Rights Management

From MapbenderWiki


Entities

  • User
  • Group
  • Application
  • WMS
  • WFS

The 'access' Relationship

  • [GROUP] 'has access to' [APPLICATION]
  • [USER] 'has access to' [APPLICATION]

implementation

The table 'gui_mb_user' defines this relationship between a user and an application if the 'type' column is set to anything other than 'owner'. The same is true for groups and gui_mb_group.

implications

This means that if a User, or a Group the User is a Member of, has this relationship with an application, the User may view the application.

public access

PROBABLY NOT TRUE (in the code):


Additionally, if an application is marked as public (by having the 'public' column set to true), all users have an 'access' relationship with the application.


The 'owns' Relationship

  • [USER] 'owns' [USER]
  • [USER] 'owns' [APPLICATION]
  • [USER] 'owns' [GROUP]
  • [GROUP] 'owns' [APPLICATION]
  • [USER] 'owns' [WMS]
  • [USER] 'owns' [WFS]
  • [USER] 'owns' [CAT]

implementation

The 'owner' column in the tables user, group, wms, wfs and cat contains the userId of the User that has an 'owner'-relationship with the entity in question.

The table 'gui_mb_user' defines this relationship between a user and an application if the 'type' column is set to the string 'owner'. The same is true for groups and gui_mb_group.


implications

This means that if a User, or a Group the User is a Member of, has this relationship with an application, the User may view, update and delete the application.


The 'member of' Relationship

implementation

The table 'mb_user_mb_group' associates UserIds with GroupIds.

implications

This means that a User is a Member of a Group.


The 'contains' Relationship

implementation

gui_element has a fkey_gui_id pointing to its containing application.

gui_wms has a fkey_wms_id pointing to the WMS that should be 'contained' in the application that fkey_gui_id points to.

...


implications

The starting point for a 'contains'-relationship is the application.

If the User has an 'owner'-relationship with an application, the user may create and delete 'contains'-relationships. For example, creating and deleting an Element, or adding/removing a WMS to/from an application.


A User automatically has an 'access'-relationship with a 'contained' entity if she has 'access' to the 'containing' application.


Capabilities

Basically, certain actions are allowed if a user has access to an application that contains an element that executes the action.

If a User has 'access' to an Element she may execute it. The server side of the Element must check that:

- The User actually has 'access' to an Element (how?)
- The User has the proper rights, derived from the relationships described above, especially the 'owns' relationship


[USER] 'may execute' [ELEMENT]
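One way to answer the "how?" above, as an added example that is not Mapbender's own code: a server-side check that derives 'may execute' from the 'access', 'owns', 'member of' and 'contains' relationships and denies by default. It uses SQLite for portability; the table names are the page's, while the column names other than 'type' and fkey_gui_id, the function names and the sample rows are assumptions. The public flag is left out because the page marks it as probably not true.

```python
import sqlite3

# Table names are the page's; column names other than 'type' and fkey_gui_id
# are assumptions for this example.
SCHEMA = """
CREATE TABLE gui_mb_user (fkey_gui_id TEXT, fkey_mb_user_id INTEGER, type TEXT);
CREATE TABLE gui_mb_group (fkey_gui_id TEXT, fkey_mb_group_id INTEGER, type TEXT);
CREATE TABLE mb_user_mb_group (fkey_mb_user_id INTEGER, fkey_mb_group_id INTEGER);
CREATE TABLE gui_element (fkey_gui_id TEXT, e_id TEXT);
"""

# Relationship types the user holds, directly or through a group, on the
# application that 'contains' the element. Values are bound, not concatenated.
RELATIONS_SQL = """
SELECT r.type FROM gui_element e JOIN (
    SELECT fkey_gui_id, type FROM gui_mb_user WHERE fkey_mb_user_id = :uid
    UNION ALL
    SELECT g.fkey_gui_id, g.type FROM gui_mb_group g
      JOIN mb_user_mb_group m ON m.fkey_mb_group_id = g.fkey_mb_group_id
     WHERE m.fkey_mb_user_id = :uid
) r ON r.fkey_gui_id = e.fkey_gui_id
WHERE e.fkey_gui_id = :gui AND e.e_id = :elem
"""

def relations(db, uid, gui, elem):
    rows = db.execute(RELATIONS_SQL, {"uid": uid, "gui": gui, "elem": elem})
    return {row[0] for row in rows}

def may_execute(db, uid, gui, elem):
    # Any relationship row grants execution: 'owner' includes viewing, and
    # every other type is 'access'. No row means deny.
    return bool(relations(db, uid, gui, elem))

def may_modify(db, uid, gui, elem):
    # Actions that change the application need the 'owns' relationship.
    return "owner" in relations(db, uid, gui, elem)

def demo_db():
    # Constructed sample data: user 1 owns gui_a, user 2 reaches gui_a through
    # group 10 and has direct access to gui_b, user 3 has no relationship.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO gui_mb_user VALUES (?,?,?)",
                   [("gui_a", 1, "owner"), ("gui_b", 2, "")])
    db.execute("INSERT INTO gui_mb_group VALUES ('gui_a', 10, '')")
    db.execute("INSERT INTO mb_user_mb_group VALUES (2, 10)")
    db.execute("INSERT INTO gui_element VALUES ('gui_a', 'editor')")
    return db
```

In the sample data, user 2 may execute 'editor' through gui_a but not through gui_b, because gui_b does not contain that element even though the user has access to gui_b.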
