
[Ganymede Help] Re: Permissions model

Date Tue, 11 Dec 2001 18:19:29 -0600 (CST)
From Jonathan Abbey <jonabbey@arlut.utexas.edu>

Gaurav, I'm switching this over to the ganymede-help list rather than
the ganymede-dev list, as this question has nothing to do with
development for Ganymede, but is instead a question on how to use
Ganymede.

| Hey Jon,
| I have like 4000 object types defined under the object "Address" which 
| I can see, edit and delete when I log in as admin....now please have a 
| look at this schema

No.. you have 4000 *objects* defined under the object *type*
"Address".

And the <object> records you are showing me here are not part of the
Ganymede schema.. the Ganymede schema consists of the <objectdef> and
<fielddef> records in the XML output, and they are contained in the
<ganyschema> section.  The <object> records are the actual data
objects in the database.

|     <object type="Role" id="New Role">
|       <Name>New Role</Name>
|       <Owned_Object_Bits>
|         <permissions>
|           <Start_of_Authority perm="">
|             <Expiration_Date perm=""/>
|             <Class perm=""/>
|             <Refresh perm=""/>
|             <Negative_TTL perm=""/>
|             <TTL perm=""/>
|             <Notes perm=""/>
|             <Domain perm=""/>
|             <Removal_Date perm=""/>
|             <Delegated perm=""/>
|             <NameServer perm=""/>
|             <MailBox perm=""/>
|             <Positive_TTL perm=""/>
|             <Retry perm=""/>
|             <Parent perm=""/>
|             <Serial_Number perm=""/>
|             <Expire perm=""/>
|             <Owner_list perm=""/>
|             <Owner perm=""/>
|           </Start_of_Authority>
|           <Owner_Group perm="">
|             <Expiration_Date perm=""/>
|             <Notes perm=""/>
|             <Members perm=""/>
|             <Removal_Date perm=""/>
|             <Cc_All_Admins perm=""/>
|             <Name perm=""/>
|             <Objects_owned perm=""/>
|             <Mail_List perm=""/>
|             <Owner_list perm=""/>
|           </Owner_Group>
|           <Building perm="VECD">
|             <Expiration_Date perm="VEC"/>
|             <Notes perm="VEC"/>
|             <Building_Name perm="VEC"/>
|             <Removal_Date perm="VEC"/>
|             <Owner_list perm="VEC"/>
|           </Building>
|           <Address perm="VEC">
|             <Expiration_Date perm="VEC"/>
|             <TTL perm="VEC"/>
|             <PTR-ID perm="VEC"/>
|             <HostNumber perm="VEC"/>
|             <Notes perm="VEC"/>
|             <A-ID perm="VEC"/>
|             <Mail_Exchanger perm="VEC"/>
|             <Removal_Date perm="VEC"/>
|             <HardWare-ID perm="VEC"/>
|             <SOA-ID perm="VEC"/>
|             <Building perm="VEC"/>
|             <Subnet-ID perm="VEC"/>
|             <Closet_Number perm="VEC"/>
|             <Dynamic perm="VEC"/>
|             <SubDomain perm="VEC"/>
|             <Room_Number perm="VEC"/>
|             <Owner_list perm="VEC"/>
|             <Owner perm="VEC"/>
|             <CName perm="VEC"/>
|             <HostName perm="VEC"/>
|           </Address>
|         </permissions>
|       </Owned_Object_Bits>
|       <Default_Bits>
|         <permissions>
|           <Subnet perm="">
|             <Dist-ZoneID perm=""/>
|             <Expiration_Date perm=""/>
|             <Base_Address perm=""/>
|             <Notes perm=""/>
|             <Removal_Date perm=""/>
|             <SubnetID perm=""/>
|             <Subnet_Mask perm=""/>
|             <Name perm=""/>
|             <Owner_list perm=""/>
|             <Broadcast_Address perm=""/>
|             <RouterID perm=""/>
|             <Owner perm=""/>
|           </Subnet>
|           <Router perm="">
|             <Expiration_Date perm=""/>
|             <Notes perm=""/>
|             <Removal_Date perm=""/>
|             <Subnets perm=""/>
|             <Subnet_Mask perm=""/>
|             <Name perm=""/>
|             <Owner_list perm=""/>
|             <Address perm=""/>
|             <RouterID perm=""/>
|             <Owner perm=""/>
|             <CName perm=""/>
|           </Router>
|           <Start_of_Authority perm="">
|             <Expiration_Date perm=""/>
|             <Class perm=""/>
|             <Refresh perm=""/>
|             <Negative_TTL perm=""/>
|             <TTL perm=""/>
|             <Notes perm=""/>
|             <Domain perm=""/>
|             <Removal_Date perm=""/>
|             <Delegated perm=""/>
|             <NameServer perm=""/>
|             <MailBox perm=""/>
|             <Positive_TTL perm=""/>
|             <Retry perm=""/>
|             <Parent perm=""/>
|             <Serial_Number perm=""/>
|             <Expire perm=""/>
|             <Owner_list perm=""/>
|             <Owner perm=""/>
|           </Start_of_Authority>
|           <Owner_Group perm="">
|             <Expiration_Date perm=""/>
|             <Notes perm=""/>
|             <Removal_Date perm=""/>
|             <Members perm=""/>
|             <Cc_All_Admins perm=""/>
|             <Name perm=""/>
|             <Objects_owned perm=""/>
|             <Mail_List perm=""/>
|             <Owner_list perm=""/>
|           </Owner_Group>
|           <Building perm="VEC">
|             <Expiration_Date perm="VEC"/>
|             <Notes perm="VEC"/>
|             <Building_Name perm="VEC"/>
|             <Removal_Date perm="VEC"/>
|             <Owner_list perm="VEC"/>
|           </Building>
|           <NameServer perm="">
|             <Subnet perm=""/>
|             <Expiration_Date perm=""/>
|             <TTL perm=""/>
|             <Notes perm=""/>
|             <Removal_Date perm=""/>
|             <SOA-ID perm=""/>
|             <Name perm=""/>
|             <NS-ID perm=""/>
|             <Owner_list perm=""/>
|             <Owner perm=""/>
|           </NameServer>
|           <Address perm="VC">
|             <Expiration_Date perm="VC"/>
|             <TTL perm="VC"/>
|             <PTR-ID perm="VC"/>
|             <HostNumber perm="VC"/>
|             <Notes perm="VC"/>
|             <Mail_Exchanger perm="VC"/>
|             <A-ID perm="VC"/>
|             <Removal_Date perm="VC"/>
|             <HardWare-ID perm="VC"/>
|             <Building perm="VC"/>
|             <SOA-ID perm="VC"/>
|             <Subnet-ID perm="VC"/>
|             <Closet_Number perm="VC"/>
|             <Dynamic perm="VC"/>
|             <SubDomain perm="VC"/>
|             <Room_Number perm="VC"/>
|             <Owner_list perm="VC"/>
|             <Owner perm="VC"/>
|             <CName perm="VC"/>
|             <HostName perm="VC"/>
|           </Address>
|         </permissions>
|       </Default_Bits>
|       <Persona_entities>
|         <invid type="Admin_Persona" id="Gober:gaurav"/>
|       </Persona_entities>
|       <Owner_list>
|         <invid type="Owner_Group" id="villanova"/>
|       </Owner_list>
|     </object>
| 
| Here I have given privilege to my personae to see, edit and create the 
| building object types...and visible and create for the Address 
| object..what's happening here is that I have about 40 building object 
| types defined under the object Building and about 4000 address 
| objects...and now as the personae has the ownership of the building and 
| address object...when I log in as the personae I created ..what I see 
| is two nodes("i.e two objects "Address" and "Building" which is what I 
| should see")..now when I click on the node( + sign ) of the Building 
| object what I can see is all the 40 building objects.......but when I 
| click on the node of "Address" object I can't see any object types under 
| that node....which is wrong as I should be able to see and edit all the 
| Address objects which I created as an Admin...coz there is nothing 

Remember, objects are owned by owner groups, and admin personae belong
to owner groups.  In your permissions shown above, this Role has
permission to view, edit, and create *any* Building object, no matter
who owns it.  I.e., this bit in the <Default_Bits> section:

           <Building perm="VEC">
             <Expiration_Date perm="VEC"/>
             <Notes perm="VEC"/>
             <Building_Name perm="VEC"/>
             <Removal_Date perm="VEC"/>
             <Owner_list perm="VEC"/>
           </Building>

By comparison, the <Default_Bits> section does not grant editing
privilege to all Address objects, regardless of ownership.  You just
have view and create privileges in the <Default_Bits>:

           <Address perm="VC">
             <Expiration_Date perm="VC"/>
             <TTL perm="VC"/>
             <PTR-ID perm="VC"/>
             <HostNumber perm="VC"/>
             <Notes perm="VC"/>
             <Mail_Exchanger perm="VC"/>
             <A-ID perm="VC"/>
             <Removal_Date perm="VC"/>
             <HardWare-ID perm="VC"/>
             <Building perm="VC"/>
             <SOA-ID perm="VC"/>
             <Subnet-ID perm="VC"/>
             <Closet_Number perm="VC"/>
             <Dynamic perm="VC"/>
             <SubDomain perm="VC"/>
             <Room_Number perm="VC"/>
             <Owner_list perm="VC"/>
             <Owner perm="VC"/>
             <CName perm="VC"/>
             <HostName perm="VC"/>
           </Address>

You need to make sure that the Address objects are owned by an owner
group that your persona is a member of.  If the Address objects are
owned by the right owner group, then the permissions in the
<Owned_Object_Bits> will apply, which are from further up in the xml
you sent:

           <Address perm="VEC">
             <Expiration_Date perm="VEC"/>
             <TTL perm="VEC"/>
             <PTR-ID perm="VEC"/>
             <HostNumber perm="VEC"/>
             <Notes perm="VEC"/>
             <A-ID perm="VEC"/>
             <Mail_Exchanger perm="VEC"/>
             <Removal_Date perm="VEC"/>
             <HardWare-ID perm="VEC"/>
             <SOA-ID perm="VEC"/>
             <Building perm="VEC"/>
             <Subnet-ID perm="VEC"/>
             <Closet_Number perm="VEC"/>
             <Dynamic perm="VEC"/>
             <SubDomain perm="VEC"/>
             <Room_Number perm="VEC"/>
             <Owner_list perm="VEC"/>
             <Owner perm="VEC"/>
             <CName perm="VEC"/>
             <HostName perm="VEC"/>
           </Address>

| different that I am doing with the building object than I did with the 
| Address object(as far as giving permissions is concerned)....Am I clear 
| enough in explaining..;)
| Thanks
| Gaurav

-------------------------------------------------------------------------------
Jonathan Abbey 				              jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX     http://www.arlut.utexas.edu/gash2
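The ownership rule in the reply above, as an added Python example that is not part of this thread or of Ganymede's own code: it parses a cut-down copy of the quoted Role and works out what a persona can do on one object depending on whether an owner group the persona belongs to owns that object. Treating the result as the union of Default_Bits and (only when owned) Owned_Object_Bits, the letter meanings V/E/C/D, and the group names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed, cut-down copy of the Role object quoted in the thread.
# Assumption: the perm letters are V=view, E=edit, C=create, D=delete.
ROLE_XML = """<object type="Role" id="New Role">
  <Owned_Object_Bits><permissions>
    <Building perm="VECD"/>
    <Address perm="VEC"/>
  </permissions></Owned_Object_Bits>
  <Default_Bits><permissions>
    <Subnet perm=""/>
    <Building perm="VEC"/>
    <Address perm="VC"/>
  </permissions></Default_Bits>
  <Owner_list><invid type="Owner_Group" id="villanova"/></Owner_list>
</object>"""


def load_role(xml_text):
    """Return {'owned': {type: set(bits)}, 'default': {...}} from a Role <object>."""
    root = ET.fromstring(xml_text)

    def bits(section):
        node = root.find(f"{section}/permissions")
        return {} if node is None else {t.tag: set(t.get("perm", "")) for t in node}

    return {"owned": bits("Owned_Object_Bits"), "default": bits("Default_Bits")}


def effective_perms(role, persona_groups, obj_type, obj_owner_groups):
    """Object-level bits a persona gets on one object of obj_type.

    Default_Bits apply to every object of the type regardless of owner;
    Owned_Object_Bits are added only when an owner group the persona belongs
    to owns the object. The union is a modelling assumption for this example.
    """
    perms = set(role["default"].get(obj_type, set()))
    if set(persona_groups) & set(obj_owner_groups):
        perms |= role["owned"].get(obj_type, set())
    return "".join(sorted(perms, key="VECD".index))


role = load_role(ROLE_XML)
persona = {"villanova"}  # owner groups the admin persona belongs to (assumed)

if __name__ == "__main__":
    # Address owned by another group: only the default VC, so no edit in the tree
    print("Address/other:", effective_perms(role, persona, "Address", ["other-dept"]))
    # Same Address once villanova owns it: the Owned_Object_Bits add E
    print("Address/owned:", effective_perms(role, persona, "Address", ["villanova"]))
    # Building: Default_Bits already give VEC no matter who owns it
    print("Building/other:", effective_perms(role, persona, "Building", ["other-dept"]))
```

Moving the 4000 Address objects into an owner group the persona belongs to is what turns the first case into the second.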
