Home
Demo
Documentation
Downloads
FAQ
Project
Support
Tour
Team
Wiki

Community
Forums
openCRX Partners
 
Features
Roadmap
License

 



SourceForge.net Logo
openCRX Security: Version 1.7.1
PrevNext

Chapter 4. Permissions

Table of Contents
Ownership Permissions
Security Setting of New Objects
Model Permissions

With the openCRX security framework permissions can be granted with the following two methods:

  • Ownership Permissions: Permissions are granted on a particular object based on ownership (ownership access control has been implemented since openCRX v1.4.0). For example, permission to browse the account "Steve Jones" is granted to everybody or permission to delete the product "Gadget" is granted to the segment administrator only. Object permissions work similar to file permissions in a file system.

  • Model Permissions: Permissions are granted on model elements (will be implemented in a future version of openCRX). For example, permission is granted to execute the operation Refresh on the UserHome or permission is granted to view the Tab Leads, etc.

Ownership Permissions

Ownership permissions are used to control browse/delete/update access to openCRX objects by Users and UserGroups. Ownership access control has been implemented since openCRX v1.4.0. Every openCRX object is a SecureObject. The following figure shows an extract from the UML model (if you are interested in all the details and the formally correct and complete specifications you should refer to the openCRX UML models):

Figure 4-1. UML Model SecureObject (Extract)

enlarge

The most important security attributes of an object X are discussed below (and an example is shown in Figure 4-2):

  • Owning User: this user "owns" object X; the Owning User can always browse/delete/update object X (unless the access level is set to 0 [no access]).

  • Owning Groups: these groups might enjoy privileged treatment for browsing/deleting/updating object X depending on the relevant access level settings.

  • Browse Access Level: this setting determines which users / user groups are granted browse access to direct composite objects of object X [i.e. can view/inspect direct composite objects (including all their attributes) of object X].

  • Delete Access Level: this setting determines which users / user groups are granted delete access to object X and all its composite objects (recursively!) [i.e. can delete object X and all its composite objects (recursively!)].

  • Update Access Level: this setting determines which users / user groups are granted update access to object X [i.e. can change object X; this includes adding composite objects to object X].

Figure 4-2. System Attributes of an openCRX Object

enlarge

The following access levels are available to control which users / user groups are granted permission to browse/delete/update a particular object X:

  • 0 - N/A: no access.

  • 1 - private: access is granted if the user is owning user of object X.

  • 2 - basic: access is granted if (a) the user is owning user of object X, or if (b) the user is member of any of the owning groups of object X, or if (c) any of the owning groups of object X is a subgroup** of any group the user is member of.

  • 3 - deep: access is granted if (a) the user is owning user of object X, or if (b) the user is member of any of the owning groups of object X, or if (c) any of the owning groups of object X is a subgroup** of any group the user is member of, or if (d) any of the owning groups of object X is a subgroup** of any supergroup* of any group the user is member of.

  • 4 - global: all users are granted access.

* a supergroup of an owning group G is a group of which G is a member of (recursively)

** a subgroup of an owning group G is a group which is member of G (recursively)

PrevHomeNext
Introduction to role-based security Security Setting of New Objects
http://www.crixp.com/ http://www.openmdx.org/