ESciDoc User Group Handler

From MPDLMediaWiki

General Concept

We need to enable the grouping of users. Groups are held in the system, and one or more roles can be granted to a group. Groups can consist of:

  • All users belonging to one or more organizational units and their child organizational units.
  • A list of users defined by their userId.
  • A list of groups defined by their groupId.
  • A list of attributes that arrive as user credentials from Shibboleth.
  • Mixed lists of orgUnitIds, userIds, groupIds and Shibboleth attributes.

The core system needs a GroupHandler that supports creating, updating, deleting and retrieving groups. It must be possible to grant roles to groups, and to restrict a granted role to a scope (e.g. a particular item). When a user calls a method in the framework, not only the policies of the roles granted to the user are evaluated, but also the policies of all roles granted to all groups the user belongs to.

all distinct policies (sometimes the same policy can be granted both via a group and directly)--Natasa 21:29, 3 October 2008 (UTC)
when evaluating, which policies will have priority - direct user and then group policies?--Natasa 21:29, 3 October 2008 (UTC)

Requirements for the Group handler

  • define a new group by providing lists of IDs (userIds and/or groupIds and/or organizational unit ids) and/or Shibboleth attributes.
  • update a group by changing the ids (org-unit, user or group)
  • activate/deactivate a group
  • delete a group
  • retrieve a group
  • retrieve filtered list of groups. Filter-criteria:
    • userId
      • returns all groups the user with given userId belongs to.
    • attributeId (organizationalUnitId, userId, groupId)
      • returns all groups that include given attributeId
  • grant roles for a group.
  • revoke role-grants for a group.

Requirements for the Authorization

  • When requesting a method in the framework, also evaluate relevant policies of the groups the user belongs to.

User group Handler interface

Handler methods

  • create
    • to create the group and define group label and the group description (group labels unique)
    • creates the group with the properties and the selectors but not the grants
    • maybe it would also be nice to provide something like a type of the group (OU, USER, SHIB, MIXED) - not certain
  • retrieve
    • to retrieve the group by id or label. The returned XML contains properties, selectors and grants.
  • update
    • to update the group
    • only properties are updateable via this method, not the selectors or the grants
  • delete
    • to delete the group (only if inactive)
  • addSelectors
    • to add group selectors (list of object ids and/or Shibboleth attributes)
  • removeSelectors
    • to remove group selectors (list of object ids and/or Shibboleth attributes)
  • retrieveSelectors (not in first release)
    • to retrieve group selectors and give information on status for object ids (selectors filtered for a specific criteria)
      • filter criteria (multiple to be allowed): list of object ids and/or Shibboleth attributes (do you have a requirement for that?)
yes, :) --Natasa 14:36, 26 February 2009 (UTC)
  • activate
  • deactivate
  • createGrant
    • to grant a role to the group for a scope
  • revokeGrant
    • to revoke a given grant from the group
  • revokeGrants
    • to revoke a list or all grants from the group
  • retrieveGrants with filterXml
    • to retrieve the active (default) or inactive grants of the group
  • retrieveUserGroups
    • to retrieve a list of groups, their description, status and members (groups filtered for a specific criteria)
      • filter criteria (multiple to be allowed): list of object ids and/or Shibboleth attributes

XML

<user-group id="escidoc:345" last-modification-date="2008-09-30">
  <properties>
    <creation-date>2008-05-23</creation-date>
    <created-by>escidoc:2121</created-by>
    <modified-by>escidoc:2121</modified-by>
    <name>my first group</name>
    <description>my first group</description>
    <label>unique label</label>
    <type>OU, USER, SHIB, MIXED</type>
    <active>true</active>
  </properties>
  <selectors>
    <selector name="organizational-unit" type="internal">escidoc:123</selector>
    <selector name="user-account" type="internal">escidoc:456</selector>
    <selector name="user-group" type="internal">escidoc:99</selector>
    <selector name="department" type="user-attribute">something from Shibboleth, LDAP or an internal user attribute</selector>
  </selectors>
  <resources>
    <current-grants>
      …….
    </current-grants>
  </resources>
</user-group>
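
As an added example (not eSciDoc code), the Python below parses user-group documents in the XML format above and resolves the groups a user belongs to the way the authorization requirement describes: an organizational-unit selector also covers child units, user-group selectors nest, inactive groups count for nothing, and the grants of the user and of every resolved group are collapsed to distinct (role, scope) pairs. The org-unit tree, the three group documents, the user, the role names and the grant tuples are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not eSciDoc data): org-unit tree as child -> parent, plus three
# user-group documents in the page's XML format (other properties and grants trimmed).
OU_PARENT = {"escidoc:124": "escidoc:123", "escidoc:123": None}
GROUPS_XML = [
    '<user-group id="escidoc:345"><properties><active>true</active></properties><selectors>'
    '<selector name="organizational-unit" type="internal">escidoc:123</selector>'
    '<selector name="department" type="user-attribute">physics</selector></selectors></user-group>',
    '<user-group id="escidoc:99"><properties><active>true</active></properties><selectors>'
    '<selector name="user-group" type="internal">escidoc:345</selector></selectors></user-group>',
    '<user-group id="escidoc:500"><properties><active>false</active></properties><selectors>'
    '<selector name="user-account" type="internal">escidoc:456</selector></selectors></user-group>',
]

def parse_group(xml_text):
    """Read id, active flag and (name, type, value) selectors from one user-group document."""
    root = ET.fromstring(xml_text)
    return {"id": root.get("id"), "active": root.findtext("properties/active") == "true",
            "selectors": [(s.get("name"), s.get("type"), s.text.strip()) for s in root.iter("selector")]}

def ou_ancestors(ou):
    """The user's org unit plus every unit above it: an OU selector also covers its child units."""
    while ou is not None:
        yield ou
        ou = OU_PARENT.get(ou)

def selector_matches(user, name, kind, value, member_groups):
    if kind == "user-attribute":              # Shibboleth, LDAP or internal user attribute
        return user["attributes"].get(name) == value
    return {"user-account": value == user["id"],
            "organizational-unit": value in ou_ancestors(user["ou"]),
            "user-group": value in member_groups}.get(name, False)

def resolve_groups(user, groups):
    """All active groups the user belongs to, directly or through nested groups (cycle-safe)."""
    active = {g["id"]: g["selectors"] for g in groups if g["active"]}  # inactive groups are ignored
    member, changed = set(), True
    while changed:  # iterate to a fixed point so group-in-group chains of any depth resolve
        changed = False
        for gid, sels in active.items():
            if gid not in member and any(selector_matches(user, n, k, v, member) for n, k, v in sels):
                member.add(gid); changed = True
    return member

def effective_grants(user, groups, grants):
    """Distinct (role, scope) grants held by the user directly or via any resolved group."""
    holders = {user["id"]} | resolve_groups(user, groups)
    return {(role, scope) for holder, role, scope in grants if holder in holders}

# Constructed inputs: a user in child OU escidoc:124, and grants as (holder, role, scope) tuples.
USER = {"id": "escidoc:456", "ou": "escidoc:124", "attributes": {"department": "physics"}}
GRANTS = [("escidoc:456", "Author", "escidoc:ctx1"), ("escidoc:345", "Author", "escidoc:ctx1"),
          ("escidoc:99", "Depositor", "escidoc:ctx1"), ("escidoc:500", "Administrator", None)]
```

The same "Author" grant held directly and via group escidoc:345 appears once in the result, and the Administrator grant of the inactive group escidoc:500 never applies.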


  • question on member element => is it member type or is member name an attribute? I assume it is a typo-error and everywhere is member-type? --Natasa 10:04, 2 October 2008 (UTC)