Difference between revisions of "ESciDoc User Group Handler"

From MPDLMediaWiki

Revision as of 06:45, 2 October 2008

General Concept

We need to enable the grouping of users. These groups are stored in the system, and one or more roles can be granted to a group. Groups can consist of:

  • All users belonging to one or more organizational units and their child organizational units.
  • A list of users defined by their userId.
  • A list of groups defined by their groupId.
  • A list of Attributes that come as User-Credentials from Shibboleth
  • mixed lists of orgUnitIds, userIds, groupIds and Shibboleth-Attributes.

The core system needs a GroupHandler that supports creating, updating, deleting and retrieving groups. It must be possible to grant roles to groups, and to restrict a granted role to a scope (e.g. a particular item). When a user invokes a framework method, the policies of the roles granted to the user are evaluated together with the policies of all roles granted to every group the user belongs to.

Requirements

  • define a new group by providing lists of userIds and/or groupIds and/or organizational unit ids and/or shibboleth-attributes.
  • update a group by changing its member ids (org-unit, user or group)
  • activate/deactivate a group
  • delete a group
  • retrieve a group
  • retrieve filtered list of groups. Filter-criteria:
    • userId
      • returns all groups the user with given userId belongs to.
    • attributeId (organizationalUnitId, userId, groupId)
      • returns all groups that include given attributeId
  • grant roles for a group.
  • revoke role-grants for a group.
  • When requesting a method in the framework, also evaluate the policies of the groups the user belongs to.
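The following added example (not eSciDoc project code) shows how the concept above and the userId filter can be realised: a user's effective groups are resolved by direct userId membership, by organizational unit including the parent chain, by Shibboleth attributes and transitively through nested groups; deactivated groups contribute nothing; a grant is then honoured only if it is unscoped or scoped to the requested object. All class and function names, the sample ids, the role names and the rule that a Shibboleth group matches when all of its attributes match are assumptions made for this example.

```python
"""Resolve a user's effective groups and evaluate role grants (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    group_id: str
    active: bool
    org_units: set = field(default_factory=set)     # member type organizational-unit
    users: set = field(default_factory=set)         # member name user-account
    groups: set = field(default_factory=set)        # member name group (nested groups)
    attributes: dict = field(default_factory=dict)  # shibboleth attribute name -> value


@dataclass(frozen=True)
class Grant:
    role: str
    scope: Optional[str] = None  # None: not restricted to one object


# Constructed sample data: org-unit hierarchy (child -> parent), users, groups, grants
ORG_PARENT = {"escidoc:124": "escidoc:123", "escidoc:125": "escidoc:124"}
USER_ORG = {"escidoc:456": "escidoc:125", "escidoc:789": "escidoc:900"}
USER_ATTRS = {"escidoc:456": {"department": "library"}, "escidoc:789": {"department": "it"}}

GROUPS = {
    "escidoc:345": Group("escidoc:345", True, org_units={"escidoc:123"}),
    "escidoc:99": Group("escidoc:99", True, users={"escidoc:789"}),
    "escidoc:346": Group("escidoc:346", True, groups={"escidoc:99"}),
    "escidoc:347": Group("escidoc:347", False, attributes={"department": "library"}),  # deactivated
    "escidoc:348": Group("escidoc:348", True, attributes={"department": "it"}),
}
USER_GRANTS = {"escidoc:456": {Grant("Depositor")}}
GROUP_GRANTS = {
    "escidoc:345": {Grant("Moderator", scope="escidoc:item:1")},
    "escidoc:346": {Grant("Administrator")},
    "escidoc:347": {Grant("Administrator")},  # never effective: group is deactivated
    "escidoc:348": {Grant("Moderator", scope="escidoc:item:2")},
}


def org_unit_chain(org_unit):
    """Yield the org-unit and all of its ancestors (a parent unit covers its children)."""
    while org_unit is not None:
        yield org_unit
        org_unit = ORG_PARENT.get(org_unit)


def directly_matches(group, user_id):
    """True if the user is a member of the group without following nested groups."""
    if user_id in group.users:
        return True
    if any(ou in group.org_units for ou in org_unit_chain(USER_ORG.get(user_id))):
        return True
    attrs = USER_ATTRS.get(user_id, {})
    # assumption: every attribute listed on the group has to match the user's credentials
    return bool(group.attributes) and all(attrs.get(k) == v for k, v in group.attributes.items())


def resolve_groups(user_id):
    """All active groups the user belongs to (the userId filter), including nested groups.

    Assumption: a deactivated group is ignored entirely, so it neither contributes
    grants nor makes its members part of the groups that contain it.
    """
    active = [g for g in GROUPS.values() if g.active]
    found = {g.group_id for g in active if directly_matches(g, user_id)}
    changed = True
    while changed:  # fixed point over nested group membership
        changed = False
        for g in active:
            if g.group_id not in found and g.groups & found:
                found.add(g.group_id)
                changed = True
    return found


def effective_grants(user_id):
    """Grants held by the user directly plus those of all groups the user belongs to."""
    grants = set(USER_GRANTS.get(user_id, ()))
    for gid in resolve_groups(user_id):
        grants |= GROUP_GRANTS.get(gid, set())
    return grants


def is_permitted(user_id, role, object_id):
    """Role must be held unscoped or scoped exactly to the object being accessed."""
    return any(g.role == role and g.scope in (None, object_id)
               for g in effective_grants(user_id))


if __name__ == "__main__":
    print(sorted(resolve_groups("escidoc:456")), is_permitted("escidoc:456", "Moderator", "escidoc:item:1"))
```

User escidoc:456 reaches group escidoc:345 only through the org-unit chain 125 → 124 → 123, so the scoped Moderator grant applies to escidoc:item:1 and to nothing else; the Administrator grant of the deactivated group escidoc:347 never becomes effective even though the user's department attribute matches it.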

XML

    <group id="escidoc:345" last-modification-date="2008-09-30">
      <properties>
        <creation-date>2008-05-23</creation-date>
        <created-by>escidoc:2121</created-by>
        <modified-by>escidoc:2121</modified-by>
        <name>my first group</name>
        <description>my first group</description>
        <active>true</active>
      </properties>
      <members>
        <member type="organizational-unit">escidoc:123</member>
        <member name="user-account" type="internal">escidoc:456</member>
        <member name="group" type="internal">escidoc:99</member>
        <member name="department" type="shibboleth-attribute">smth from shibboleth</member>
      </members>
      <resources>
        <current-grants>
          …….
        </current-grants>
      </resources>
    </group>
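As an added example (not eSciDoc project code), the parser below reads a group document in the representation shown above, rejects documents whose <active> flag is not the literal true or false instead of guessing, and implements the attributeId filter from the requirements over a list of parsed groups. The sample document is constructed from the format on this page; the <grant> element inside <current-grants>, the attribute value "library" and all function and class names are assumptions.

```python
"""Parse the group XML representation and apply the attributeId filter (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample document following the representation on this page
SAMPLE_GROUP_XML = """<group id="escidoc:345" last-modification-date="2008-09-30">
  <properties>
    <creation-date>2008-05-23</creation-date>
    <created-by>escidoc:2121</created-by>
    <modified-by>escidoc:2121</modified-by>
    <name>my first group</name>
    <description>my first group</description>
    <active>true</active>
  </properties>
  <members>
    <member type="organizational-unit">escidoc:123</member>
    <member name="user-account" type="internal">escidoc:456</member>
    <member name="group" type="internal">escidoc:99</member>
    <member name="department" type="shibboleth-attribute">library</member>
  </members>
  <resources>
    <current-grants>
      <grant role="Moderator" scope="escidoc:item:1"/>
    </current-grants>
  </resources>
</group>
"""


@dataclass(frozen=True)
class Member:
    name: Optional[str]  # user-account, group, department, ...; None for the org-unit form
    type: str            # organizational-unit, internal or shibboleth-attribute
    value: str


@dataclass
class GroupDoc:
    group_id: str
    name: str
    active: bool
    members: List[Member]


def _parse_active(text):
    """Accept only the literal 'true'/'false'; anything else is an error, not 'active'."""
    if text == "true":
        return True
    if text == "false":
        return False
    raise ValueError(f"invalid <active> value: {text!r}")


def parse_group(xml_text):
    """Parse one group document into a GroupDoc, validating the parts the handler relies on."""
    root = ET.fromstring(xml_text)
    if root.tag != "group" or "id" not in root.attrib:
        raise ValueError("not a group document")
    props = root.find("properties")
    if props is None or props.find("active") is None:
        raise ValueError("group without <properties>/<active>")
    members = []
    for m in root.iterfind("members/member"):
        value = (m.text or "").strip()
        if "type" not in m.attrib or not value:
            raise ValueError("member without type or value")
        members.append(Member(m.get("name"), m.get("type"), value))
    active = _parse_active((props.findtext("active") or "").strip())
    return GroupDoc(root.get("id"), props.findtext("name", ""), active, members)


def groups_including(groups, attribute_id):
    """attributeId filter: groups with a direct org-unit, user or group member with that id.

    Shibboleth attribute values are credentials, not ids, so they are not matched here.
    """
    return [g.group_id for g in groups
            if any(m.value == attribute_id and m.type != "shibboleth-attribute"
                   for m in g.members)]


if __name__ == "__main__":
    doc = parse_group(SAMPLE_GROUP_XML)
    print(doc.group_id, doc.active, groups_including([doc], "escidoc:456"))
```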