ESciDoc Authorization Authentication

From MPDLMediaWiki

Please use this page to discuss in general on the authorization mechanisms for core services, solutions etc.


Core services

Core services authorize each method call of a core service based on a role definition. A role definition can be:

  • unlimited (e.g. administrator, who can invoke any service method operation)
  • limited (i.e. restricted based on properties of the resource)

More details on the core service authorization concept are in svn: framework_release, cpt_authorization_authentication

At present there are several pre-defined user roles for core services, e.g. author, moderator, editor, etc. These roles are in general derived from basic requirements of the solutions for PubMan and SWB.

A limited role for the core services is specified as a set of (Resource, Action, Conditions) triples:

  • Resource - a resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed; an action corresponds to a core service method
  • Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.)
  • Conditions - conditions that the resource, or the user executing the action, must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)). Please consider these as "pseudo" expressions; the real expressions are written in the form of an XACML policy.
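The role model above (unlimited roles, and limited roles as (Resource, Action, Conditions) triples) as an added Python sketch; it is not part of the eSciDoc code base and does not use XACML. The role names, the attribute names (status, context, is_depositor) and the sample ids are constructed assumptions. The evaluator denies by default: a request is granted only if some role of the user is unlimited, or grants the (Resource, Action) pair with every condition satisfied.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample model of an eSciDoc-style Item and user (assumption:
# the attribute names are illustrative, not the real core service schema).
@dataclass
class Item:
    id: str
    status: str    # e.g. "pending" or "released"
    context: str   # id of the Context the Item belongs to

@dataclass
class User:
    id: str
    roles: Set[str]
    deposit_contexts: Set[str]  # contexts where the user is a depositor

    def is_depositor(self, context: str) -> bool:
        return context in self.deposit_contexts

# A condition is evaluated against the resource and the requesting user.
Condition = Callable[[Item, User], bool]

@dataclass
class Role:
    name: str
    unlimited: bool = False
    # (Resource, Action) -> conditions that must ALL hold
    grants: Dict[Tuple[str, str], List[Condition]] = field(default_factory=dict)

def authorize(user: User, roles: Dict[str, Role],
              resource: str, action: str, item: Item) -> bool:
    """Return True only if some role of the user permits the request."""
    for role_name in user.roles:
        role = roles.get(role_name)
        if role is None:
            continue                      # unknown role grants nothing
        if role.unlimited:
            return True                   # e.g. administrator
        conditions = role.grants.get((resource, action))
        if conditions is None:
            continue                      # (Resource, Action) not granted
        if all(cond(item, user) for cond in conditions):
            return True
    return False                          # deny by default

# Constructed role definitions: administrator is unlimited; author may
# update an Item only while it is pending and only in a context where
# the author is a depositor (the pseudo condition from the text).
ROLES: Dict[str, Role] = {
    "administrator": Role("administrator", unlimited=True),
    "author": Role("author", grants={
        ("Item", "update"): [
            lambda item, user: item.status == "pending",
            lambda item, user: user.is_depositor(item.context),
        ],
    }),
}
```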

  1. How do solutions authorize?
  2. What do solutions authorize?