Changes between Initial Version and Version 1 of AuthModule/TechDesign


Ignore:
Timestamp:
2011-01-31T15:19:14+01:00 (14 years ago)
Author:
jvelde
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • AuthModule/TechDesign

    v1 v1  
     1= Auth Module design docs =
     2
     3== User interface mock-up ===
     4
     5''Table: !ObservedValue''
     6
     7|| || read || write || execute || ownership ||
     8|| User1 || x || x || x || x ||
     9|| User2 || x || || x || -(?) ||
     10|| Group1 || || x || || -(?) ||
     11|| Group2 || x || x || x || -(?) ||
     12|| ... || || || || ||
     13|| Admin || x || x || x || - ||
     14
     15== Low-level specifications for the Authorization module ==
     16Goal: to have a first version of the Authorization module that fulfills at least the 'must' requirements.
     17
     18=== Static permissions: entity and field level ===
     19
     20The expected user interface is a switch board were the admin can tick which entities, fields or screens the user has permissions on.
     21For example:
     22{{{
     23Role: lab worker
     24
     25Permission:
     26Entity             Read     Write   Execute  Ownership
     27Investigation      [x]      [ ]     [ ]      [ ]
     28Sample             [x]      [x]     [ ]      [x]
     29etc
     30}}}
     31
     32Proposed solution:
     33 * Users will be stored in the !MolgenisUser table. Furthermore, there will be one Administrator and one Public User.
     34 * Table rights: these will be managed through a new bridge table in which each row links to a !MolgenisEntity (through its name) and a !MolgenisUser. There will also be a field 'rights' that details the kind of authorization (an enum consisting of read, write, execute and owner). This way we can achieve many-to-many relationships.
     35 * Column rights: these we can achieve through an extra, optional field in the Table rights table. This field can contain a name of a field (column) in the table in question. If none is supplied, the entry is supposed to hold for all fields in the table. If one is supplied, the entry is supposed to hold only for the specified field. There can be multiple entries in the bridge table for a certain table. In that case, the more detailed entries (about columns) take precedence over the more general ones (about tables as a whole).
     36
     37Proposed solution (rewritten to see if we understand each other):
     38* !MogenisEntity and !MolgenisField and !MolgenisScreen are subclasses of !MolgenisElement. [[BR]]Thus we have an extensible way to define elements we want to set permissions on.
     39> Q: Do we really need to distinguish between !MogenisEntity and !MolgenisField and !MolgenisScreen? Why not simply add further fields to MolgenisEntity?
     40>> A: Yes, use !MogenisEntity and !MolgenisField and !MolgenisScreen because we have them anyway as part of Molgenis.
     41* !MolgenisRole can have zero or more !MolgenisPermission, with each permission being a tuple [role: xref->MolgenisRole, element:xref->MolgenisModelElement, permission: enum[read,write,execute,ownership]]. [[BR]]Thus we can assign permissions to role
     42* !MolgenisUser extends !MolgenisRole with password to enable authentication. [[BR]]Thus we can easily assign permissions to an individual.
     43* !MolgenisUser can have multiple !MolgenisRole and !MolgenisRole can have multiple !MolgenisUser. [[BR]]Thus we can easily assign a set of permissions to multiple individuals.
     44> Q: Why could !MolgenisUser's have multiple !MolgenisRole's, i.e. why is the relation between !MolgenisUser and !MolgenisGroup not enough?
     45>> A: For the beginning rename MolgenisRole to MolgenisGroup. Extend MolgenisUser from MolgenisGroup. Make mref from MolgenisUser to MolgenisGroup.
     46* there will be one Administrator and one Public User.
     47* For each individual the total set of permissions is calculated and narrower permissions overrule broader permissions (e.g. entity permission implies permissions on all fields, ownership implies read and write]
     48
     49Decisions:
     50* permission field in MolgenisPermission could be xref instead of enum. Advantage: open ended. Drawback: harder to program.
     51> R: Enum will be used, because set of permissions is static.
     52* !MolgenisElement could be made generic so you don't need subclasses. Advantage: easier to program. Drawback: loose information that we may want to use in other places.
     53> R: Not generic.
     54
     55Discussion:
     56> Q: What if I have readpermissions on 'A' and A has an xref to B. Do I than automatically get readpermission on 'B'?
     57>> A: We could make a special exception for the 'xref_label' of the entity. That should ALWAYS be readable. But without read permissions, users cannot choose other fields of 'B'.
     58>>> A: None of the fields of 'B' will be visible. If they should, permissions have to be set.
     59
     60=== Dynamic permissions: row level security or 'sharing' ===
     61
     62Expected user interface during editing:
     63{{{
     64> Sharing details [hide]
     65
     66Owner:     me
     67Can view:  Maggie (user) [-][+]
     68Can edit:  John (user) [-]
     69           My best friends (group) [-][+]
     70}}}
     71
     72Proposed solution1: big helper table
     73 * Row rights: for this we introduce another optional field in the Table rights table, namely an xref to a row in the table in question. Every row already has an (autogenerated) id field so this is easily done. With this extra field in place we can have very specific entries detailing what rights a certain user has on a combination of a column and a row in a certain table (so we can in fact have "cell rights"). The remark about precedence for the column rights also holds for this.
     74 * So we end up with one extra bridge table having entries for combinations of tables, columns, rows, users and kinds of rights. All queries should involve joins with this table to restrict the result set based on what the current user is allowed to see/edit/execute. We have to find out what this will do with the performance of our applications! Maybe it turns out that this "big table" approach is not feasible.
     75 * We will add a plug-in to the Auth module where authenticated users can request rights on tables, columns and/or rows. The requests will be sent to the owners.
     76 * We will add a plug-in to the Auth module where users can manage the rights on tables, columns and/or rows of which they are owners. Here they can see the current requests and act on them.
     77
     78Proposed solution 2: attach permissions to any 'Identifiable'
     79* There is an interface !RowLevelSecurity that contains fields [owner: xref->!MolgenisUser, shareRead: xref->!MolgenisGroup, shareWrite: xref->!MolgenisGroup]. [[BR]]Thus a user can choose to share data with the selected groups or individuals.
     80> R: We use an abstract entity Authorizable with these three xref's. If users want to use row level security on certain entities, these have to implement Authorizable.
     81* Only the owner can change shareRead and shareWrite properties.
     82* For sharing one can only choose !MolgenisRole that the owner is member of, i.e. you can only choose groups you are part of or individuals you can find (i.e. that have given you read permission on their profiles).
     83> R: We won't deal with that idea in v1.
     84
     85Discussion:
     86* We need a way to define that entities inherit permissions from its 'container'. For example: 'Investigation' could be a container and all !InvestigationElement have by default the same permissions.
     87> R: In v1 we start with this specific user story and implement a more generic way in following versions.
     88* We want to be able to locally override permissions. For example, Data is an InvestigationElement that we may want to limit edit permissions to a subgroup.
     89* This data model depends on the capability to choose what type to search (groups or users); we need to make 'xref' select boxes smarter for this!
     90
     91[[BR]]
     92[[BR]]
     93
     94----
     95
     96[[BR]]
     97[[BR]]
     98
     99== Needs of the PhenoFlow module (lifelines, bbmri, gids2.0, col7a1, xgap) ==
     100PhenoFlow is the user interface for searching, browsing and extracting phenotype data from the Pheno model. This browsing module will be central in most of our applications.
     101
     102The systems (that will be) using this module are
     103
     104 * LifeLines (datawarehouse)
     105 * BBMRI-NL (biobank catalog) and
     106 * gids (2.0).
     107 * COL7A1 Phenotype/Patient browser (here one gene == one investigation)
     108 * XGAP data browser
     109
     110Requirements:
     111
     112 * Users need to be able to login
     113 * All registered users have edit permissions to create new investigations
     114 * All existing investigations can only be listed (names) but no other values
     115 * All investigations are owned by one or more persons
     116 * If not yet owned, users can request to become manager of an investigation.
     117 * Otherwise users can request read access to the investigation
     118 * Users can create groups of themselves (except for lifelines)
     119 * Users can share an investigation and all its components to [public, groups, whitelists of users) for viewing
     120 * The sharing rules can be read or write (so that means they can transfer management of an investigation)
     121 * All InvestigationElement inherit the sharing rules set on an investigation (hence, if the investigation is public so are all its elements)
     122 * Individual investigation elements, and the dataelements that refer to them can have different permissions (lifelines)
     123
     124Issues:
     125
     126 * What about data that is not an Investigation/InvestigationElement?
     127
     128See www.myexperiment.org for some inspiration on how this 'sharing' model can work. See www.myexperiment.org for some inspiration on how this 'sharing' model can work.
     129
     130== Needs of the xQTL Workbench ==
     131Requirements:
     132
     133General:
     134
     135 * All data input/output needs to be closed / secured
     136 * Unregistered users can still view public datasets
     137
     138User:
     139
     140 * Users need to be able to register (as users)
     141 * Confirmation email to the registrar
     142 * Users need to be able to register/confirm their email
     143 * Users need to be able to login
     144 * When loged in users are able to view public datasets and their own datasets
     145
     146Admin:
     147
     148 * Administrators need to be able to: Authenticate users, Ban users, Delete unused accounts
     149 * Administrators are not able to register, view all,execute all
     150 * Users cannot be promoted to admin, admins cannot be demoted to users
     151 * Admins donnot register, but are 'hardcoded' into the application