by_organisation+owned_by_facility, policy 7).

Extended Restriction of Access

In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user-ACLs (uacl) and owner-ACLs (oacl).

It is possible to override this restriction in the ACL itself, and explicitly define for which organisation/facility the ACL shall apply (see Delegations of Permissions), or to define that the ACL shall apply for the records of all organisations/facilities (see General Delegations of Permissions).

Delegations of Permissions

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

It is however possible to override this and define explicitly which organisation/facility the ACL shall apply for:

Delegation of permissions to a user group (e.g. anonymous users, all authenticated users...):

    # Get the access role from the organisation record
    org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                                limitby=(0, 1)).first()

    # Delegate read permission for this organisation's inv_inv_item records to all authenticated users
    update_acls(authenticated,
                dict(t="inv_inv_item", uacl=acl.READ, organisation=org_record.owned_by_role))

It is also possible to delegate to another organisation:

    # Get the access role for this organisation
    this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_role,
                                                              limitby=(0, 1)).first()

    # Get the access role for the other organisation
    other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role,
                                                                  limitby=(0, 1)).first()

    # Delegate read permission for this organisation's inv_inv_item records
    # to all users holding the other organisation's access role
    update_acls(other_org.owned_by_role,
                dict(t="inv_inv_item", uacl=acl.READ, organisation=this_org.owned_by_role))

General Delegations of Permissions

In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.

This can be overridden in the ACL itself to make the ACL apply for the records of all organisations/facilities:

    # Delegate read permission for inv_inv_item records of all organisations to all authenticated users
    update_acls(authenticated,
                dict(t="inv_inv_item", uacl=acl.READ, organisation="all"))
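The ownership and restriction rules of the sections above (policy 6 vs. policy 7, explicit delegation via the organisation key, and the "all" override), written out as a small decision model. This is an added illustration, not Sahana Eden's S3AAA code: the ACL and Record tuples, the permission bit values and the role names are constructed assumptions, and only the uacl side is modelled.

```python
from collections import namedtuple

# Permission bits (constructed; the real acl constants may differ)
READ, CREATE, UPDATE, DELETE = 1, 2, 4, 8

# An ACL grants `uacl` bits to members of `group` on table `t`.
# `organisation` is None (default restriction), an org access role, or "all".
ACL = namedtuple("ACL", "group t uacl organisation")
ACL.__new__.__defaults__ = (None,)

# A record carries the access roles of its owner organisation and facility
Record = namedtuple("Record", "table owned_by_organisation owned_by_facility")


def org_restriction_ok(policy, user_roles, record, acl):
    """Does the OrgAuth restriction allow `acl` to apply to `record`?"""
    if acl.organisation == "all":
        # General delegation: ACL applies to records of all organisations
        return True
    if acl.organisation is not None:
        # Explicit delegation: ACL applies only to that organisation's records
        return record.owned_by_organisation == acl.organisation
    # Default: the user must hold the owner organisation's access role ...
    if record.owned_by_organisation not in user_roles:
        return False
    # ... and under policy 7 the owner facility's access role as well
    if policy == 7 and record.owned_by_facility is not None:
        return record.owned_by_facility in user_roles
    return True


def permitted(policy, user_roles, record, acl, method):
    """True if `method` is granted on `record` by `acl` under OrgAuth `policy`."""
    if acl.t != record.table or acl.group not in user_roles:
        return False
    if not acl.uacl & method:
        return False
    return org_restriction_ok(policy, user_roles, record, acl)


# Constructed sample data: role UUIDs as this page describes them
AUTHENTICATED, ORG_A, ORG_B, FAC_A1 = "AUTHENTICATED", "Org_a", "Org_b", "Fac_a1"
ITEM = Record("inv_inv_item", ORG_A, FAC_A1)
DEFAULT_ACL = ACL(AUTHENTICATED, "inv_inv_item", READ)
```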

Organisation-dependent Role Assignments

It is currently not yet possible to have a role of the user only apply for the access to records of a particular organisation/facility.

If the user has a role, then this role applies for the access to records in any organisation/facility.

This is subject to change in the future.
