wiki:AuthModule/Requirements

Version 1 (modified by jvelde, 14 years ago) (diff)

--

AuthModule Requirements list

Authentication

  • Forms of Authentication:
    • Database (user-pass) (must)
    • OpenID (could)
    • IP-based (could)
    • LDAP-based + specific flavors like RUG and UMCG login (should)
  • Registration of users includes email verification (must)
  • Users should be able to login and logout (must)
  • Users should be able to change their passwords (must)
  • Make implementations of Login singletons so that they can be accessed everywhere (must)

Authorization

  • Resources are tables, rows, columns, query-sets (e.g. only the Lengths in rows where Length > 1.80m), files (for pipelines)
  • Subjects are users, groups, public users (unauthenticated) and exactly one administrator
  • Permissions include read, write (also implies delete), execute (for pipelines) and ownership
  • Modifying (insert, delete, alter) a column is not supported.
  • Modifying a row needs write rights on the row.
  • Resources must have exactly one owner; this can either be a user (must) or a group (should). The latter option is not preferable for us and needs to be set explicitly by the administrator.
  • Permissions are provided for resources x subjects. (must)
  • The administrator has all permissions excluding ownership on all resources. (must)
  • Authenticated users can request permissions for resources. Requests are sent to the user or group with ownership rights of the resource. (must)
  • Groups can be created by users who have write rights on the MolgenisGroup? table. The administrator is the owner of the MolgenisGroup? table and can delegate rights to other users. (must)
  • In case of an UpdateDatabase? all permissions are reset (except for administrator).
  • The public user has by default no reading permissions on any resource, unless explicitly set by the administrator. (should)
  • Administrator can pass on permissions from parent tables to child tables and between xref-linked tables with a toggle button. (should)