Changes between Version 88 and Version 89 of S3/S3AAA


Timestamp: 09/04/12 09:21:23
Author: Dominic König
v88 → v89

(unchanged) === !OrgAuth ===

Removed (v88):
   * ''to be written''

Added (v89):
!OrgAuth are security policies which allow multiple organizations using the same instance of Sahana Eden to control who can access their data and with which permissions.

The !OrgAuth policies are all based on the following base concepts:

  A '''person entity''' is a type of record describing business entities which involve one or more individual persons. This can be, e.g., organisations, offices, teams, and of course persons.

  A '''realm''' of a person entity is the set of all records controlled ("owned") by this entity (="their data"). How and why an entity gains control over a record can be defined per record type, and even as deployment options.

  In an organizational structure, a person entity can be a sub-unit ('''organization unit''', OU) of another person entity. E.g. an office can be a sub-unit of an organisation, or a person a sub-unit of a team.

In !OrgAuth policies, a user can be assigned a role ''for a realm''. That is, the permissions resulting from this role assignment are limited to the records within the realm - whilst they have no effect outside the realm.

!OrgAuth policies 7 and 8 also implement a hierarchy of realms, where the realm of an entity includes the realms of all its OUs.

!OrgAuth policy 8 additionally allows the delegation of access rights for a realm to other entities (rather than to particular users), thus facilitating controlled data sharing at the organization level.

A detailed description of the !OrgAuth framework can be found here:

   [wiki:S3AAA/OrgAuth]

(unchanged) === Record Ownership ===
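The realm, OU-hierarchy and delegation rules in the added text, as a runnable toy model. This is an example added for this page; it is not Sahana Eden's own S3AAA implementation. The entity names, the record ownership table, the role assignments, the `USER_ENTITY` membership table and the rule that a delegation to an entity also covers that entity's OUs are constructed assumptions made for the demo; the policy numbers (hierarchy from policy 7, delegation from policy 8) follow the text.

```python
"""Toy model of OrgAuth-style realm-based access control.

Added example for this page, NOT Sahana Eden's own S3AAA code.  All data
below is constructed for the demonstration.
"""

# Organizational structure: person entity -> parent organization unit
# (None = top-level entity).  Constructed sample data.
OU_PARENT = {
    "org_a": None,
    "office_a1": "org_a",       # office is an OU of org_a
    "team_a1x": "office_a1",    # team is an OU of office_a1
    "org_b": None,
}

# Record ownership: record -> owning person entity (constructed).
RECORDS = {
    "r_org_a": "org_a",
    "r_office_a1": "office_a1",
    "r_team_a1x": "team_a1x",
    "r_org_b": "org_b",
}

# Permissions granted by each role (constructed).
ROLE_PERMS = {"editor": {"read", "update"}, "reader": {"read"}}

# Role assignments *for a realm*: user -> [(role, realm entity)].
ASSIGNMENTS = {
    "alice": [("editor", "office_a1")],
    "bob": [("reader", "org_b")],
}

# Policy 8 only: rights for a realm delegated to other *entities*.
# (realm entity, role) -> set of grantee entities.
DELEGATIONS = {("office_a1", "reader"): {"org_b"}}

# Entity each user belongs to.  Assumption used by the delegation rule:
# a delegation to entity G applies to users who belong to G or one of its OUs.
USER_ENTITY = {"alice": "office_a1", "bob": "org_b"}


def sub_units(entity):
    """The entity together with all its organization units, transitively."""
    result = {entity}
    frontier = [entity]
    while frontier:
        parent = frontier.pop()
        for child, p in OU_PARENT.items():
            if p == parent and child not in result:
                result.add(child)
                frontier.append(child)
    return result


def realm(entity, policy):
    """Entities whose records belong to `entity`'s realm under `policy`.

    Policies 7 and 8 make realms hierarchical (the realm includes the realms
    of all OUs); below policy 7 a realm is just the entity's own records.
    """
    return sub_units(entity) if policy >= 7 else {entity}


def effective_roles(user, policy):
    """(role, realm entity) pairs the user holds, plus delegated ones (policy 8)."""
    roles = list(ASSIGNMENTS.get(user, []))
    if policy >= 8:
        member_of = USER_ENTITY.get(user)
        for (realm_entity, role), grantees in DELEGATIONS.items():
            if any(member_of in sub_units(g) for g in grantees):
                roles.append((role, realm_entity))
    return roles


def permissions(user, record, policy):
    """Permissions `user` has on `record`: the union of the permissions of
    every role whose realm contains the record's owner.  Roles have no
    effect outside their realm."""
    owner = RECORDS[record]
    perms = set()
    for role, realm_entity in effective_roles(user, policy):
        if owner in realm(realm_entity, policy):
            perms |= ROLE_PERMS[role]
    return perms


def permitted(user, record, method, policy):
    """True if `method` (e.g. "read", "update") is allowed for the user."""
    return method in permissions(user, record, policy)


if __name__ == "__main__":
    for policy in (6, 7, 8):
        print(f"policy {policy}:")
        for user in ("alice", "bob"):
            for record in RECORDS:
                print(f"  {user:5} {record:12} {sorted(permissions(user, record, policy))}")
```

Running the script shows the three regimes side by side: under policy 6 Alice's editor role on `office_a1` reaches only that office's own records; from policy 7 it also reaches the team below it but never the parent organisation; and only under policy 8 does Bob, who belongs to `org_b`, gain read access to the office's realm through the delegation, still without the update right his own role never carried.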