Difference between revisions of "ESciDoc Authorization Authentication"
Jump to navigation
Jump to search
| Line 6: | Line 6: | ||
Core services authorize each method of a core service based on a role definition. A role definition can be: | Core services authorize each method of a core service based on a role definition. A role definition can be: | ||
* unlimited (i.e. administrator - can invoke any service method operation) | |||
* limited (i.e. based on properties of the resource ) | |||
More details on the core service authorization concept in [https://zim01.gwdg.de/repos/smc/tags svn, framework_release, cpt_authorization_authentication] | More details on the core service authorization concept in [https://zim01.gwdg.de/repos/smc/tags svn, framework_release, cpt_authorization_authentication] | ||
| Line 14: | Line 14: | ||
These roles are in general derived from some basic requirements of the solutions for PubMan and SWB. | These roles are in general derived from some basic requirements of the solutions for PubMan and SWB. | ||
A role for the core services is specified as a set of (Resource, Action, Conditions): | A limited role for the core services is specified as a set of (Resource, Action, Conditions): | ||
* Resource - a resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed, where an action is actually a core service method | |||
* Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.) | |||
* Conditions - a condition that a resource or a user that is executing the action must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)) etc. (Please consider these as "pseudo" expressions, as the real expressions are written in form of a XACML policy) | |||
Revision as of 09:42, 15 October 2007
Please use this page to discuss in general on the authorization mechanisms for core services, solutions etc.
Core services[edit]
Core services authorize each method of a core service based on a role definition. A role definition can be:
- unlimited (i.e. administrator - can invoke any service method operation)
- limited (i.e. based on properties of the resource )
More details on the core service authorization concept in svn, framework_release, cpt_authorization_authentication
At present there are several pre-defined user roles for core services i.e. author, moderator, editor, etc. These roles are in general derived from some basic requirements of the solutions for PubMan and SWB.
A limited role for the core services is specified as a set of (Resource, Action, Conditions):
- Resource - a resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed, where an action is actually a core service method
- Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.)
- Conditions - a condition that a resource or a user that is executing the action must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)) etc. (Please consider these as "pseudo" expressions, as the real expressions are written in form of a XACML policy)
- How solutions authorize?
- What solutions authorize?