ESciDoc User Group Handler
General Concept
We need to enable the grouping of users. These groups are held in the system. It is possible to grant one or more roles to a group. Groups can consist of:
- All users belonging to one or more organizational units and their child organizational units.
- A list of users defined by their userId.
- A list of groups defined by their groupId.
- A list of attributes that arrive as user credentials from Shibboleth.
- Mixed lists of orgUnitIds, userIds, groupIds and Shibboleth attributes.
The core system needs a GroupHandler that supports creating, updating, deleting and retrieving groups. It must be possible to grant roles to groups, and to restrict a granted role to a scope (e.g. a particular item). When a user calls a method in the framework, not only the policies of the roles granted directly to the user are evaluated, but also the policies of all roles granted to all groups the user belongs to.
- all distinct policies (the same policy can sometimes be granted both via a group and directly to the user)
- when evaluating, which policies take priority: the direct user policies first and then the group policies?
Requirements for the Group Handler
- define a new group by providing lists of IDs (userIds and/or groupIds and/or organizational unit IDs) and/or Shibboleth attributes.
- update a group by changing the IDs (organizational unit, user or group)
- activate/deactivate a group
- delete a group
- retrieve a group
- retrieve a filtered list of groups. Filter criteria:
  - userId: returns all groups the user with the given userId belongs to.
  - attributeId (organizationalUnitId, userId, groupId): returns all groups that include the given attributeId.
- grant roles to a group.
- revoke role grants for a group.
Requirements for the Authorization
- When requesting a method in the framework, also evaluate the policies of the groups the user belongs to.
User Group Handler interface
XML
<group id="escidoc:345" last-modification-date="2008-09-30">
  <properties>
    <creation-date>2008-05-23</creation-date>
    <created-by>escidoc:2121</created-by>
    <modified-by>escidoc:2121</modified-by>
    <name>my first group</name>
    <description>my first group</description>
    <active>true</active>
  </properties>
  <members>
    <member type="organizational-unit">escidoc:123</member>
    <member name="user-account" type="internal">escidoc:456</member>
    <member name="group" type="internal">escidoc:99</member>
    <member name="department" type="shibboleth-attribute">smth from shibboleth</member>
  </members>
  <resources>
    <current-grants>
      …
    </current-grants>
  </resources>
</group>
- Question on the member element: is it the member type, or is it the member name attribute? I assume it is a typo and everywhere should be member-type? --Natasa 10:04, 2 October 2008 (UTC)
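As an added illustration, not part of the eSciDoc page or code base, the following Python resolves which groups a user belongs to from group documents in the XML layout above, applying the membership rules from General Concept: organizational units including their child units, userIds, nested groupIds and Shibboleth attributes, with deactivated groups contributing nothing. The sample groups, the org-unit tree and the shape of the user dictionary are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed group documents in the XML layout shown above (straight quotes).
GROUPS_XML = {
    "escidoc:345": """<group id="escidoc:345"><properties><active>true</active></properties>
      <members><member type="organizational-unit">escidoc:123</member>
      <member name="user-account" type="internal">escidoc:456</member>
      <member name="group" type="internal">escidoc:99</member>
      <member name="department" type="shibboleth-attribute">physics</member>
      </members></group>""",
    "escidoc:99": """<group id="escidoc:99"><properties><active>true</active></properties>
      <members><member name="user-account" type="internal">escidoc:789</member></members></group>""",
    "escidoc:77": """<group id="escidoc:77"><properties><active>false</active></properties>
      <members><member name="user-account" type="internal">escidoc:456</member></members></group>""",
}
# Constructed org-unit tree, child -> parent: escidoc:124 is a child unit of escidoc:123.
OU_PARENT = {"escidoc:124": "escidoc:123"}

def ou_ancestors(ou):
    """The user's org unit and every unit above it (membership includes child units)."""
    chain = []
    while ou:
        chain.append(ou)
        ou = OU_PARENT.get(ou)
    return chain

def is_member(group_id, user, groups, seen=None):
    """user = {"id": ..., "ou": ..., "attrs": {shibboleth attribute name: value}}; `seen` stops cycles."""
    seen = set() if seen is None else seen
    if group_id in seen or group_id not in groups:
        return False
    seen.add(group_id)
    root = ET.fromstring(groups[group_id])
    if root.findtext("properties/active") != "true":
        return False  # a deactivated group contributes no membership (and so no grants)
    for m in root.iter("member"):
        kind, name, value = m.get("type"), m.get("name"), (m.text or "").strip()
        if kind == "organizational-unit" and value in ou_ancestors(user["ou"]):
            return True
        if kind == "internal" and name == "user-account" and value == user["id"]:
            return True
        if kind == "internal" and name == "group" and is_member(value, user, groups, seen):
            return True
        if kind == "shibboleth-attribute" and user["attrs"].get(name) == value:
            return True
    return False

def groups_of(user, groups=GROUPS_XML):
    """All active groups the user belongs to; their role grants are evaluated alongside the user's own."""
    return sorted(g for g in groups if is_member(g, user, groups))
```

The authorization step described above would then collect the current-grants of every group returned by groups_of in addition to the user's direct grants before evaluating policies.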