ESciDoc Authorization Authentication
Please use this page for a general discussion of the authorization mechanisms for core services, solutions, etc.
Core services
Core services authorize each method invocation on a core service against a role definition. A role definition can be:
- unlimited (e.g. administrator: may invoke any service method on any resource)
- limited (i.e. permitted only when properties of the resource and/or of the invoking user satisfy the role's conditions)
More details on the core service authorization concept are in svn under framework_release, cpt_authorization_authentication.
At present there are several pre-defined user roles for core services, e.g. author, moderator, editor, etc. These roles are in general derived from the basic requirements of the PubMan and SWB solutions.
A limited role for the core services is specified as a set of (Resource, Action, Conditions) triples:
- Resource - the resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed
- Action - the action executed on the resource (e.g. create <resource>, update <resource>, create <subresource>, etc.); an action corresponds to a core service method
- Conditions - predicates that the resource and/or the user executing the action must fulfill (e.g. Item.status = pending and user.isDepositor(Item.context)). Consider these "pseudo" expressions: the real conditions are written as XACML policies, and a method call is permitted only if a policy of one of the caller's roles matches; otherwise it is denied.
- How do solutions authorize?
- What do solutions authorize?
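As an added illustration (not the framework's own code and not a XACML policy), the following Python models the (Resource, Action, Conditions) role model described above: an unlimited role permits everything, a limited role is a set of rules, each rule may carry a condition on the resource and on the calling user, and evaluation is deny-by-default. The role names, the status value "pending", and the "depositor of context" user attribute are assumptions for the example, not definitions from this page.

```python
"""Toy evaluator for limited and unlimited role definitions.

Added example, not eSciDoc framework code. The framework expresses these
rules as XACML policies; this models only the decision logic so the effect
of Resource/Action/Conditions triples can be seen on concrete inputs.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # role names granted to the user
    depositor_of: frozenset   # contexts in which the user is a depositor (assumed attribute)


@dataclass(frozen=True)
class Resource:
    kind: str                 # e.g. "Item", "Item.Component", "Context"
    status: str = ""          # e.g. "pending", "released" (assumed values)
    context: str = ""         # id of the context the resource belongs to


Condition = Callable[[Resource, User], bool]


@dataclass(frozen=True)
class Rule:
    """One (Resource, Action, Conditions) triple; condition None means unconditional."""
    resource: str
    action: str
    condition: Optional[Condition] = None


# Pseudo-expressions from the text, spelled out as predicates.
def is_depositor(res: Resource, user: User) -> bool:
    return res.context in user.depositor_of


def status_pending(res: Resource, user: User) -> bool:
    return res.status == "pending"


def both(*preds: Condition) -> Condition:
    return lambda r, u: all(p(r, u) for p in preds)


UNLIMITED = "*"   # marker for roles that may invoke any method on any resource

# Assumed role definitions for the example only.
ROLES = {
    "administrator": UNLIMITED,
    "author": frozenset({
        Rule("Item", "create", is_depositor),
        Rule("Item", "retrieve", is_depositor),
        Rule("Item", "update", both(status_pending, is_depositor)),
        Rule("Item.Component", "create", both(status_pending, is_depositor)),
    }),
}


def rule_matches(rule: Rule, res: Resource, action: str, user: User) -> bool:
    if rule.action != action or rule.resource != res.kind:
        return False
    return rule.condition is None or rule.condition(res, user)


def authorize(user: User, res: Resource, action: str) -> bool:
    """Deny by default; permit only if one of the user's roles has a matching rule."""
    for role in user.roles:
        definition = ROLES.get(role)
        if definition is None:           # unknown role grants nothing
            continue
        if definition is UNLIMITED:
            return True
        if any(rule_matches(r, res, action, user) for r in definition):
            return True
    return False


# Constructed sample principals and resources.
ALICE = User("alice", frozenset({"author"}), frozenset({"ctx-1"}))
ADMIN = User("root", frozenset({"administrator"}), frozenset())
NOBODY = User("guest", frozenset(), frozenset())
PENDING_ITEM = Resource("Item", "pending", "ctx-1")
RELEASED_ITEM = Resource("Item", "released", "ctx-1")
FOREIGN_ITEM = Resource("Item", "pending", "ctx-2")
PENDING_COMPONENT = Resource("Item.Component", "pending", "ctx-1")


def demo() -> dict:
    """Decisions for the sample inputs, keyed by a short label."""
    return {
        "author updates own pending item": authorize(ALICE, PENDING_ITEM, "update"),
        "author updates own released item": authorize(ALICE, RELEASED_ITEM, "update"),
        "author updates foreign pending item": authorize(ALICE, FOREIGN_ITEM, "update"),
        "author adds component to own pending item": authorize(ALICE, PENDING_COMPONENT, "create"),
        "author deletes own pending item": authorize(ALICE, PENDING_ITEM, "delete"),
        "admin updates released item": authorize(ADMIN, RELEASED_ITEM, "update"),
        "guest retrieves pending item": authorize(NOBODY, PENDING_ITEM, "retrieve"),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {'PERMIT' if decision else 'DENY'}")
```

Note that the subresource Item.Component is matched by its own name, so a rule on Item does not automatically cover its subresources; a role that should manage components needs an explicit rule for them, as in the author definition above.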