Skip to main content

Role Based Access Model

Principles

Resource (Resource):

  • an abstract entity

Permission (Recht):

  • a name for a resource to call an action on (get/list/create/update/delete/...)
  • also for a resource property to get/create/update
  • can be managed by the customer
  • in principle the customer has all permissions to all resources but must manage them
  • application internal permissions are not affected (eg. orga must match the session orga)

Role (Rolle):

  • has a list of Permissions (Role-Resource-Assignment)
  • can inherit from another Role
  • can define conditions to be matched
  • is a resource
  • when Orga is created populate Orga Roles from pre-defined Roles

Principal Group (Berechtigungsgruppe):

  • has a list of Accounts
  • has a list of Roles (Principal-Role-Assignment)
  • is a resource
  • when Orga is created populate Principal Groups from pre-defined Principal Groups (empty account list)
  • the following Principal Groups are pre-defined:
    • users: access organization and accounts, manage their own account
    • operators: create jobs, manage their own jobs, view tasks
    • implementors: create tasks, manager their own tasks, view workers
    • automators: create worker, tasks and jobs, manage their own only
    • administrators: manage orga, jobs, tasks, worker, view roles and principal groups
    • licensee: view usage
    • authorizers: manager roles and principal groups

New Entity Models / Resources

Role

  • id/ident/descr
  • list of permissions
  • parent Role

Principal Group

  • id/ident/descr
  • list of Accounts
  • (list of service accounts)
  • list of Roles

Conditions

  • depend on the context (eg. the session or the current resource)
  • are mapped to perl expressions

Permission Resolution Algorithm

Resolve if resource.method() is allowed (resource = entity_name)

  1. get all roles for the principal, follow inheritance
  2. get all rules for these roles
  3. match if entity_name.method() exists
  4. match if all conditions for resource match
  5. match if all conditions w/o resource match

$resource is resolved to the entity object

$session is resolved to the current session object