OrgAuth
OrgAuth is the name for two special authorisation policies. Both are based on policy 5 (table-level permissions) and additionally restrict access permissions to the records of particular organisations or facilities.
Restriction Level
| Policy | Permissions are restricted to |
|---|---|
| 6 | records of particular organisations |
| 7 | records of particular facilities of particular organisations |
Extended Record Ownership
Every organisation and every facility has an access role (auth_group entry) assigned.
These access roles are created when the respective organisation/facility record is created, and their role UUIDs are prefixed by either "Org_" (for organisations) or "Fac_" (for facilities). This happens automatically in CRUD and XML imports (by auth.set_record_owner()).
Every record with an organisation_id or site_id link automatically gets these access roles stored in:
- owned_by_organisation
- owned_by_facility
This happens automatically in CRUD and XML imports (by auth.set_record_owner()).
To own a record, the user must either own the record as an individual (owned_by_user) or have the owner role (owned_by_role). In OrgAuth policies, the user must additionally have the access role of the owner organisation (owned_by_organisation, policy 6), or both the access role of the owner organisation and that of the owner facility (owned_by_organisation + owned_by_facility, policy 7).
Extended Restriction of Access
In OrgAuth, any applicable ACL is automatically restricted to the records of those organisations (policy 6) or organisations+facilities (policy 7) for which the user has the respective access roles. This applies to both user ACLs (uacl) and owner ACLs (oacl).
It is possible to override this restriction in the ACL itself, and explicitly define for which organisation/facility the ACL shall apply (see Delegations of Permissions), or to define that the ACL shall apply for the records of all organisations/facilities (see General Delegations of Permissions).
Delegations of Permissions
In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.
It is however possible to override this and define explicitly which organisation/facility the ACL shall apply to:
Delegation of permissions to a user group (e.g. anonymous users, all authenticated users...):
```python
# Get the access role from the organisation record
org_record = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_organisation, limitby=(0, 1)).first()
# Delegate read permission for this organisation's inv_inv_item records to all authenticated users
update_acls(authenticated, dict(t="inv_inv_item", uacl=acl.READ, organisation=org_record.owned_by_organisation))
```
Permissions can also be delegated to another organisation (the ACL is assigned to that organisation's owner role):
```python
# Get the access role for this organisation
this_org = db(db.org_organisation.id == my_org_id).select(db.org_organisation.owned_by_organisation, limitby=(0, 1)).first()
# Get the owner role of the other organisation
other_org = db(db.org_organisation.id == other_org_id).select(db.org_organisation.owned_by_role, limitby=(0, 1)).first()
# Delegate read permission for this organisation's inv_inv_item records to the other organisation's owner role
update_acls(other_org.owned_by_role, dict(t="inv_inv_item", uacl=acl.READ, organisation=this_org.owned_by_organisation))
```
General Delegations of Permissions
In OrgAuth policies, any applicable ACL is automatically restricted to the records of those organisations/facilities for which the user has the respective access roles.
This can be overridden in the ACL itself to make the ACL apply to the records of all organisations/facilities:
Delegate READ permission on the inv_inv_item records of all organisations to a user group:
```python
update_acls(authenticated, dict(t="inv_inv_item", uacl=acl.READ, organisation="all"))
```
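The following is an added example, not Sahana Eden's own code: a small, self-contained Python model of the rules described under "Extended Record Ownership", "Extended Restriction of Access" and the two delegation sections above. The class names, the READ/UPDATE bit values, the `ALL` marker and the sample users, roles and records are all constructed for illustration; it also assumes that a record without an organisation/facility link (no Org_/Fac_ role set) is not further restricted, which the page does not state explicitly.

```python
# Added example (not Sahana Eden code): executable model of OrgAuth ownership
# and ACL restriction for policies 5, 6 and 7. All names and values below are
# constructed for illustration.
from dataclasses import dataclass
from typing import Optional

POLICY_TABLE, POLICY_ORG, POLICY_FAC = 5, 6, 7   # policy levels from the page
READ, UPDATE = 1, 2                              # constructed permission bits
ALL = "all"                                      # general delegation marker


@dataclass(frozen=True)
class Record:
    owned_by_user: Optional[str] = None
    owned_by_role: Optional[str] = None
    owned_by_organisation: Optional[str] = None  # access role "Org_<uuid>"
    owned_by_facility: Optional[str] = None      # access role "Fac_<uuid>"


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset                              # includes Org_/Fac_ access roles


@dataclass(frozen=True)
class ACL:
    group: str                          # role the ACL is assigned to
    t: str                              # table name
    uacl: int = 0                       # permissions for every member of the group
    oacl: int = 0                       # permissions for members who also own the record
    organisation: Optional[str] = None  # None = auto-restrict, "Org_..." or ALL


def owns_record(user: User, record: Record, policy: int) -> bool:
    """Ownership test from 'Extended Record Ownership'. A record with no
    Org_/Fac_ role set is assumed not to be further restricted."""
    if record.owned_by_user != user.id and record.owned_by_role not in user.roles:
        return False
    org, fac = record.owned_by_organisation, record.owned_by_facility
    if policy >= POLICY_ORG and org is not None and org not in user.roles:
        return False
    if policy >= POLICY_FAC and fac is not None and fac not in user.roles:
        return False
    return True


def acl_in_scope(user: User, acl: ACL, record: Record, policy: int) -> bool:
    """'Extended Restriction of Access': an ACL only reaches the records of
    organisations/facilities the user holds access roles for, unless the ACL
    delegates explicitly (organisation="Org_...") or generally (ALL)."""
    if policy < POLICY_ORG:
        return True                               # policy 5: table-level only
    if acl.organisation == ALL:
        return True                               # general delegation
    if acl.organisation is not None:              # explicit delegation
        return record.owned_by_organisation == acl.organisation
    org, fac = record.owned_by_organisation, record.owned_by_facility
    if org is not None and org not in user.roles:
        return False
    if policy >= POLICY_FAC and fac is not None and fac not in user.roles:
        return False                              # policy 7 adds the facility role
    return True


def permitted(user, acls, table, perm, record, policy) -> bool:
    """Combine uacl/oacl over all ACLs on `table` that the user's roles carry."""
    for acl in acls:
        if acl.t != table or acl.group not in user.roles:
            continue
        if not acl_in_scope(user, acl, record, policy):
            continue
        if acl.uacl & perm:
            return True
        if acl.oacl & perm and owns_record(user, record, policy):
            return True
    return False


# Constructed sample data: two organisations, one facility of org A,
# alice holds both A access roles, bob holds only the organisation role.
ORG_A, ORG_B, FAC_A1 = "Org_aaaa", "Org_bbbb", "Fac_a1a1"
alice = User("alice", frozenset({"authenticated", "inv_staff", ORG_A, FAC_A1}))
bob = User("bob", frozenset({"authenticated", "inv_staff", ORG_A}))
item_a = Record(owned_by_role="inv_staff", owned_by_organisation=ORG_A, owned_by_facility=FAC_A1)
item_b = Record(owned_by_role="inv_staff", owned_by_organisation=ORG_B, owned_by_facility="Fac_b1b1")

ACLS = [ACL("inv_staff", "inv_inv_item", uacl=READ, oacl=READ | UPDATE)]      # auto-restricted
DELEGATED = ACLS + [ACL("authenticated", "inv_inv_item", uacl=READ, organisation=ORG_B)]
GENERAL = ACLS + [ACL("authenticated", "inv_inv_item", uacl=READ, organisation=ALL)]

if __name__ == "__main__":
    for policy in (POLICY_TABLE, POLICY_ORG, POLICY_FAC):
        print(policy, "alice reads org B item:", permitted(alice, ACLS, "inv_inv_item", READ, item_b, policy),
              "| bob reads facility A1 item:", permitted(bob, ACLS, "inv_inv_item", READ, item_a, policy))
```

Running the block shows the effect of each policy level: under policy 5 the inv_staff ACL reaches every inv_inv_item record; under policy 6 alice loses org B's records and only regains read access through the delegated or general ACL; under policy 7 bob, who lacks the Fac_ role, can no longer read or own the facility A1 record although he still holds the organisation role.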
Organisation-dependent Role Assignments
It is currently not possible to have a role of a user apply only to the records of a particular organisation/facility.
If a user has a role, that role applies to the access of records in any organisation/facility.
This is subject to change in future.