= AuthModule 2.0 wishlist =
[[TOC()]]
Driven by WormQTL and other community projects we would like the following:

== Users, groups and roles ==

A user is a natural person that can log in to the system. He/she can have a username and password.
A group is a named role that cannot log in. Both users and other groups can be 'member' of a group, so membership can be nested (a user that is a member of group A, where A is a member of group B, also holds role B).
Both user and group are 'roles'.

Special roles:
- anonymous (user): the role of users that are not logged in
- admin (user): a user that bypasses the security system (no permission checks are applied to admin)
- all users (group): all users that are registered in this system

                  
== Record permission roles ==

A record is an instance of an entity. Record permissions define what actions a role can perform on a record.
We distinguish the following types of permissions per record; each level includes the rights of the level before it (own > edit > view):

|| action || view || edit || own ||
|| view record || X || X || X ||
|| edit record || - || X || X ||
|| give other roles view or edit permissions || - || - || X ||
|| delete record || - || - || X ||
|| transfer ownership to other user || - || - || X ||

Creating new records requires table-level write permission.
The creator automatically becomes the owner. There can be only one owner per record.
                  
                          |   | 33 |  | 
                  
== User interactions ==

By default only the owner is set and the table-level permissions are enforced (e.g. the admin may have specified that 'anonymous' can read and 'biologists' can write).

Individual users may choose to override this by giving row-level permissions. These come in the form of a 'PermissionRule' {role, permission}, for example "admin,view".
Multiple PermissionRules can be bundled into one 'PermissionSet', for example "admin,edit; anonymous,view".
These can then be link

A 'PermissionSet' is a bundle of permission rules.

In the 'list' view you can select records and then push the 'share' button to set sharing permissions. The existing row-level permissions of the selected records are overwritten, not merged: sharing a new set revokes whatever was granted to those records before, so the user must be able to see the current set before replacing it.
You can also reuse a previous 'permission set'.

|| user story || how it works ||
|| Give everybody permission to my data || Give permission to 'anonymous' ||
|| Give all registered users permission to my data || Give permission to 'all users' ||
|| Give a particular user permission to my data || Give permission to '<username>' ||
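The rules in the sections above (nested group membership, the view/edit/own ladder, table-level write for creating records, PermissionSets that overwrite on share, the admin bypass and the 'anonymous' / 'all users' roles) as one executable model. This is an added example, not AuthModule or MOLGENIS code; every class and function name here (Role, User, Group, Record, AuthModule, parse_permission_set, demo) is an assumption made for illustration. Two further assumptions are marked in the code: a row-level PermissionSet replaces the table-level defaults for that record, and a grant to 'anonymous' reaches everybody, logged in or not, as the first user story implies. The scenario in demo() is constructed sample data.

```python
"""Executable model of the AuthModule 2.0 wishlist rules (added example, not
project code; names and the two marked interpretations are assumptions)."""
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = {"view": 1, "edit": 2, "own": 3}          # own > edit > view
TABLE_TO_ROW = {"read": "view", "write": "edit"}    # table-level -> implied row-level


@dataclass(eq=False)
class Role:
    name: str
    groups: list[Group] = field(default_factory=list)   # direct memberships only

    def effective_roles(self) -> set[str]:
        """This role plus every group reachable through nested membership."""
        seen, todo = {self.name}, list(self.groups)
        while todo:
            g = todo.pop()
            if g.name not in seen:
                seen.add(g.name)
                todo.extend(g.groups)
        return seen


class User(Role):   # natural person, can log in
    pass


class Group(Role):  # named role, cannot log in
    pass


ANONYMOUS, ADMIN, ALL_USERS = User("anonymous"), User("admin"), Group("all users")


def register(name: str) -> User:
    """Every registered user is a member of the 'all users' group."""
    return User(name, [ALL_USERS])


@dataclass
class Record:
    entity: str
    owner: User                                         # exactly one owner
    rules: dict[str, str] = field(default_factory=dict)  # PermissionSet: role -> view|edit


def parse_permission_set(text: str) -> dict[str, str]:
    """'admin,edit; anonymous,view' -> {'admin': 'edit', 'anonymous': 'view'}."""
    rules: dict[str, str] = {}
    for rule in (r for r in text.split(";") if r.strip()):
        role, perm = (p.strip() for p in rule.split(","))
        if perm not in ("view", "edit"):   # 'own' is never granted by a rule: one owner only
            raise ValueError(f"a PermissionRule may only grant view or edit, got {perm!r}")
        rules[role] = perm
    return rules


class AuthModule:
    def __init__(self, table_permissions: dict[str, dict[str, str]]):
        self.table = table_permissions   # entity -> {role: 'read'|'write'}, set by admin

    def level(self, actor: User, rec: Record) -> int:
        """Highest row-level permission `actor` holds on `rec` (0 = none)."""
        if actor is ADMIN or actor is rec.owner:
            return LEVELS["own"]                      # admin bypass; the owner always owns
        roles = actor.effective_roles() | {"anonymous"}  # assumption: 'anonymous' = everybody
        if rec.rules:                                  # assumption: row-level set overrides table-level
            grants = rec.rules
        else:
            grants = {r: TABLE_TO_ROW[p] for r, p in self.table.get(rec.entity, {}).items()}
        return max((LEVELS[p] for r, p in grants.items() if r in roles), default=0)

    def can(self, actor: User, rec: Record, action: str) -> bool:
        required = {"view": "view", "edit": "edit",
                    "share": "own", "delete": "own", "transfer": "own"}[action]
        return self.level(actor, rec) >= LEVELS[required]

    def create(self, actor: User, entity: str) -> Record:
        """Creating a record needs table-level write; the creator becomes owner."""
        writers = {r for r, p in self.table.get(entity, {}).items() if p == "write"}
        if actor is not ADMIN and not (actor.effective_roles() & writers):
            raise PermissionError(f"{actor.name} lacks write on table {entity}")
        return Record(entity, actor)

    def share(self, actor: User, rec: Record, permission_set: str) -> None:
        """Apply a PermissionSet; the existing row-level rules are overwritten, not merged."""
        if not self.can(actor, rec, "share"):
            raise PermissionError("only the owner can share")
        rec.rules = parse_permission_set(permission_set)

    def transfer(self, actor: User, rec: Record, new_owner: User) -> None:
        if not self.can(actor, rec, "transfer"):
            raise PermissionError("only the owner can transfer ownership")
        rec.owner = new_owner


def demo() -> dict[str, bool]:
    """Constructed scenario: 'worm lab' is a member of 'biologists'; the admin
    gave 'anonymous' read and 'biologists' write on the Sample table."""
    biologists = Group("biologists")
    worm_lab = Group("worm lab", [biologists])
    alice, bob, carol = register("alice"), register("bob"), register("carol")
    alice.groups.append(biologists)
    bob.groups.append(worm_lab)
    auth = AuthModule({"Sample": {"anonymous": "read", "biologists": "write"}})
    rec = auth.create(alice, "Sample")                 # alice has table-level write
    checks = {
        "anonymous views via table rule": auth.can(ANONYMOUS, rec, "view"),
        "bob edits via nested group": auth.can(bob, rec, "edit"),
        "bob cannot delete": not auth.can(bob, rec, "delete"),
    }
    try:
        auth.create(carol, "Sample")                   # carol has no table-level write
        checks["carol blocked from create"] = False
    except PermissionError:
        checks["carol blocked from create"] = True
    try:
        auth.share(bob, rec, "carol,view")             # bob is not the owner
        checks["non-owner cannot share"] = False
    except PermissionError:
        checks["non-owner cannot share"] = True
    auth.share(alice, rec, "bob,edit")
    auth.share(alice, rec, "carol,view")               # second share overwrites the first
    checks["carol views after share"] = auth.can(carol, rec, "view")
    checks["bob lost edit (overwritten)"] = not auth.can(bob, rec, "edit")
    checks["admin bypasses everything"] = auth.can(ADMIN, rec, "delete")
    auth.transfer(alice, rec, carol)
    checks["carol owns after transfer"] = auth.can(carol, rec, "delete")
    checks["alice no longer owns"] = not auth.can(alice, rec, "delete")
    return checks
```

The two share() calls in demo() are the point of the caveat in the text: because a PermissionSet replaces rather than merges, the second share drops bob's edit grant without any warning, which is why the user interface needs to show the current set before it is replaced.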
                  
                          |   | 55 |  | 
                  
                          |   | 56 |  | 
                  
* In the user interface it should be very clear what is shared, and with whom, so I can change that easily.
* Give view/edit permissions to everybody -> give view/edit to 'anonymous'; to all registered users only -> give it to 'all users'.
* I can specify, for each group that I am a member of, how I want to share.