Difference between revisions of "ESciDoc User Group Handler"

From MPDLMediaWiki
Jump to navigation Jump to search
 
Line 83: Line 83:
<selector name=”user-account” type=”internal”>escidoc:456</selector><br>
<selector name=”user-account” type=”internal”>escidoc:456</selector><br>
<selector name=”user-group” type=”internal”>escidoc:99</selector><br>
<selector name=”user-group” type=”internal”>escidoc:99</selector><br>
<selector name=”department” type=”user-attribute”>smth from shibboleth</selector></BLOCKQUOTE>
<selector name=”department” type=”user-attribute”>smth from shibboleth, LDAP or an internal user attribute</selector></BLOCKQUOTE>
</selectors><br>
</selectors><br>
<resources>
<resources>

Latest revision as of 12:31, 11 September 2009

General Concept[edit]

We need to enable the grouping of users. These groups are held in the System. It is possible to grant one or more roles to a group. Groups can consist of:

  • All users belonging to one or more organizational units and their child organizational units.
  • A list of users defined by their userId.
  • A list of groups defined by their groupId.
  • A list of Attributes that come as User-Credentials from Shibboleth
  • mixed lists of orgUnitIds, userIds, groupIds and Shibboleth-Attributes.

Core System needs a GroupHandler that enables creating, updating, deletion and retrieval of groups. It must be possible to grant roles to groups. It also must be possible to restrict a granted role to a scope (eg a particular item). When a user calls a method in the framework, not only the policies of the granted roles of the user are evaluated but also the policies of all granted roles of all groups the user belongs to.

all distinct policies (sometimes a same policy can be granted also via group and directly--Natasa 21:29, 3 October 2008 (UTC)
when evaluating, which policies will have a priority - direct user and then group policies?--Natasa 21:29, 3 October 2008 (UTC)

Requirements for the Group handler[edit]

  • define a new group by providing lists of IDs (userIds a/o groupIds a/o organizational unit ids ) a/o shibboleth-attributes.
  • update a group by changing the ids (org-unit, user or group)
  • activate/deactivate a group
  • delete a group
  • retrieve a group
  • retrieve filtered list of groups. Filter-criteria:
    • userId
      • returns all groups the user with given userId belongs to.
    • attributeId (organizationalUnitId, userId, groupId)
      • returns all groups that include given attributeId
  • grant roles for a group.
  • revoke role-grants for a group.

Requirements for the Authorization[edit]

  • When requesting a method in the framework, also evaluate relevant policies of the groups the user belongs to.

User group Handler interface[edit]

Handler methods[edit]

  • create
    • to create the group and define group label and the group description (group labels unique)
    • creates the group with the properties and the selectors but not the grants
    • maybe it would be also nice to provide smth like type of the group (OU, USER, SHIB, MIXED) - not certain
  • retrieve
    • to retrieve the group by id or label. returned xml contains properties, selectors and grants.
  • update
    • to update the group
    • only properties are updateable via this method, not the selectors or the grants
  • delete
    • to delete the group (only if inactive)
  • addSelectors
    • to add group selectors (list of object Ids a/o Shibboleth attributes)
  • removeSelectors
    • to remove group selectors (list of object Ids a/o Shibboleth attributes)
  • retrieveSelectors (not in first release)
    • to retrieve group selectors and give information on status for object ids (selectors filtered for a specific criteria)
      • filter criteria (multiple to be allowed): list of object ids a/o Shibboleth attributes (do you have a requirement for that?)
yes, :) --Natasa 14:36, 26 February 2009 (UTC)
  • activate
  • deactivate
  • createGrant
    • to grant a group with a role for a scope
  • revokeGrant
    • to revoke a given grant from the group
  • revokeGrants
    • to revoke a list or all grants from the group
  • retrieveGrants with filterXml
    • to retrieve the active (default)/non active Grants of the group
  • retrieveUserGroups
    • to retrieve a list of groups, their description, status and members (groups filtered for a specific criteria)
      • filter criteria (multiple to be allowed): list of object ids a/o Shibboleth attributes

XML[edit]

<user-group id=”escidoc:345” last-modification-date=”2008-09-30”>

<properties>

<creation-date>2008-05-23</creation-date>

<created-by>escidoc:2121</created-by>
<modified-by>escidoc:2121</modified-by>
<name>my first group</name>
<description>my first group</description>
<label>unique label</label>
<type>OU, USER, SHIB, MIXED</type>

<active>true</active>

</properties>
<selectors>

<selector name=”organizational-unit” type=”internal”>escidoc:123</selector>

<selector name=”user-account” type=”internal”>escidoc:456</selector>
<selector name=”user-group” type=”internal”>escidoc:99</selector>

<selector name=”department” type=”user-attribute”>smth from shibboleth, LDAP or an internal user attribute</selector>

</selectors>
<resources>

<current-grants>

…….

</current-grants>

</resources>

</user-group>


  • question on member element => is it member type of is member name attribute? I assume is typo-error and everywhere is member-type? --Natasa 10:04, 2 October 2008 (UTC)