
ACLs for specific object types

Description

Many of our customers asked for a sophisticated right management to handle the access to

  • objects by object type

  • specific object fields (like passwords)

Handling in backend
Evaluating access rights should be handled in backend for security reasons.

Access rights on group level
All access rights should be configured for user groups (not for individual users). One user is linked to one user group.

Navigation elements in UI
If a user group does not have sufficient rights for specific actions, navigation elements (buttons, links, …) should be hidden.

ACLs for specific object types
Access control lists (ACLs) should be set for a specific object type. If no ACLs are defined (as in existing setups today), only the system level rights are applied. The configuration of ACLs should be optional for a specific object type. In the ACL of an object type the permissions for one or multiple user groups can be set. Permissions are:

  • view: viewing all objects of that type

  • add: adding new objects of that type

  • edit: editing existing objects of that type

  • delete: deleting objects of that type

If ACLs are defined, they are applied after the system level rights. That means a user must have the corresponding system level rights for the ACLs to take effect.
Example:

  • system level right: base.framework.object.view;

    • ACL for type “router” and group “server”: view => objects can only be viewed

    • ACL for type “router” and group “guest” is not defined: no access

    • ACL for type “router” and group “network”: write => object can only be viewed

  • system level right: base.framework.object.edit;

    • ACL for type “router” and group “server”: view => objects can only be viewed

    • ACL for type “router” and group “guest” is not defined: no access

    • ACL for type “router” and group “network”: write => object can only be edited

If a user group has no view access to specific object types:

  • objects of these types should not be shown in search results

  • types should not be shown in the category menu on the left side (we also should hide empty categories for these users)

  • references to these objects should be disabled (“protected”)

ACLs should be configured on type level as part of the object type generator.
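The evaluation rules above (system level rights first, then the optional per-type ACL narrowing them, with an unlisted group getting no access) as an added, runnable example. This is illustrative code written for this page, not the project's own implementation. It assumes system level rights are named base.framework.object.<permission> for all four permissions (the description only names .view and .edit), reads the description's ACL permission "write" as "edit", and uses constructed sample data that mirrors the “router” example.

```python
"""Backend-side evaluation of per-object-type ACLs layered on system level rights.

Added example for this epic; not project code. Assumptions: system level
rights follow the naming base.framework.object.<permission> for every
permission, and the ACL permission "write" from the description is "edit".
"""

PERMISSIONS = ("view", "add", "edit", "delete")
SYSTEM_RIGHT_PREFIX = "base.framework.object."  # assumed naming scheme

# ACL table: object type -> user group -> permissions granted to that group.
# A type without an entry has no ACL configured (system level rights only).
AclTable = dict[str, dict[str, set[str]]]


def system_permissions(system_rights: set[str]) -> set[str]:
    """Translate a group's system level rights into object permissions."""
    return {p for p in PERMISSIONS if SYSTEM_RIGHT_PREFIX + p in system_rights}


def effective_permissions(system_rights: set[str], group: str,
                          obj_type: str, acls: AclTable) -> set[str]:
    """Permissions a user of `group` has on objects of `obj_type`.

    ACLs are applied after the system level rights: an ACL can never grant
    more than the system level allows, it can only narrow it.
    """
    base = system_permissions(system_rights)
    if obj_type not in acls:
        return base                      # no ACL for this type at all
    granted = acls[obj_type].get(group)
    if granted is None:
        return set()                     # ACL exists, group not listed: no access
    return base & granted                # intersection = "applied after"


def is_allowed(system_rights: set[str], group: str, obj_type: str,
               permission: str, acls: AclTable) -> bool:
    """Single check the backend runs before any view/add/edit/delete action."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission: {permission}")
    return permission in effective_permissions(system_rights, group, obj_type, acls)


def filter_search_results(system_rights: set[str], group: str,
                          objects: list[dict], acls: AclTable) -> list[dict]:
    """Drop objects whose type the group may not view (search result filtering)."""
    return [o for o in objects
            if is_allowed(system_rights, group, o["type"], "view", acls)]


def category_menu(system_rights: set[str], group: str,
                  objects: list[dict], acls: AclTable) -> list[str]:
    """Types to show in the left-hand category menu: viewable and non-empty."""
    visible = filter_search_results(system_rights, group, objects, acls)
    return sorted({o["type"] for o in visible})


# Constructed sample data mirroring the example in the description.
VIEW_ONLY = {"base.framework.object.view"}
VIEW_AND_EDIT = {"base.framework.object.view", "base.framework.object.edit"}
ROUTER_ACL: AclTable = {
    "router": {
        "server": {"view"},
        "network": {"view", "edit"},   # the description's "write"
        # "guest" is intentionally absent: no access to routers
    }
}
SAMPLE_OBJECTS = [
    {"id": 1, "type": "router", "title": "core-rt-01"},
    {"id": 2, "type": "switch", "title": "access-sw-07"},   # no ACL configured
]

if __name__ == "__main__":
    for rights_name, rights in (("view", VIEW_ONLY), ("edit", VIEW_AND_EDIT)):
        for group in ("server", "guest", "network"):
            perms = effective_permissions(rights, group, "router", ROUTER_ACL)
            print(f"system {rights_name:4} / group {group:8} -> {sorted(perms)}")
    print("guest search results:",
          [o["title"] for o in filter_search_results(VIEW_ONLY, "guest", SAMPLE_OBJECTS, ROUTER_ACL)])
    print("guest category menu:", category_menu(VIEW_ONLY, "guest", SAMPLE_OBJECTS, ROUTER_ACL))
```

The UI can call the same `effective_permissions` result to decide which buttons and links to hide, but the authoritative decision stays in `is_allowed` on the backend, as the "Handling in backend" section requires; hiding navigation is a usability measure, not the enforcement.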

Activity

Michael Batz
yesterday

As discussed, I changed the description in the Epic. Can everybody please review it and see if we have the same understanding?

Assignee

Unassigned

Reporter

Michael Batz

Labels

Story Points

None

Tester

None

Fix versions

Priority

Medium

Epic Name

ACLs for specific object types