Ticket #1065 (new enhancement) — at Initial Version
[super] Change Authorization System
Reported by: | johnlawrenceaspden | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | ckan-v1.6 |
Component: | ckan | Keywords: | |
Cc: | dread | Repository: | ckan |
Theme: | none |
Description
- Change name of AuthzGroup? to UserGroup? to reflect what it is for
- Get rid of Roles, and replace them with direct assignment of actions, even though there are many actions, and extensions can add arbitrary ones.
- Debatable whether we should cut the number of actions to correspond to the three roles defined by the base system.
- Change UserGroups? so that they can have a hierarchical structure,
More info on Hierarchy change
e.g. UserGroup? NHS contains the User nhsysadmin, as well as the UserGroups? SURREY and BERKS, which themselves contain users.
One user in SURREY is Simon the Sysadmin, who has permissions on the whole system. His permissions should not leak out to other users or groups, and user permissions generally should not.
Each Group has permissions over various objects.
A user has permissions in his own right, and also has the permissions of his own group, and of all the groups contained in his group, and so on recursively.
Algorithm:
possible(user, action, package):
if user has permission for action on package
or any of have that permission
or any of his groups group-children (but not user-children), and so on recursively have the permission.