!OrgAuth is the family of security policies which allow multiple organisations sharing the same instance of Sahana Eden to control who can access their data, and with which permissions.

All !OrgAuth policies are built on the following base concepts:

A '''person entity''' is a type of record which describes a business entity involving one or more individual persons: e.g. organisations, offices, teams, and of course persons themselves.

The '''realm''' of a person entity is the set of all records controlled ("owned") by that entity, i.e. "their data". How and why an entity gains control over a record can be defined per record type, and even as a deployment option.

In an organisational structure, a person entity can be a sub-unit ('''organisation unit''', OU) of another person entity, e.g. an office can be a sub-unit of an organisation, or a person a sub-unit of a team.

Under !OrgAuth policies, a user can be assigned a role ''for a realm'': the permissions resulting from that role assignment apply only to records within the realm, and have no effect outside it. A user who needs the same permissions for the data of two organisations therefore needs two role assignments, one for each realm.

!OrgAuth policies 7 and 8 additionally implement a hierarchy of realms, where the realm of an entity includes the realms of all its OUs (so a role assigned for an organisation's realm also covers records owned by that organisation's offices and teams).

!OrgAuth policy 8 further allows access rights for a realm to be delegated to other entities (rather than to particular users), thus facilitating controlled data sharing at the organisation level.

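The three mechanisms described above (a role assigned for a realm, the realm hierarchy of policies 7 and 8, and the entity-level delegation of policy 8) are shown in the following Python model. It is an illustration added for this page, not Sahana Eden's own implementation: the class `RealmAuth`, its methods, the entity and role names, and the exact delegation semantics (users holding a role for the receiving entity's realm gain that role for the delegating entity's realm) are assumptions of the example.

```python
"""
Toy model of OrgAuth realm-scoped permissions.

ADDED ILLUSTRATION, not Sahana Eden code: entity names, role names, the
policy numbers' semantics and the helper API below are assumptions made
for this example only.  It models a role assigned *for a realm*, the realm
hierarchy of policies 7/8 (an entity's realm includes the realms of its
OUs), and the policy-8 delegation of a role for a realm to another entity.
"""
from collections import defaultdict


class RealmAuth:
    def __init__(self, policy):
        self.policy = policy                   # 6, 7 or 8 (assumed semantics)
        self.parent = {}                       # OU -> its parent entity
        self.roles = {}                        # role -> set of allowed methods
        self.assignments = defaultdict(set)    # user -> {(role, realm_entity|None)}
        self.delegations = defaultdict(set)    # (receiver, role) -> {delegating entities}

    def add_ou(self, child, parent):
        """Declare `child` as an organisation unit (OU) of `parent`."""
        self.parent[child] = parent

    def define_role(self, role, methods):
        self.roles[role] = set(methods)

    def assign_role(self, user, role, for_pe=None):
        """Assign `role` to `user`, limited to the realm of `for_pe` (None = site-wide)."""
        self.assignments[user].add((role, for_pe))

    def delegate(self, delegator, role, receiver):
        """Policy 8: holders of `role` in `receiver`'s realm may act in `delegator`'s realm."""
        self.delegations[(receiver, role)].add(delegator)

    def realm_chain(self, owner):
        """Entities whose realm contains a record owned by `owner`.

        Below policy 7 that is the owner alone; from policy 7 on, every OU
        ancestor's realm includes the owner's realm as well."""
        chain = {owner}
        if self.policy < 7:
            return chain
        while owner in self.parent:
            owner = self.parent[owner]
            chain.add(owner)
        return chain

    def permitted(self, user, method, owner):
        """May `user` apply `method` to a record whose realm entity is `owner`?"""
        containing = self.realm_chain(owner)
        for role, realm in self.assignments.get(user, ()):
            if method not in self.roles.get(role, ()):
                continue
            if realm is None:                  # role held without realm restriction
                return True
            realms = {realm}
            if self.policy >= 8:               # delegated realms count only under policy 8
                realms |= self.delegations[(realm, role)]
            if realms & containing:
                return True
        return False


def build_demo(policy):
    """Constructed sample deployment: two organisations, one OU chain, one delegation."""
    auth = RealmAuth(policy)
    auth.add_ou("office:RC-Nairobi", "org:RedCross")
    auth.add_ou("team:RC-Nairobi-Logistics", "office:RC-Nairobi")
    auth.add_ou("office:NGO-B-Mombasa", "org:NGO-B")
    auth.define_role("editor", ["read", "update"])
    auth.define_role("admin", ["read", "update", "delete"])
    auth.assign_role("alice", "editor", for_pe="org:RedCross")   # role for one realm
    auth.assign_role("carol", "admin")                            # unrestricted
    auth.delegate("org:NGO-B", "editor", "org:RedCross")          # NGO-B shares with RedCross
    return auth


if __name__ == "__main__":
    for policy in (6, 7, 8):
        a = build_demo(policy)
        print(policy,
              a.permitted("alice", "update", "team:RC-Nairobi-Logistics"),
              a.permitted("alice", "update", "office:NGO-B-Mombasa"))
```

Running the script prints, per policy, whether alice (editor for the RedCross realm only) may update a record owned by the Nairobi logistics team and one owned by NGO-B's Mombasa office: the first is allowed only from policy 7 on (realm hierarchy), the second only under policy 8 (delegation), and neither assignment ever grants the `delete` method that only the admin role carries.
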
A detailed description of the !OrgAuth framework can be found here:

[wiki:S3AAA/OrgAuth]