-
Notifications
You must be signed in to change notification settings - Fork 0
Permissions
There are three mechanisms that control the access to entities and actions that a user can perform.
- The property
Entity.visibility - The collection
entity-permission - The collection
user-permission(likely to be renamedaction-permission)
This property is used to identify whether an Entity is Public or Private. While it is debatable whether this information should be part of the Entity object, it enable to quickly identify whether an Entity can be shown to a user before even making queries to the collection entity-permission.
The property Entity.visibility is used only for the HTTP verb GET that is used to list entities or show a specific entity.
This collection keeps the records of the access type that a User has for a given Entity. There are currently three types of access defined: Read, Write, and Admin. The couple (User, Entity) is unique in this collection, which means that the user has either Read or Write or Admin access for a given entity. Therefore,
- a user with
Readaccess can see the entity - a user with
Writeaccess can see and write to the entity - a user with
Adminaccess can see, write and admin the entity
This collection enables to allow a user to perform specific actions that may otherwise be reserve to a portal admin. Example of action permission values are createTool, disableUser, etc. The implementation of this mechanism is currently on stand-by as it is not a project requirement.
The permission strategy in place to access different types of Entities depends on the types of entities.
Here only the information about the targeted entity is used to determine whether the user can read, write, or admin it.
Entity types: Project
The user can see the entity if its visibility is set to Public. If the value is set to Private, the collection entity-permission is used to determine if the user has at least the permission Read. The user must have the permission Write or Admin to respectively write and write/admin the entity.
Entities such as Resources and Insights are associated to a Project. By default, Resources and Insights inherit the permission from the Project they are associated to. Therefore, the standard permission verification described above is not performed on the entity targeted, but instead on the associated Project object.
A similar approach is implemented for Threads that are assigned to an Entity (Project, Tool, Resource, etc.).
Enhancement: In a future release of the portal, user would be able to create Local permissions for Resources and Insights, for example. This way it will be possible to publicly release a Report (a type of Insight) without making the entire project public.
Data Catalogs and Tool are Entities that are currently considered as publicly accessible. Only a portal admin can write/admin these entities.
Enhancement: In a future release of the portal, users should be able to create their own Tool, for example, and share them with other users.