Permission: Difference between revisions
(Created page with "In ContactsLaw, <strong>permissions</strong> to the various features and functions of the software are determined using ''Access Control Lists (ACLs)''.") |
mNo edit summary |
||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
In [[ContactsLaw]], <strong>permissions</strong> | In [[ContactsLaw]], the <strong>permissions</strong> that govern how each [[member]] interacts with the software are determined using ''Access Control Lists (ACLs)''. An ACL is a table containing [[Security:Role|roles]] and the permissions granted to them in respect of a particular ''resource''. The resource may be a [[subscription]], [[business]], [[workgroup]] or some other item. | ||
== Scope == | |||
ACLs can be defined on the following resources: | |||
* [[Subscription]] (global permissions) | |||
* [[Business]] | |||
* [[Workgroup]] | |||
* [[Matter]] | |||
* [[Documents:Folder|Folder]] | |||
The more specific the resource, the fewer permissions are governed by the ACL; for example, workgroup ACLs may govern matters and documents, whereas folder ACLs may only govern documents. | |||
== Effective Permissions == | |||
In determining the ''effective permissions'' for a particular member, ContactsLaw will: | |||
# Determine which role(s) are held by the member. | |||
# Check whether there is a specific ACL associated with the resource requested by the user: | |||
#* If so, check whether the ACL grants the permission to ''any'' of the member's roles: | |||
#** If so, permission is allowed. | |||
#** If not¹, permission is denied. | |||
#* If not, determine the item that owns the requested resource (if any) and repeat from step 2. | |||
In this way, a handful of ACLs defined on high-level resources (subscriptions, businesses, etc) determine the permissions that apply in most cases, while ACLs on low-level resources ([[Matter|matters]], [[Document:Folder|folders]], etc) need only be defined in exceptional circumstances. | |||
Note that [[Workgroup|workgroups]] are hierarchical; therefore, a workgroup may "own" one or more child workgroups for the purposes of permissions. | |||
¹ If a role is absent from the ACL, it is not granted the permission. | |||
== Implicit Permissions == | |||
Some permissions in ContactsLaw are implied from the [[Security:Role|roles]] held by a member. It is not possible to deny such permissions using ACLs. | |||
*The ''Administrator'' role grants all possible permissions. It should not be held by members who use the software on a daily basis. | |||
* The ''Manager'' role on [[Matter|matters]] grants full permissions to the matter and any resources owned by it, except for the "resolve conflicts" permission. | |||
* The ''Supervisor'' role on matters behaves as above, but also grants "resolve conflicts". | |||
== Reduced Requirements == | |||
When a member has a direct relationship with a particular resource (e.g. a document they uploaded), the requirements to interact with it may be reduced. It is not possible to deny such interactions using ACLs as no permissions apply. | |||
*'''Accounting''' | |||
** Members can list any transaction that contributes towards their "recovery" metric. | |||
* '''Billing''' | |||
** Members can list any time records on which they appear. | |||
** Members can list any orders for external services placed by them. | |||
** Members can list any invoices that contribute towards their "sales" metric. | |||
* '''Calendar''' | |||
** Members can edit any calendar items for which they are nominated as the organiser. All attendees can view the item. | |||
** Members can edit any task items they own. All delegates can view the item. | |||
* '''Contacts''' | |||
** Members can edit their own contact. | |||
* '''Daemon''' | |||
** The service account under which the daemon runs can manage any scheduled jobs on the server. | |||
* '''Documents''' | |||
** Members can undo their own checkouts (other members require the "undo checkout" permission). | |||
** Members can view items in the recycle bin that correspond to documents they originally deleted. | |||
** Members can delete any temporary documents they uploaded. | |||
* '''Matters''' | |||
** Members can list any matters on which they hold a role. | |||
* '''Members''' | |||
** Members can edit their own profile, excluding details relating to authentication and permissions. | |||
* '''Processes''' | |||
** Members can continue or abort any process they started. | |||
== Audit Logging == | |||
ContactsLaw logs any interaction that requires permission in a '''security audit log'''. This information can be accessed by members who have permission to manage the [[subscription]]. Old entries are periodically purged from the audit log. | |||
[[Category:Members]] | |||
Latest revision as of 15:14, 3 December 2024
In ContactsLaw, the permissions that govern how each member interacts with the software are determined using Access Control Lists (ACLs). An ACL is a table containing roles and the permissions granted to them in respect of a particular resource. The resource may be a subscription, business, workgroup or some other item.
Scope
ACLs can be defined on the following resources:
- Subscription (global permissions)
- Business
- Workgroup
- Matter
- Folder
The more specific the resource, the fewer permissions are governed by the ACL; for example, workgroup ACLs may govern matters and documents, whereas folder ACLs may only govern documents.
Effective Permissions
In determining the effective permissions for a particular member, ContactsLaw will:
- Determine which role(s) are held by the member.
- Check whether there is a specific ACL associated with the resource requested by the user:
- If so, check whether the ACL grants the permission to any of the member's roles:
- If so, permission is allowed.
- If not¹, permission is denied.
- If not, determine the item that owns the requested resource (if any) and repeat from step 2.
- If so, check whether the ACL grants the permission to any of the member's roles:
In this way, a handful of ACLs defined on high-level resources (subscriptions, businesses, etc) determine the permissions that apply in most cases, while ACLs on low-level resources (matters, folders, etc) need only be defined in exceptional circumstances.
Note that workgroups are hierarchical; therefore, a workgroup may "own" one or more child workgroups for the purposes of permissions.
¹ If a role is absent from the ACL, it is not granted the permission.
Implicit Permissions
Some permissions in ContactsLaw are implied from the roles held by a member. It is not possible to deny such permissions using ACLs.
- The Administrator role grants all possible permissions. It should not be held by members who use the software on a daily basis.
- The Manager role on matters grants full permissions to the matter and any resources owned by it, except for the "resolve conflicts" permission.
- The Supervisor role on matters behaves as above, but also grants "resolve conflicts".
Reduced Requirements
When a member has a direct relationship with a particular resource (e.g. a document they uploaded), the requirements to interact with it may be reduced. It is not possible to deny such interactions using ACLs as no permissions apply.
- Accounting
- Members can list any transaction that contributes towards their "recovery" metric.
- Billing
- Members can list any time records on which they appear.
- Members can list any orders for external services placed by them.
- Members can list any invoices that contribute towards their "sales" metric.
- Calendar
- Members can edit any calendar items for which they are nominated as the organiser. All attendees can view the item.
- Members can edit any task items they own. All delegates can view the item.
- Contacts
- Members can edit their own contact.
- Daemon
- The service account under which the daemon runs can manage any scheduled jobs on the server.
- Documents
- Members can undo their own checkouts (other members require the "undo checkout" permission).
- Members can view items in the recycle bin that correspond to documents they originally deleted.
- Members can delete any temporary documents they uploaded.
- Matters
- Members can list any matters on which they hold a role.
- Members
- Members can edit their own profile, excluding details relating to authentication and permissions.
- Processes
- Members can continue or abort any process they started.
Audit Logging
ContactsLaw logs any interaction that requires permission in a security audit log. This information can be accessed by members who have permission to manage the subscription. Old entries are periodically purged from the audit log.