Difference between revisions of "ESciDoc Authorization Authentication"

From MPDLMediaWiki
Revision as of 09:41, 15 October 2007

Please use this page to discuss in general on the authorization mechanisms for core services, solutions etc.


Core services

Core services authorize each method of a core service based on a role definition. A role definition can be:

  1. unlimited (i.e. administrator - can invoke any service method operation)
  2. limited (i.e. based on properties of the resource)

More details on the core service authorization concept are in svn (https://zim01.gwdg.de/repos/smc/tags, framework_release, cpt_authorization_authentication).

At present there are several pre-defined user roles for core services, e.g. author, moderator, editor, etc. These roles are in general derived from some basic requirements of the solutions for PubMan and SWB.

A role for the core services is specified as a set of (Resource, Action, Conditions):

  1. Resource - a resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed, where an action is actually a core service method
  2. Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.)
  3. Conditions - a condition that the resource, or the user executing the action, must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)), etc. (Please consider these as "pseudo" expressions, as the real expressions are written in the form of an XACML policy.)
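To make the pseudo-expression above concrete, here is an added example (not taken from the eSciDoc framework's own policies) of how the role tuple (Item, update, Item.status=pending and user is depositor of Item.context) for an "author" role could be written as an XACML 2.0 policy. The attribute ids in the urn:example namespace, and the modelling of "isDepositor" as a bag of context ids carried by the subject, are assumptions for illustration, not the framework's actual identifiers.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:role:author"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- Target = (role, Resource, Action): subject holds role "author", resource type Item, action update (assumed ids) -->
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">author</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:example:subject:role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Item</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:example:resource:type" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
  <!-- Conditions: Item.status = pending AND Item.context is one of the contexts the user is depositor of -->
  <Rule RuleId="author-may-update-own-pending-item" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <ResourceAttributeDesignator AttributeId="urn:example:resource:item:status" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pending</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <ResourceAttributeDesignator AttributeId="urn:example:resource:item:context-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <SubjectAttributeDesignator AttributeId="urn:example:subject:depositor-context-ids" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Explicit default deny: with first-applicable, any request matching the Target but failing the Condition ends here -->
  <Rule RuleId="deny-otherwise" Effect="Deny"/>
</Policy>
```

An "unlimited" role such as administrator would instead be a Permit rule with no Condition, while the policy enforcement point must still treat every decision other than Permit (Deny, NotApplicable, Indeterminate) as a refusal.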







  1. How do solutions authorize?
  2. What do solutions authorize?