Version 2 (modified by 13 years ago) (diff) | ,
---|
AuthModule 2.0 wishlist
Table of Contents
Driven by WormQTL and other community project we would like the following:
Users, groups and roles
A user is an natural person that can log in to the system. He/she can have a username and password. A group is a named role that cannot log in. Both users and other groups can be 'member' of a group. Both user and group are 'role'.
Special roles:
- anonymous (user): users that are not logged in
- admin (user): users that bypass the security system
- all users (group): all users except anonymous and admin
Record permission roles
A record is an instance of an entity. Record permissions define what actions a role can perform on a record. We distinguish the following types of permissions per record:
action | view | edit | own |
view record | X | X | X |
edit record | - | X | X |
give other roles view or edit permissions | - | - | X |
delete record | - | - | X |
transfer ownership to other user | - | - | X |
Only when having table level write permission you can create new records. The creator is automatically the owner. There can be only one owner per record.
User interactions
Default only the owner is set and the table level permissions are enforced (e.g. the admin may have specified that 'anonymous' can read and 'biologists' can edit').
Individual users may choose to override this by giving row level permissions. These come in the form 'PermissionRule?' {role,permission}, for example "admin,read". Multiple PermissionRule? can be bundled into on PermissionSet?, for example "admin,write; anonymous, view". These can then be link
A 'PermissionSet?' is a bundle of permission rules.
In the 'list' view you can select record and then push the 'share' button to set sharing permissions (existing permissions are overwritten). You can also reuse a previous 'permission set'.
user story | how it works |
Give everybody permission to my data | Give permission to 'anonymous' |
Give all registered users permission to my data | Give permission to 'all users' |
Give a particular user permission to my data | Give permission to '<username>' |
- In user interface it should be very clear what is share so I can change that easily
*
- Give view/edit permissions to all users -> give view to 'anonymous'.
- I can specify for each group that I am member of how I want to share