ESciDoc User Account Filter

=Filter for Users, Privileges and Roles=

General Concept

 * We need the possibility to filter for users, roles and scopes of roles.

Requirements

 * retrieve the list of objects for which a user has been granted role X
 * retrieve the list of roles which a user has been granted on item/container X
 * the latter shall also return the roles which are granted to the context of item/container X
 * retrieve the list of users that have a grant on object X

Realization
We need a new interface-method in the user-account-handler that takes a filter-parameter that can contain:


 * One or more userIds
 * One or more roleIds
 * One or more objectIds


 * --Natasa 15:24, 17 February 2009 (UTC) Proposal MPDL in addition:


 * Revocation-date-from
 * Revocation-date-to
 * granted-date-from
 * granted-date-to
 * creator-id
 * revoker-id
 * i.e. any parameter (with exception of grant/revocation remarks) in role-grant table that is used at present (in case of dates with from/to parameters)--Natasa 15:24, 17 February 2009 (UTC)

The result will be an XML document that contains a list of grants.
 * for us it is acceptable to have the complete records from the role-grant table that satisfy the filter criteria--Natasa 15:24, 17 February 2009 (UTC)

The different id types delivered by the filter (userIds, roleIds, objectIds, ...) are combined with AND.

Multiple values of the same id type delivered by the filter are combined with OR.

Example: filter contains 2 userIds and 2 roleIds. This results in:

(userId=user1 or userId=user2) and (roleId=role1 or roleId=role2)
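The combination rule above, as an added example that is not eSciDoc code: it turns a filter into a parameterized WHERE clause, taking column names only from an allowlist and binding every id or date as a parameter. The table name `role_grant`, the column names, the filter keys and the inclusive date bounds are assumptions made for illustration.

```python
import sqlite3

# Hypothetical column names for illustration; not eSciDoc's real role-grant schema.
ID_COLUMNS = {"userIds": "user_id", "roleIds": "role_id", "objectIds": "object_id"}
RANGE_COLUMNS = {"granted-date": "granted_date", "revocation-date": "revocation_date"}

def build_where(flt):
    """Return (sql, params): OR within one id type, AND across filter keys."""
    clauses, params = [], []
    for key, value in flt.items():
        base, _, bound = key.rpartition("-")
        if key in ID_COLUMNS:
            if not value:
                continue  # assumption: an empty id list places no restriction
            col = ID_COLUMNS[key]  # column comes from the allowlist, never from input
            clauses.append("(" + " OR ".join(f"{col} = ?" for _ in value) + ")")
            params.extend(value)  # ids are bound as parameters
        elif base in RANGE_COLUMNS and bound in ("from", "to"):
            op = ">=" if bound == "from" else "<="  # assumption: inclusive bounds
            clauses.append(f"{RANGE_COLUMNS[base]} {op} ?")
            params.append(value)
        else:
            raise ValueError(f"unsupported filter key: {key}")
    return " AND ".join(clauses) or "1=1", params

def find_grants(conn, flt):
    """Run the filter against the role_grant table and return matching grant ids."""
    where, params = build_where(flt)
    sql = f"SELECT grant_id FROM role_grant WHERE {where} ORDER BY grant_id"
    return [row[0] for row in conn.execute(sql, params)]

def sample_db():
    """Constructed sample grants (dates as same-format strings so they sort correctly)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE role_grant (grant_id, user_id, role_id, object_id,"
                 " granted_date, revocation_date)")
    conn.executemany("INSERT INTO role_grant VALUES (?, ?, ?, ?, ?, ?)", [
        ("g1", "user1", "role1", "item1", "2008-05-01", None),
        ("g2", "user2", "role2", "item1", "2009-01-10", None),
        ("g3", "user3", "role1", "item2", "2009-01-15", None),
        ("g4", "user1", "role3", "item2", "2009-02-01", "2009-02-10"),
    ])
    return conn

if __name__ == "__main__":
    page_example = {"userIds": ["user1", "user2"], "roleIds": ["role1", "role2"]}
    print(build_where(page_example)[0])
    print(find_grants(sample_db(), page_example))
```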

Structure of the filter-xml
escidoc:user2312

escidoc:group2312

escidoc:role2312

escidoc:item2312

active

1980-01-28T07:00:00.000+01:00

2009-01-28T07:00:00.000+01:00

1980-01-28T07:00:00.000+01:00

2009-01-28T07:00:00.000+01:00

escidoc:item2312

escidoc:item2312

Structure of the result-xml
A list of grants according to the grants-schema is returned. The implementation needs a schema change of the grants-schema:

 * the grants-schema doesn't contain the id of the user/group. We need to add element userId and element groupId for the new filter-function
 * add new root-element grant-list to grants-schema

NOTE: grant-schema is used by the following methods of the user-account-handler:

 * createGrant
 * retrieveCurrentGrants
 * retrieveGrant

Questions + Remarks

 * Should we additionally allow providing the name of the role in the filter instead of the id?
 * As we agreed on today's video conference it should only be the role-id