ESciDoc Access Rights

Work in progress

Related discussion[edit]

Rule of thumb: a component cannot be retrieved only if the user has no privilege to view it's enclosing item

Item status FROM	Item version status FROM	Method	Item status TO	Version status TO
pending	pending	submit	submitted	submitted
submitted	submitted	revise	in-revision	in-revision
submitted	submitted	release	released	released
in-revision	in-revision	submit	submitted	submitted
released	released	update(new version created)	released	pending
released	pending	submit	released	submitted
released	submitted	release	released	released
released	any	withdraw	withdrawn	any

Item status FROM	Item version status FROM	Method	Item status TO	Version status TO
pending	pending	submit	submitted	submitted
submitted	submitted	revise	submitted	in-revision
submitted	submitted	release	released	released
submitted	in-revision	submit	submitted	submitted
submitted	in-revision	release	released	released
released	released	revise	released	in-revision
released	in-revision	release	released	released
released	any	release	withdrawn	any(as before)

Item status - the public-status of the item. Item may have different public status then the status of the last version of the item.
Version status - the status of the last version of the item
Who may access - Name of the role or group that can access the content associated with the component of the item.
Where is role defined - The eSciDoc resource type for which the role or group has been associated when granting privilege for access
Which access level - The access level that the component should have specified in order to be retrievable by the role or group specified in "Who may access" column. (Any is used in case when the access level is not limitation if user is granted with appropriate role)

Depositor - user who can create items in the repository and manage items (including components and their content) she created in accordance with the overall workflow rules.
DataAdmin - user who has the possibility to create items and manage items (including components and their content) independently from their ownership and in accordance with the overall workflow rules.
QARole - placeholder for roles in the system that are responsible for the quality assurance of the data e.g. Metadata editor, Moderator, Authority, Rights checking.
Collaborator - placeholder for user-groups in the system that can access the content under specified conditions of item and version statuses.

Audience - general placeholder for roles / groups in the system
- Internal - access level is allowed for above mentioned roles of Depositor, DataAdmin, QARole
- Public - no access level restriction
- Group - Groups of users (account users, unregistered users) that can be authorized via single criteria or combination of:
  - List of organizational units (or IP address of the OU)
  - List of account users
  - Key/Certificate based (unregistered user)

Audience and Collaborator groups differ by their access rights during the Item workflow.

Item status	Who may access	Where is access level defined	Check for access level
pending	Depositor (only if owner) DataAdmin	Context	No
pending	Colaborator	Component (thus Item implicitly)	No
submitted, in-revision	Depositor (if owner) DataAdmin QARole	Context	No
submitted	Colaborator	Component (thus item implicitly)	No
released	Depositor (if owner) DataAdmin QARole	Context	No
released	Colaborator	Component (thus item implicitly)	No
released	Audience	Component (thus item implicitly)	Yes => Access level can be Public XOR Internal* XOR Group*
withdrawn	Depositor (if owner) DataAdmin QARole	Context	Any

Item A is created by Depositor D in context C and consist of:
- Component C1
- Component C2

Depositor D gives access to Colaborator User U and to Colaborator Person P and to Colaborator Department DEP