ESciDoc User Account Filter
Filter for Users, Privileges and Roles
- We need to be able to filter by users, roles and scopes of roles.
- retrieve the list of objects for which a user has been granted role X
- retrieve the list of roles which a user has been granted on item/container X
  - the latter shall also return the roles which are granted on the context of item/container X
- retrieve the list of users that have a grant on object X
We need a new interface-method in the user-account-handler that takes a filter-parameter that can contain:
- One or more userIds
- One or more roleIds
- One or more objectIds
- --Natasa 15:24, 17 February 2009 (UTC) Proposal MPDL in addition:
- i.e. any parameter (with exception of grant/revocation remarks) in role-grant table that is used at present (in case of dates with from/to parameters) --Natasa 15:24, 17 February 2009 (UTC)
The result will be an XML document that contains a list of grants.
- for us it is acceptable to have the complete records from the role-grant table that satisfy the filter criteria --Natasa 15:24, 17 February 2009 (UTC)
The different id types delivered by the filter (userIds, roleIds, objectIds, ...) are combined with AND.
Multiple ids of the same type delivered by the filter are combined with OR.
Example: the filter contains 2 userIds and 2 roleIds. This results in:
(userId=user1 or userId=user2) and (roleId=role1 or roleId=role2)
Structure of the filter-xml
<param>
  <filter name="revokerId">escidoc:item2312</filter>
</param>
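The AND/OR semantics described above, applied to a filter document, as an added example (not eSciDoc code). It assumes that several values of one id type are sent as repeated filter elements with the same name, that grant records are plain dictionaries, and that filter names outside the ones mentioned on this page are rejected; the sample grants are constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Filter names taken from this page; anything else is rejected (assumption:
# fail closed, so a mistyped name cannot silently widen the result).
ALLOWED = {"userId", "roleId", "objectId", "revokerId"}

def parse_filter(xml_text):
    """Return {filter name: set of values} from a <param> filter document."""
    root = ET.fromstring(xml_text)
    if root.tag != "param":
        raise ValueError("root element must be <param>")
    criteria = defaultdict(set)
    for el in root:
        name = el.get("name")
        if el.tag != "filter" or name not in ALLOWED:
            raise ValueError(f"unsupported filter: {el.tag} name={name!r}")
        value = (el.text or "").strip()
        if not value:
            raise ValueError(f"empty value for filter {name!r}")
        criteria[name].add(value)
    return dict(criteria)

def filter_grants(grants, criteria):
    """OR within one id type, AND across id types."""
    return [g for g in grants
            if all(g.get(name) in values for name, values in criteria.items())]

# Constructed sample data (hypothetical grant records, not from eSciDoc).
GRANTS = [
    {"userId": "user1", "roleId": "role1", "objectId": "escidoc:item2312"},
    {"userId": "user1", "roleId": "role3", "objectId": "escidoc:item2312"},
    {"userId": "user2", "roleId": "role2", "objectId": "escidoc:item1"},
    {"userId": "user3", "roleId": "role1", "objectId": "escidoc:item1"},
]

# (userId=user1 or userId=user2) and (roleId=role1 or roleId=role2)
FILTER_XML = """<param>
  <filter name="userId">user1</filter>
  <filter name="userId">user2</filter>
  <filter name="roleId">role1</filter>
  <filter name="roleId">role2</filter>
</param>"""

if __name__ == "__main__":
    for grant in filter_grants(GRANTS, parse_filter(FILTER_XML)):
        print(grant)
```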
Structure of the result-xml
A list of grants according to the grants-schema is returned.
Implementation needs a schema change of the grants-schema:
- The grants-schema doesn't contain the id of the user/group. We need to add an element userId and an element groupId for the new filter function.
- Add a new root element grant-list to the grants-schema.
NOTE: grant-schema is used by the following methods of the user-account-handler:
- createGrant
- retrieveCurrentGrants
- retrieveGrant
Questions + Remarks
- Should we additionally allow providing the name of the role in the filter instead of the id?
- As we agreed on today's video conference it should only be the role-id