Changes between Version 88 and Version 89 of S3/S3AAA

09/04/12 09:21:23 (12 years ago)
Dominic König



  • S3/S3AAA

    v88 v89  
    103103=== !OrgAuth ===
    105   * ''to be written''
     105!OrgAuth are security policies which allow multiple organizations using the same instance of Sahana Eden to control who can access their data and with which permissions.
     107The !OrgAuth policies are all based on the following base concepts:
     109  A '''person entity''' is a type of records describing business entities which involve one or more individual persons. This can be, e.g., organisations, offices, teams, and of course persons.
     111  A '''realm''' of a person entity is the set of all records controlled ("owned") by this entity (="their data"). How and why an entity gains control over a record can be defined per record type, and even as deployment options.
     113  In an organizational structure, a person entity can be a sub-unit ('''organization unit''', OU) of another person entity. E.g. an office can be a sub-unit of an organisation, or a person a sub-unit of a team.
     115In !OrgAuth policies, a user can be assigned a role ''for a realm''. That is, the permissions resulting from this role assignment are limited to the records within the realm - whilst they have no effect outside the realm.
     117!OrgAuth policies 7 and 8 also implement a hierarchy of realms, where the realm of an entity includes the realms of all its OUs.
     119!OrgAuth policy 8 additionally allows the delegation of access rights for a realm to other entities (rather than to particular users), thus facilitating controlled data sharing at the organization level.
     121A detailed description of the !OrgAuth framework can be found here:
     123   [wiki:S3AAA/OrgAuth]
    107125=== Record Ownership ===