Jazz CMS Wiki
Page Revision: 2014/09/30 16:56
Jazz ACLs

Jazz Access Control Lists (ACLs) are used to control access to Jazz Objects.

From Wikipedia:
Within an organization, Roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.


Roles and ACLs

There are two sides in the Role/ACL equation:
  • The user
  • The target object

The user's Role is matched against the Role assigned in the ACL of the target object.

ACL = Role + Access Type

Jazz implements an ACL entry as a Role plus an Access Type. The Access Type can be:
  • Allow: is used to allow the role access to the Jazz Record.
  • Deny: is used to deny the role access to the Jazz Record.
  • Read-Only: is used to allow the role access to the Jazz Record as a Read-only view.

ACL = User + Access Type

Jazz also implements a User-based ACL. This can be useful to test access to Jazz objects.

ACL Algorithm

The ACL algorithm is as follows:
  • If the target object has no ACL, then any user can access the target object.
  • If the target object has an ACL with an Admin Role and Allow Access Type, then only users with the Admin Role are allowed to read and write the target object.
  • If the target object has an ACL with a Nada Role and Deny Access Type, then users with the Nada Role are NOT allowed access to the target object.
  • If the target object has an ACL with an RO Role and Read-Only Access Type, then users with the RO Role are only allowed to read the target object.

Assigning Roles

Roles are assigned to Users in the Jazz Admin Panel using the Jazz Assign Roles to Users Web Part.
Roles are removed from Users in the Jazz Admin Panel using the Review Jazz Users Roles Web Part.

Assigning ACLs

ACLs are assigned to Jazz Objects using the Web Part: Jazz Model Access Control List.
[Image: Jazz Model Access Control List Web Part]

ACLs and Workspace

A Workspace is represented as a Jazz object with functionality similar to a directory in a file system. Every Jazz Record resides within exactly one workspace. As in a file system, permissions can be assigned to a workspace via ACLs. Workspaces support:
  • restricting access to the workspace itself to users with specific roles,
  • restricting access to the objects contained within the workspace to users with specific roles, and
  • restricting which users can change the Access Control List of the workspace.

Public Workspace

The "Public" workspace has no access restrictions. All newly created Jazz Records reside inside the Public workspace by default. No other workspaces are necessary unless advanced functionality is required.

Workspace Procedures

The Workspace of a Jazz Record can be changed in the Web Part: Jazz Editor.
Workspaces are created in the Jazz Admin Panel using the Jazz New Workspace Web Part.
Workspaces are deleted in the Jazz Admin Panel using the Jazz Workspaces Web Part.
Roles are assigned to a Workspace ACL in the Jazz Admin Panel using the Assign Jazz Roles to Workspace Access List Web Part.
Roles are removed from a Workspace ACL in the Jazz Admin Panel using the Jazz Workspace ACL Web Part.

Workspace usage

Workspaces should be used for work groups that share the same permissions on a set of Jazz Records. For example, an accounting department looks after the company's financial records: everyone in the accounting department has read-write access to the records, senior management has read-only access, and everyone else in the company is denied access. Placing all accounting records in an 'Accounting' Workspace with three ACLs, one for each of the three access groups, achieves that security goal.
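The following is an added model of the ACL Algorithm section and of the 'Accounting' workspace example above; it is illustrative code, not Jazz's own implementation. The role names, the "Staff" role standing in for "everyone else", the shape of the User-based entry, and the precedence applied when several entries match one user (Deny over Read-Only over Allow) are assumptions, since the page does not spell them out.

```python
from dataclasses import dataclass
from enum import Enum

class Access(Enum):  # the three Jazz Access Types named on this page
    ALLOW = "Allow"
    DENY = "Deny"
    READ_ONLY = "Read-Only"

@dataclass(frozen=True)
class AclEntry:
    subject: str           # a Role name, or a user name for the User-based ACL
    access: Access
    is_user: bool = False  # True for the "User + Access Type" form (assumed shape)

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

def effective_access(user, acl):
    """Return 'read-write', 'read' or 'none' for user against an object's ACL.
    Page rules: no ACL = unrestricted; Allow = read-write for matches; Deny =
    blocked; Read-Only = read for matches.  Precedence when several entries
    match one user (Deny > Read-Only > Allow) is an assumption."""
    if not acl:
        return "read-write"
    matched = [e for e in acl if (e.is_user and e.subject == user.name)
               or (not e.is_user and e.subject in user.roles)]
    if any(e.access is Access.DENY for e in matched):
        return "none"
    if any(e.access is Access.READ_ONLY for e in matched):
        return "read"
    if any(e.access is Access.ALLOW for e in matched):
        return "read-write"
    return "none"  # restricted object and nothing matched this user

def can(user, acl, operation):
    """True if 'read' or 'write' is permitted for the user by the ACL."""
    level = effective_access(user, acl)
    if operation not in ("read", "write"):
        raise ValueError(f"unknown operation: {operation}")
    return level == "read-write" if operation == "write" else level != "none"

# Constructed sample: the 'Accounting' workspace with the page's three ACLs.
ACCOUNTING_ACL = (
    AclEntry("Accounting", Access.ALLOW),
    AclEntry("SeniorManagement", Access.READ_ONLY),
    AclEntry("Staff", Access.DENY),  # everyone else in the company (assumed role)
)
```

Note that under the assumed precedence a user who holds both the Accounting role and the denied Staff role ends up with no access, which is the conservative outcome but worth checking against how Jazz actually resolves overlapping roles.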
