Difference between revisions of "ESciDoc User Group Handler"

From MPDLMediaWiki
Revision as of 21:27, 3 October 2008

General Concept

We need to enable the grouping of users. These groups are held in the system, and one or more roles can be granted to a group. A group can consist of:

  • All users belonging to one or more organizational units, including their child organizational units.
  • A list of users defined by their userId.
  • A list of groups defined by their groupId.
  • A list of attributes delivered as user credentials by Shibboleth.
  • Mixed lists of orgUnitIds, userIds, groupIds and Shibboleth attributes.

The core system needs a GroupHandler that supports creating, updating, deleting and retrieving groups. It must be possible to grant roles to groups, and to restrict a granted role to a scope (e.g. a particular item). When a user calls a method in the framework, not only the policies of the roles granted to the user are evaluated, but also the policies of all roles granted to all groups the user belongs to.

Open questions: the evaluated set should be the distinct policies, since the same policy can be granted both directly to the user and via a group. When evaluating, which policies have priority: the user's direct policies first, then the group policies?

Requirements for the Group handler

  • define a new group by providing lists of ids (userIds and/or groupIds and/or organizational unit ids) and/or Shibboleth attributes.
  • update a group by changing its ids (organizational unit, user or group).
  • activate/deactivate a group.
  • delete a group.
  • retrieve a group.
  • retrieve a filtered list of groups. Filter criteria:
    • userId
      • returns all groups the user with the given userId belongs to.
    • attributeId (organizationalUnitId, userId or groupId)
      • returns all groups that contain the given id as a member.
  • grant roles to a group.
  • revoke role grants from a group.

Requirements for the Authorization

  • When a method of the framework is requested, the policies of all groups the user belongs to are evaluated in addition to the user's own policies.
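The evaluation described in the concept and in this requirement, as an added worked example written for this page (Python; not eSciDoc code). It resolves the groups a user effectively belongs to by user id, by organizational unit including the unit's ancestors, by Shibboleth attribute and through nested groups (terminating even when nesting is circular), ignores deactivated groups, takes the distinct union of the user's direct grants and the grants of every effective group, and honours the scope of a grant. All ids, the organizational-unit hierarchy, the role names and the Group/Grant/User structures are constructed assumptions.

```python
"""Effective-group resolution and grant evaluation, written for this page.

Not eSciDoc code: the ids, the organizational-unit hierarchy, the role names and
the Group/Grant/User structures below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    gid: str
    active: bool = True
    user_ids: set = field(default_factory=set)      # members of type user-account
    group_ids: set = field(default_factory=set)     # members of type group (nesting)
    org_unit_ids: set = field(default_factory=set)  # members of type organizational-unit
    shib_attrs: set = field(default_factory=set)    # (attribute name, value) pairs


@dataclass(frozen=True)
class Grant:
    role: str
    scope: Optional[str] = None  # None: unrestricted; otherwise the id of the scoped object


@dataclass
class User:
    uid: str
    org_unit_ids: set  # org units the account belongs to
    shib_attrs: set    # (attribute name, value) pairs delivered by Shibboleth


# Constructed org-unit tree, child -> parent: 125 lies below 124, which lies below 123.
ORG_PARENT = {"escidoc:124": "escidoc:123", "escidoc:125": "escidoc:124"}


def org_unit_and_ancestors(ou):
    """An org unit plus all its ancestors: a group listing an org unit covers its child units."""
    chain = []
    while ou is not None and ou not in chain:  # 'not in chain' guards a malformed cycle
        chain.append(ou)
        ou = ORG_PARENT.get(ou)
    return chain


def is_direct_member(user, group):
    """Membership by user id, by (ancestor) org unit, or by a matching Shibboleth attribute."""
    if user.uid in group.user_ids:
        return True
    user_ous = {a for ou in user.org_unit_ids for a in org_unit_and_ancestors(ou)}
    if user_ous & group.org_unit_ids:
        return True
    return bool(user.shib_attrs & group.shib_attrs)


def effective_groups(user, groups):
    """Ids of all active groups the user belongs to, directly or through nested groups.

    A fixpoint over the group table terminates even when nesting is circular.
    Assumption: a deactivated group is ignored entirely, so it neither confers
    membership itself nor relays membership to groups that contain it.
    """
    member_of = {g.gid for g in groups.values() if g.active and is_direct_member(user, g)}
    changed = True
    while changed:
        changed = False
        for g in groups.values():
            if g.active and g.gid not in member_of and g.group_ids & member_of:
                member_of.add(g.gid)
                changed = True
    return member_of


def effective_grants(user, groups, user_grants, group_grants):
    """Distinct union: a grant held both directly and via a group is evaluated once."""
    grants = set(user_grants.get(user.uid, ()))
    for gid in effective_groups(user, groups):
        grants |= set(group_grants.get(gid, ()))
    return grants


def is_permitted(user, role, object_id, groups, user_grants, group_grants):
    """True if some effective grant carries the role unrestricted or scoped to object_id."""
    return any(g.role == role and g.scope in (None, object_id)
               for g in effective_grants(user, groups, user_grants, group_grants))


# Constructed sample data.
GROUPS = {
    "escidoc:99": Group("escidoc:99", user_ids={"escidoc:456"}),
    "escidoc:345": Group("escidoc:345", org_unit_ids={"escidoc:123"},
                         group_ids={"escidoc:99"}, shib_attrs={("department", "library")}),
    "escidoc:400": Group("escidoc:400", group_ids={"escidoc:345"}),
    "escidoc:500": Group("escidoc:500", active=False, user_ids={"escidoc:789"}),
}
GROUPS["escidoc:99"].group_ids.add("escidoc:400")  # circular nesting: 99 -> 400 -> 345 -> 99

USER_GRANTS = {"escidoc:456": {Grant("Author", "escidoc:item-1")}}
GROUP_GRANTS = {
    "escidoc:345": {Grant("Depositor")},                    # unrestricted
    "escidoc:400": {Grant("Moderator", "escidoc:item-7")},  # scoped to one item
    "escidoc:500": {Grant("Administrator")},                # never effective: group inactive
}

ALICE = User("escidoc:456", org_unit_ids=set(), shib_attrs=set())           # listed in group 99
BOB = User("escidoc:777", org_unit_ids={"escidoc:125"}, shib_attrs=set())  # in a child unit of 123
CAROL = User("escidoc:789", org_unit_ids=set(), shib_attrs=set())           # only in inactive 500

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u.uid, sorted(effective_groups(u, GROUPS)),
              is_permitted(u, "Depositor", "escidoc:item-3", GROUPS, USER_GRANTS, GROUP_GRANTS))
```

The fixpoint loop in effective_groups is what makes circular nesting safe: 99 contains 400, which contains 345, which contains 99 again, and the loop simply stops once no new group is added. Carol is a member only of the deactivated group 500, so its Administrator grant never reaches her; whether an inactive group should still relay membership to groups that contain it is left open by the page and is decided here by assumption.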

User group Handler interface

Handler methods

  • createGroup
    • creates the group and sets its label and description (group labels are unique)
    • a group type (OU, USER, SHIB, MIXED) might also be useful; not yet decided
  • retrieveGroup
    • retrieves the group by id or label
  • updateGroup
    • updates the group
  • deleteGroup
    • deletes the group (only allowed while the group is inactive)
  • add group member(s)
    • adds group members (list of object ids and/or Shibboleth attributes)
  • remove group member(s)
    • removes group members (list of object ids and/or Shibboleth attributes)
  • retrieveMembers
    • retrieves the group members together with status information for the object ids; members can be filtered by specific criteria
      • filter criteria (multiple allowed): list of object ids and/or Shibboleth attributes
  • activate
  • deactivate
  • createGrant
    • grants a role to the group, optionally restricted to a scope (e.g. a particular item)
  • revokeGrant
    • revokes a given grant from the group
  • revokeGrants
    • revokes a list of grants, or all grants, from the group
  • retrieveGrants
    • retrieves the grants of the group: active grants by default, inactive grants on request
  • retrieveGroups
    • retrieves a list of groups with their description, status and members; groups can be filtered by specific criteria
      • filter criteria (multiple allowed): list of object ids and/or Shibboleth attributes

XML

<group id="escidoc:345" last-modification-date="2008-09-30">
  <properties>
    <creation-date>2008-05-23</creation-date>
    <created-by>escidoc:2121</created-by>
    <modified-by>escidoc:2121</modified-by>
    <name>my first group</name>
    <description>my first group</description>
    <active>true</active>
  </properties>
  <members>
    <member type="organizational-unit">escidoc:123</member>
    <member name="user-account" type="internal">escidoc:456</member>
    <member name="group" type="internal">escidoc:99</member>
    <member name="department" type="shibboleth-attribute">smth from shibboleth</member>
  </members>
  <resources>
    <current-grants>
      …….
    </current-grants>
  </resources>
</group>
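A parser for the group document above, added here as an example written for this page (Python; not eSciDoc code). The embedded sample is a constructed, well-formed variant of the draft document: straight quotes, a concrete Shibboleth value, and an empty current-grants element in place of the elided grants. Because the draft lists members in two forms, the parser accepts both and normalises them: with type="internal" the name attribute carries the member kind, otherwise type does, and for shibboleth-attribute members name is the attribute name and the element text the value. That normalisation, and the check that every internal member references an escidoc:<number> id before it is accepted, are assumptions of this example rather than decisions the page has made.

```python
"""Parser for the group XML document, written for this page (not eSciDoc code).

Assumptions: the member normalisation rule described in the lead-in, and the
requirement that internal member references and the group id look like
escidoc:<digits>. The sample document below is constructed.
"""
import re
import xml.etree.ElementTree as ET

ESCIDOC_ID = re.compile(r"^escidoc:[0-9]+$")
INTERNAL_KINDS = {"organizational-unit", "user-account", "group"}

# Constructed sample, following the draft above but well-formed.
SAMPLE_GROUP_XML = """<group id="escidoc:345" last-modification-date="2008-09-30">
  <properties>
    <creation-date>2008-05-23</creation-date>
    <created-by>escidoc:2121</created-by>
    <modified-by>escidoc:2121</modified-by>
    <name>my first group</name>
    <description>my first group</description>
    <active>true</active>
  </properties>
  <members>
    <member type="organizational-unit">escidoc:123</member>
    <member name="user-account" type="internal">escidoc:456</member>
    <member name="group" type="internal">escidoc:99</member>
    <member name="department" type="shibboleth-attribute">library</member>
  </members>
  <resources>
    <current-grants/>
  </resources>
</group>"""


def parse_member(el):
    """Normalise one <member> element into a dict; reject anything that is not a known form."""
    mtype = el.get("type")
    name = el.get("name")
    value = (el.text or "").strip()
    if mtype == "shibboleth-attribute":
        if not name:
            raise ValueError("shibboleth-attribute member needs a name attribute")
        return {"kind": "shibboleth-attribute", "attribute": name, "value": value}
    kind = name if mtype == "internal" else mtype  # assumption: see lead-in
    if kind not in INTERNAL_KINDS:
        raise ValueError(f"unknown member form: type={mtype!r} name={name!r}")
    if not ESCIDOC_ID.match(value):
        # An internal reference must be an object id; nothing else is ever resolved.
        raise ValueError(f"{kind} member must reference an escidoc id, got {value!r}")
    return {"kind": kind, "id": value}


def parse_group(xml_text):
    """Parse a group document into a dict with validated id, active flag and members."""
    root = ET.fromstring(xml_text)
    if root.tag != "group":
        raise ValueError(f"expected a <group> document, got <{root.tag}>")
    gid = root.get("id")
    if not gid or not ESCIDOC_ID.match(gid):
        raise ValueError(f"bad group id {gid!r}")
    props = root.find("properties")
    if props is None:
        raise ValueError("group has no <properties>")
    active_text = (props.findtext("active") or "").strip().lower()
    if active_text not in ("true", "false"):  # strict: no silent default to active
        raise ValueError(f"<active> must be true or false, got {active_text!r}")
    return {
        "id": gid,
        "last_modification_date": root.get("last-modification-date"),
        "name": props.findtext("name"),
        "description": props.findtext("description"),
        "created_by": props.findtext("created-by"),
        "active": active_text == "true",
        "members": [parse_member(m) for m in root.findall("members/member")],
    }


def members_of_kind(group, kind):
    """Members of one kind, e.g. 'user-account' or 'shibboleth-attribute'."""
    return [m for m in group["members"] if m["kind"] == kind]


def rejects(xml_text):
    """True if the document is refused by parse_group (used to exercise the checks)."""
    try:
        parse_group(xml_text)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    g = parse_group(SAMPLE_GROUP_XML)
    print(g["id"], g["active"], [m["kind"] for m in g["members"]])
```

The two rejection paths matter most for a handler that later resolves members: an internal member whose text is not an object id is refused at parse time rather than handed to a lookup, and an `<active>` value other than true or false is an error instead of being treated as active.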


  • question on the member element => is it member type or is member name an attribute? I assume it is a typo and everywhere it is member-type? --Natasa 10:04, 2 October 2008 (UTC)