The OpenACS 5.9.0 Permissions system allows developers and
administrators to set access control policies at the object level,
that is, any application or system object represented by a row in
the acs_objects table can be
@@ -32,7 +32,7 @@
they fit together with the permissions system.
OpenACS 5.9.0 has an abstraction called a party. Parties have a recursive
definition. We can illustrate how it works with the following
simplified data model. First, we define the parties table, where each party has an
email address and a URL for contact information.
@@ -80,13 +80,13 @@ which we build access control policies. For example in the Unix filesystem, access is controlled by granting users some combination of read, write, or execute privileges on files and directories. In -OpenACS 5.7.0, the table of privileges is organized hierarchically +OpenACS 5.9.0, the table of privileges is organized hierarchically so that developers can define privileges that aggregate some set of privileges together. For example, if we have read, write, create and delete privileges, it might be convenient to combine them into a new privilege called "admin". Then, when a user is granted "admin" privilege, she is automatically granted all the child -privileges that the privilege contains. The OpenACS 5.7.0 kernel +privileges that the privilege contains. The OpenACS 5.9.0 kernel data model defines these privileges:# begin @@ -124,7 +124,7 @@ the same time.In OpenACS 5.9.0, object context is a scoping mechanism. "Scoping" and "scope" are terms best explained by example: consider some hypothetical rows in the
address_booktable:
@@ -190,7 +190,7 @@ permissions code. OpenACS 5.9.0 defines three separate mechanisms for specifying access control in applications.
The Groups data model allows you to define hierarchical organizations of users and groups of users.
The Permissions data model allows you to define a hierarchy of