Rights and Roles Workshop 2017-11
The workshop will be held in from 27.11 - 30.11.2017
- Do the current rights work correctly in TaxEditor & Vaadin?
- most important: editing of factual data with limited rights on feature (and taxon subtree)
- Rights for long running tasks like repair mechanisms, cleanups and imports (e.g. pre-check if an import is allowed at all with the given rights)
- Discuss the Create/Update/Delete issue where a user has rights to create, but not to update a record that he/she created. ==> WorkshopRightsAndRoles2017-11
- Are there better solutions? How do others solve the problem?
- Which use-cases do we have?
- Solutions in existing systems
- Are string-based rights the best data structure, or should we use a more structured class? (ticket exists) ==> no, the class CdmAuthority needs to become a cdm model class which replaces, extends GrantedAuthorityImpl, see WorkshopRightsAndRoles2017-11#Combing-GrantedAuthorities, TODO do we need to have relations between cdm entities and Rights?
- Rights&Roles editor ===> draft for a better UI in WorkshopRightsAndRoles2017-11#Combing-GrantedAuthorities, second photo
- Current state
- Is the original "View" concept maybe a better solution? This concept adds each CdmBase to a number of roles, so the rights are defined as data relationships between the role and the actual data. ==> TODO
- This may make reading rights easier to implement
- Critical: each insert (and maybe even update or delete) needs to update the rights relationships.
- Reading rights ===> WorkshopRightsAndRoles2017-11#Strategy-3-Unpublished-Entities-general-READ-rights
- How to implement in editors (sometimes read rights are required to get to a certain place where you have write rights, e.g. for editing factual data you need read rights for the taxon/specimen, and for standard use you even need read rights for the whole classification as the access is often via the taxon navigator).
- Do we need a technical label for terms ==> TODO
- Do we need concatenated rights like "Subtree A and Feature A + tree B and Feature B, but not Tree A and Feature B" ===> WorkshopRightsAndRoles2017-11#Combing-GrantedAuthorities
- Discuss: which tags to use in Redmine for rights&roles issues (see comment)
- all open tickets with security tag
Project specific requirements:
- World Flora Online
- Deleting names that have a WFO ID is only possible for the "Super-Admin", or only after a very strong warning.
- Red List 2020
- Editing of distributions that belong to a certain area
- Editing of a working set
- For a given working set edit the character matrix (content), this may include the possibility to add specimen / taxa. It also includes rights on all characters (=features) defined in the working set
- management roles per taxonomic group (#4159)
- Entering facts for one feature
Results of the workshop in WorkshopRightsAndRoles2017-11
#4 Updated by Andreas Müller over 1 year ago
- Description updated (diff)
Yes, currently all of this is subsumed under the tag "security". Actually a more specific tag would be better. Perhaps we should really separate here:
- permission (i.e. everything concerning rights, roles and authorization)
- security (this would then stand for everything concerning security-relevant topics that do not belong to the other two terms)
#19 Updated by Andreas Kohlbecker 9 months ago
- Status changed from New to In Progress
- Assignee changed from Andreas Kohlbecker to Andreas Müller
It is linked from WorkshopRightsAndRoles2017-11, therefore I think we could close it without losing anything, BUT there are some TODOs in the topics list which need to be discussed in the next workshop.
So the question is: Keep this ticket open or create a new one covering the TODOs only?