
Re: [Ganymede Dev] Permissions model

Date: Fri, 30 Nov 2001 16:28:12 -0600 (CST)
From: Jonathan Abbey <jonabbey@arlut.utexas.edu>

"Gaurav Bhargava" <gaurav.bhargava@villanova.edu> wrote:
|
| Hey Jon,
| I have a summary of the permissions model....
| 
| A user can have multiple admin personae.
| The steps are
| 1) Create a user.
| 2) Give its ownership to a group (Owner group object).
| 3) Create admin personae associated to that user.
| 4) Create a new role object and define the functions by modifying
|    the access bits, and in the end add different admin personae to
|    this role.
| 5) Make sure that the new Role has the permission to create and edit
|    the objects owned field in the "Owner" group object.

Right, that's all correct.

| Now what's happening here is that once I have created a user and linked it
| to a persona and set the permissions, and I try to log in as that user,
| it gives me two options as to how I would like to work: as the
| user or as the persona. When I try to log in (client side) as the
| persona entity it shows me all the objects which the user has
| ownership of, but when I try to (switch) work as a user it doesn't show me
| anything... do you know what's happening here??? Can users only work as
| personae?

The intention is that all admins working with Ganymede will log in
using an admin persona.  The purpose of the separation of the admin
persona from the basic user account is so that compromise of the
admin's primary password will not lead to privileged access in the
Ganymede server.  Users would have to find and crack the admin persona
password in order to muck things up in the Ganymede server.

If an admin just logs in with their 'native', i.e., user privileges,
they will only have those privileges that are granted by the Default
role object.

All roles have two permission matrices: the 'Objects Owned'
permissions, and the 'Default' permissions.

By default, a simple user login (without using an admin persona) can't
own any objects in the database except their own user account.  Thus,
by setting things up so that the 'Objects Owned' permission matrix in
the Default role object allows editing of the user's password, shell,
and personal identification information, your end users will be able
to login to Ganymede and change their password, etc.

If you have something that you want ALL of your users to be able to
do, just put those abilities in the Default Role object.  If you have
anything that you want some but not all users to be able to do, you
should pretty much create admin personae for them.

You can use some of the customization hooks in DBEditObject to grant
ownership based on custom run-time calculations. The grantOwnership()
method for an object can be used to provide exceptions to the basic
rule that users don't own anything but their own user accounts, as
in the following from our custom logic here at the lab:

  /**
   * <p>Hook to allow subclasses to grant ownership privileges to a given
   * object.  If this method returns true on a given object, the Ganymede
   * Permissions system will provide access to the object as owned with
   * whatever permissions apply to objects owned by the persona active
   * in gSession.</p>
   *
   * <p><b>*PSEUDOSTATIC*</b></p>
   */

  public boolean grantOwnership(GanymedeSession gSession, DBObject object)
  {
    // PRIMARYUSER is an Invid field pointing at the user object for this system
    Invid userInvid = (Invid) object.getFieldValueLocal(systemSchema.PRIMARYUSER);

    // treat the system as owned when the logged-in user is its primary user
    if (userInvid != null &&
        userInvid.equals(gSession.getUserInvid()))
      {
        return true;
      }

    return false;
  }

that is, in our schema, system objects have a PRIMARYUSER Invid field
which points to the user object who is the primary user of the system.
If a user logs in with their end-user privileges, the combination of
this code in the systemCustom class and the enabling of some editing
privileges for Systems in the 'Objects Owned' permission matrix in the
Default Role object will allow them to edit their own systems, without
having to have and use an admin persona.

I know this is a bit involved, let me know if I can explain it further.

| Thanks 
| Gaurav

Thanks Gaurav!

 Jon

-------------------------------------------------------------------------------
Jonathan Abbey 				              jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX     http://www.arlut.utexas.edu/gash2
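The following is an added example, not code from Ganymede or from this thread: a small Python model of the decision procedure the reply above describes (native user login versus admin persona login, the Default role with its 'Objects Owned' and 'Default' matrices, ownership through Owner groups, and a per-type grantOwnership hook keyed on a system's primary user). The class names, the matrix layout and the rule that the Default role applies to every login are simplifying assumptions, and the users, systems and roles are constructed sample data; it exists to show why the native login sees nothing but its own account while the persona login sees the group's objects, and how the hook opens a controlled exception.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

Matrix = Dict[str, Dict[str, Set[str]]]   # {object type: {field: {"view","edit",...}}}

@dataclass
class DBObject:
    invid: str                                    # e.g. "user:alice"
    otype: str                                    # "user", "system", ...
    owners: Set[str] = field(default_factory=set) # owner-group invids
    fields: Dict[str, str] = field(default_factory=dict)

@dataclass
class Role:
    owned: Matrix = field(default_factory=dict)   # 'Objects Owned' matrix
    default: Matrix = field(default_factory=dict) # 'Default' matrix
    personae: Set[str] = field(default_factory=set)

@dataclass
class Persona:
    invid: str
    user: str                                     # user account it belongs to
    owner_groups: Set[str] = field(default_factory=set)

@dataclass
class Session:
    user: str
    persona: Optional[str] = None                 # None: native user privileges

def system_grant_ownership(session: Session, obj: DBObject) -> bool:
    """Run-time ownership rule modelled on the mail's hook (assumed field name)."""
    return obj.fields.get("primaryuser") == session.user

HOOKS = {"system": system_grant_ownership}        # one hook per object type

def matrix_allows(matrix: Matrix, obj: DBObject, fld: str, perm: str) -> bool:
    return perm in matrix.get(obj.otype, {}).get(fld, set())

class PermissionModel:
    def __init__(self, default_role: Role, roles: List[Role], personae: List[Persona]):
        self.default_role, self.roles = default_role, list(roles)
        self.personae = {p.invid: p for p in personae}

    def login(self, user: str, persona: Optional[str] = None) -> Session:
        # A persona is usable only by the account it hangs off; in Ganymede it
        # also has its own password, which is the point of the separation.
        if persona is not None and self.personae[persona].user != user:
            raise PermissionError(f"{persona} does not belong to {user}")
        return Session(user, persona)

    def applicable_roles(self, s: Session) -> List[Role]:
        roles = [self.default_role]               # assumption: Default applies to all logins
        if s.persona is not None:
            roles += [r for r in self.roles if s.persona in r.personae]
        return roles

    def owns(self, s: Session, obj: DBObject) -> bool:
        if obj.otype == "user" and obj.invid == s.user:
            return True                           # everyone owns their own account
        if s.persona is not None and obj.owners & self.personae[s.persona].owner_groups:
            return True                           # owned through an Owner group
        hook = HOOKS.get(obj.otype)               # computed ownership, e.g. primary user
        return bool(hook and hook(s, obj))

    def allowed(self, s: Session, obj: DBObject, fld: str, perm: str) -> bool:
        owned = self.owns(s, obj)
        for role in self.applicable_roles(s):
            if owned and matrix_allows(role.owned, obj, fld, perm):
                return True
            if matrix_allows(role.default, obj, fld, perm):
                return True
        return False

# constructed sample data: one lab owner group, two users, two systems
ALICE = DBObject("user:alice", "user", {"ownergroup:lab"})
BOB = DBObject("user:bob", "user", {"ownergroup:lab"})
WS1 = DBObject("system:ws1", "system", {"ownergroup:lab"}, {"primaryuser": "user:alice"})
WS2 = DBObject("system:ws2", "system", {"ownergroup:lab"}, {"primaryuser": "user:bob"})

def build_model() -> PermissionModel:
    default_role = Role(owned={"user": {"password": {"edit"}, "shell": {"edit"}},
                               "system": {"room": {"edit"}}},
                        default={"user": {"name": {"view"}}})
    admins = Role(owned={"user": {"password": {"edit"}, "shell": {"edit"}},
                         "system": {"primaryuser": {"edit"}}},
                  personae={"persona:alice-admin"})
    alice_admin = Persona("persona:alice-admin", "user:alice", {"ownergroup:lab"})
    return PermissionModel(default_role, [admins], [alice_admin])

def scenarios() -> Dict[str, bool]:
    m = build_model()
    native = m.login("user:alice")                          # plain user login
    persona = m.login("user:alice", "persona:alice-admin")  # admin persona login
    return {
        "native_own_password": m.allowed(native, ALICE, "password", "edit"),       # True
        "native_other_password": m.allowed(native, BOB, "password", "edit"),       # False
        "native_view_other_name": m.allowed(native, BOB, "name", "view"),          # True
        "native_own_system_room": m.allowed(native, WS1, "room", "edit"),          # True (hook)
        "native_other_system_room": m.allowed(native, WS2, "room", "edit"),        # False
        "native_own_system_primaryuser": m.allowed(native, WS1, "primaryuser", "edit"),  # False
        "persona_other_password": m.allowed(persona, BOB, "password", "edit"),     # True
        "persona_other_system_primaryuser": m.allowed(persona, WS2, "primaryuser", "edit"),  # True
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:36s} {ok}")
```

The two checks worth noting are the last native ones: the hook makes WS1 owned by alice's plain login, but what she may edit on it is still bounded by the Default role's 'Objects Owned' matrix (room yes, primaryuser no), so computed ownership widens visibility without widening the permission set; reassigning a system's primary user needs the persona and its role.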


