Index: openacs-4/packages/acs-core-docs/www/permissions.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/permissions.html,v diff -u -r1.7 -r1.7.2.1 --- openacs-4/packages/acs-core-docs/www/permissions.html 7 Mar 2002 06:55:36 -0000 1.7 +++ openacs-4/packages/acs-core-docs/www/permissions.html 15 May 2002 23:26:18 -0000 1.7.2.1 @@ -1,68 +1,34 @@ - - - -Groups, Context, Permissions - - - - - - - - - -
-

-Groups, Context, Permissions

-

By Pete Su -

-
-

-Overview

-

+Groups, Context, Permissions

Groups, Context, Permissions

By Pete Su


+ OpenACS docs are written by the named authors, but may be edited + by OpenACS documentation staff. +

Overview

The OpenACS 4.5 Permissions system allows developers and administrators to set access control policies at the object level, that is, any application or system object represented by a row in the acs_objects table can be access-controlled via a simple PL/SQL or Tcl interface. The permissions system manages a data model that then allows scripts to check permissions using another simple API call. -

-

+

Although this may all sound easy and wonderful, no developer or -administrator would want to explicitly set access control -rights for every user and every object on a +administrator would want to explicitly set access control +rights for every user and every object on a site. Therefore, OpenACS 4.5 has two auxiliary mechanisms for making this easier: First, the Groups system allows users to be grouped together in flexible ways. Second, the object model defines a notion of -object context, which allows applications to group objects +object context, which allows applications to group objects together into larger security domains. The rest of this document will talk about each of these parts, and how they fit together with the permissions system. -

-
-
-

-Groups

-

+

Groups

In OpenACS 3.x, the groups system allowed developers and administrators to define simple groupings of users. Each group had a human readable name and unique ID, and there was a single mapping table that mapped users to groups. (The actual data model was more complicated because it contained a meta-data system much like the OpenACS 4.5 object type system, but that's not relevant right now.) -

-

+

The 3.x groups system, while very useful, was limited in few ways. The main limitation: groups could not either contain or include other groups. You could not express the fact that all the members of group A @@ -72,8 +38,7 @@ employees. Obviously, you'd want every member of an office employee group to automatically be a member of the whole company employee group. -

-

+

In OpenACS 3.x, you also could not express the fact that group A should itself be a member of group B, without also implying that all of its members are also members of B. This type of relationship also comes up @@ -82,29 +47,25 @@ and organizations: although the Sierra Club may be an organization member of Greenpeace, its members are not necessarily members of Greenpeace. -

-

+

OpenACS 4.5 solves both of these modeling problems by introducing a new -abstraction called a party. Parties have a recursive +abstraction called a party. Parties have a recursive definition, and we can illustrate how it works with the following simplified data model. First, we define the parties table, where each party has an email address and a URL for contact information. -

-
+

 
 create table parties (
     party_id  integer not null references acs_objects(object_id),
     email varchar(100),
     url varchar(100)
 )
 
-
-

+

Now we define two subtypes of party, one for persons, and one for groups: -

-
+

 
 create table groups (
     group_id  not null references parties(party_id),
@@ -117,49 +78,38 @@
     last_name varchar(100) not null
 )
 
-
-

+

The users table is also defined in this data model as a subtype of person. It contains many of the basic columns that the old OpenACS 3.x users table contained. -

-

-Finally, we define two relations, one for group membership and -one for group composition. The composition relation allows us +

+Finally, we define two relations, one for group membership and +one for group composition. The composition relation allows us to express the fact that every member of group A should also be a member of group B. This relation allows us to define a hierarchy of groups instead of the simple flat groups that 3.x allowed. -

-

+

The membership relation is much like the mapping we had in 3.x, except -that it maps groups to parties instead of groups to users. What +that it maps groups to parties instead of groups to users. What this means is that each member of a group is a party rather than just a user. That is, groups consist of members that are either a person or an entire group. This allows us to say that group A should be a member of another group B. -

-

+

The groups data model is pleasantly recursive. The fact that parties are modeled as being either a person or a group has a lot of power, allowing us to model complex hierarchical groupings of persons and groups that were hard or impossible to model in 3.x. -

-

+

The full details of the groups data model is beyond the scope of this tutorial - I've just given you what you need to understand how permissions work. For further detail, you can look at Parties in OpenACS 4 or OpenACS 4 Groups Design. -

-
-
-

-Permissions

-

+

Permissions

The permissions data model is actually pretty simple. The data model -is a mapping between privileges, parties and objects. We +is a mapping between privileges, parties and objects. We already know what parties and objects are, but we don't know what privileges are. -

-

+

In OpenACS 4.5, a privilege models the right to perform some operation on some object. They are the basic units out of which we build access control policies. For example, in the Unix filesystem we typically @@ -173,8 +123,7 @@ automatically granted all the child privileges that the privilege contains. The OpenACS 4.5 kernel data model actually defines these privileges as follows: -

-
+

 
 begin
  acs_privilege.create_privilege('read');
@@ -191,94 +140,44 @@
  commit;
 end;
 
-
-

+

To give a user permission to perform a particular operation on a particular object you call acs_permission.grant_permission like this: -

-
+ 

 
     acs_permission.grant_permission (
       object_id => some_object_id,
       grantee_id => some_party_id,
       privilege => 'some_privilege_name'
       );
 
-
-

+

Using just these mechanisms is enough for developers and administrators to effectively define access control for every object in a system. But it would be tedious to explicitly attach permissions to every object individually: in many cases, we'd prefer controlling permissions to large groups of objects in the site, all at once. We use contexts to achieve this goal. -

-
-
-

-Object Context

-

+

Object Context

In OpenACS 4.5, an object context is a generalization of the scoping mechanism introduced in OpenACS 3.x. "Scoping" and "scope" are terms best explained by example: consider some hypothetical rows in the address_book table: -

-
------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
...scopeuser_idgroup_id...
...user123...
...group456...
...public...
-

+

...scopeuser_idgroup_id...
...user123...
...group456...
...public...

The first row represents an entry in User 123's personal address book, the second row represents an entry in User Group 456's shared address book, and the third row represents an entry in the site's public address book. -

-

+

In this way, the scoping columns identify the security context in -which a given object belongs, where each context is either a -person or a group of people or the general public +which a given object belongs, where each context is either a +person or a group of people or the general public (itself a group of people). -

-

+

In OpenACS 4.5, rather than breaking the world into a limited set of scopes, -every object lives in a single context. A context is just an +every object lives in a single context. A context is just an another object that represents the security domain to which the object belongs. By convention, if an object A doesn't have any permissions explicitly attached to it, then the system will look at the @@ -290,8 +189,7 @@ through the context happens, otherwise it does not. You might set this field to 'f' if you want to override the default permissions in a subtree of some context. -

-

A good example of how to use this hierarchy is in the bboard +

A good example of how to use this hierarchy is in the bboard application. With only row-level permissions it is not obvious how to reasonably initialize the access control list when creating a message. At best, we have to explicitly grant various read and write @@ -304,15 +202,12 @@ checks permissions on the message's context. To allow the creator of the message to change the message after it has been posted we grant the user write-access on the message, and we are done. -

-

+

This mechanism allows developers and administrators to define a hierarchy that matches the structure they need for access control in their application. The following picture shows a typical context hierarchy for a hypothetical site: -

-

-

+

A few things to note here. First, the top two contexts in the picture are "magic" in some sense because they are created by default by OpenACS for a specific purpose. The object default_context @@ -325,33 +220,25 @@ some object has no permissions attached to it, and its value for security_inherit_p is 'f', or context_id is null, then we use this context by default. -

-
-
-

-Example

-

+

Example

At this point, you should either go and download the Notes example code from the package repository, or check it out of the ArsDigita CVS repository and add it to your server. The package is called "notes". To check it out from CVS, read the these instructions on how to use anonymous checkouts and then checkout the module acs-packages/notes: -

-
+

 
 % export CVSROOT=:pserver:anonymous@cvs.arsdigita.com:/usr/local/cvsroot
 % cvs login # the password is acsrules
 % cvs checkout acs-packages/notes
 
-
-

+

After you have downloaded the package, look at the index.tcl page in the www directory. You can also -look at the code in your browser. The code should look something like this: -

-
+look at the code in your browser. The code should look something like this:
+

 
 # main index page for notes.
 
@@ -396,46 +283,39 @@
 
 ad_return_template
 
-
-

+

This example shows both the Tcl and PL/SQL APIs for checking permissions. The Tcl proc ad_permission_p and the PL/SQL function acs_permission.permission_p both return a flag indicating whether the current user has permission to perform the given action. By default, the Tcl procedure extracts the user_id out of the request environment, while the SQL procedure takes it as an argument. -

-

+

It also shows how we display more complicated items using the template -system. The code here creates a multirow data source, i.e. a +system. The code here creates a multirow data source, i.e. a data source that represents a query returning multiple rows from the database. For each row, we return the ID of the note, the ID of the owner of the note, the title, the body and then three flags that indicate whether the user has write, admin, and delete privileges. Also, the WHERE clause of the query ensures that we only see notes that we are allowed to see. -

-

-Next, look at the index.adp. It is pretty complicated. +

+Next, look at the index.adp. It is pretty complicated. The main part of this page uses a multiple template tag. If you want to experiment, you can replace the main body of the multiple tag with this: -

-
+

 
 <multiple name=notes>
 <td>@notes.title@</td><td>@notes.body</td>
 </multiple>
 
-
-

+

This will just make a table with one note per row. -

-

+

Now put the more complex code back. You'll notice a lot of stuff like this: -

-
+

 
 <if @notes.write_p@ eq 1>
   <a href=add-edit?note_id=@notes.note_id@>@notes.title@</a>
@@ -444,14 +324,12 @@
   @notes.title@
 </else>
 
-
-

+

This displays the title of the note as either a link or plain text depending on whether or not we have write privileges on the object. The if tag is something that the OpenACS 4.5 template system defines for you to support conditional presentation. The templates developer guide provides more information about this. -

-

+

If you study the rest of the system, you will also notice that the notes application doesn't explicitly attach privileges to the objects it creates. All privileges are inherited from the context of the object @@ -462,50 +340,17 @@ implement a user interface that allowed the user to explicitly attach permissions to notes that she wanted to make public or whatever. But that's beyond the scope of this example. -

-
-
-

-Summary

-

+

Summary

OpenACS 4.5 defines three separate mechanisms for specifying access control in applications. The Groups data model allows you to define hierarchical organizations of users and groups of users. The Permissions data model allows you to define a hierarchy of user rights. Finally, the Context hierarchy allows you to define organize default permissions in a hierarchical fashion. A simple PL/SQL or Tcl API is then used to do access control checks in application pages. -

-

+

In the next section, we'll look at a more complex page for adding and editing notes, and discuss these issues further. -

-

($Id$)

-
-
-
- - +