Changes between Version 55 and Version 56 of S3/S3AAA


Timestamp:
02/08/11 19:48:12 (14 years ago)
Author:
Dominic König
Comment:

--

  • S3/S3AAA

    v55 v56  
    104104In tables which do not define either of these meta-fields, ownership rules are not applied ({{{uacl}}} only).
    105105
     106==== Ownership vs. Access Permission ====
     107
     108NOTE: '''Ownership''' for a record and '''access permissions''' on this record are independent from each other!
     109
     110The fact alone that a user owns a record doesn't give him any permissions on that record. He still needs to have a role assigned for which an ACL definition exists which gives him permissions on that table.
     111
     112But that also means that the role which determines the user's ownership of a record, and the role which determines the user's effective access permissions for that record, do not have to be the same (in fact, the ownership-determining role doesn't need to have any permissions on the table at all): the effective permissions would still be applied as per the most permissive role the user is assigned to.
     113
     114Example:
     115
     116Have these things:
     117  1. A role ''OrgX Staff'', which is routinely assigned to staff members of organisation ''X''
     118  2. A role ''Boss'', which is assigned to all organisation admins (independent of the organisation!)
     119  3. A role ''Clerk'', which is assigned to all helpdesk officers (independent of the organisation!)
     120  4. A record ''Y'' in the table ''aaa_bbbbb'', which has its {{{owned_by}}} field set to ''OrgX Staff''
     121  5. An ACL for the ''aaa_bbbbb'' table, which sets {{{(uacl=CREATE, oacl=ALL)}}} for the ''Boss'' role
     122  6. An ACL for the ''aaa_bbbbb'' table, which sets {{{(uacl=NONE, oacl=READ)}}} for the ''Clerk'' role
     123
     124With this configuration, a user who has the ''OrgX Staff'' role, would own record ''Y''. But this role doesn't give him any permission to access the record (no ACL defined on ''aaa_bbbbb'' for role ''OrgX Staff'').
     125
     126If the user would have both, the ''OrgX Staff'' and the ''Boss'' roles, then he would own the record ''Y'' (as per {{{owned_by}}}) and also be permitted to {{{read}}}, {{{update}}} and {{{delete}}} this record (as per ACL for ''Boss''), and additionally, he could add new records to ''aaa_bbbbb''.
     127
     128If instead the user would have the ''OrgX Staff'' and the ''Clerk'' roles, then he would also own the record ''Y'' (as per {{{owned_by}}}), but just be permitted to {{{read}}} that record (as per ACL for ''Clerk'').
     129
     130If the user would only be ''Boss'', then he could only create new records in ''aaa_bbbbb'', but could not access record ''Y'' (since that would require ownership of that record).
     131
     132If the user would only be ''Clerk'', then he could not see record ''Y'' at all. And he could not either create new records in ''aaa_bbbbb''.
    106133=== Restrictions ===
    107134
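Review bot: The multi-role case that new line 112 relies on ("the most permissive role the user is assigned to") is never exercised by the example at lines 116-132: every scenario pairs at most one ACL-bearing role (''Boss'' or ''Clerk'') with ''OrgX Staff''. Add a scenario for a user who holds both ''Boss'' and ''Clerk'' without ''OrgX Staff'', and state the resulting permissions on record ''Y'' and on the table, so readers can see how {{{uacl}}} and {{{oacl}}} combine across roles. Line 130 should also say explicitly that ''Boss'' alone cannot access ''Y'' because its {{{uacl}}} is CREATE only, rather than only pointing at the missing ownership. Wording: "Have these things:" at line 116 reads better as "Assume the following:", and "he could not either create" at line 132 as "nor could he create". The change comment is empty; a one-line summary of the added section would help anyone scanning the page history.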