source: main/waeup.kofa/branches/henrik-transcript-workflow/docs/source/userdocs/security.rst @ 17341

Last change on this file since 17341 was 15133, checked in by Henrik Bettermann, 6 years ago

New permissions and roles for transcript processing.

.. _security_policy:

Security
********

.. seealso::

   :ref:`Security Doctests <security_txt>`

Kofa has a very efficient security machinery. The machinery does not
perform authorization checks on the content objects themselves stored
in the database but restricts the usage of views, i.e. the web pages
and forms which are needed to view or edit data. Each view is
protected by a permission the user must hold in order to use the
view. Instead of assigning permissions separately to users,
permissions are bundled into sets of permissions, so-called roles,
which can be assigned to users through the web interface.

It is important to note that permissions do not include other
permissions. Only roles 'include' permissions. A 'manage' permission,
for example, does not automatically enable users to open pages which
merely display the data; these pages have their own 'view'
permission. Another example is the ManagePortal permission described
below. The name of the permission may lead one to believe that users
can do everything with this permission. This is not true: it only
gives access to certain pages which are dedicated to portal managers
and must not be accessed by any other user.

.. contents:: Table of Contents
   :local:

Permissions
===========

The whole set of permission and role classes is described in the
:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
we describe only a subset of permission classes which are essential
for the security settings configuration.

General Permissions
-------------------

.. autoclass:: waeup.kofa.permissions.Public()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Anonymous()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Authenticated()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageUsers()
   :noindex:

.. autoclass:: waeup.kofa.permissions.EditUser()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortal()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ViewAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.TriggerTransition()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ShowStudents()
   :noindex:

.. autoclass:: waeup.kofa.reports.HandleReports()
   :noindex:

.. autoclass:: waeup.kofa.reports.ManageReports()
   :noindex:

Applicants Section Permissions
------------------------------

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.CreateStudents()
   :noindex:

Students Section Permissions
----------------------------

.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.PayStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
   :noindex:

Global Roles
============

Global or site roles are assigned portal-wide. In contrast to local
roles, users have this role in every context.

Many global roles bundle only one or two permissions. The objective
behind this is to share responsibilities and distribute tasks.

Global roles are assigned via the user manage form page.

Global General Roles
--------------------

.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.AcademicsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DataCenterManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ACManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UsersManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.WorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsManager()
   :noindex:

In contrast to these specialized sets of permissions, there are two
sets which delegate extensive powers to portal managers.

.. autoclass:: waeup.kofa.permissions.PortalManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CCOfficer()
   :noindex:

Global Applicants Section Roles
-------------------------------

Global Applicants Section Roles are assigned portal-wide (globally)
but actually only allocate permissions in the applicants section.

.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.StudentsCreator()
   :noindex:

Global Students Section Roles
-----------------------------

Global Students Section Roles are assigned portal-wide (globally) but
actually only allocate permissions in the students section.

.. autoclass:: waeup.kofa.students.permissions.StudentRole()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.TranscriptOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.TranscriptSignee()
   :noindex:

.. _local_roles:

Local Roles and Dynamic Role Assignment
=======================================

In contrast to global roles, which are assigned portal-wide, local
role permissions are gained only for a specific context.

Some local roles serve a second purpose. At first glance it seems
strange that some of these 'odd' roles do not give more permissions
than the user already has due to other roles. Their real purpose is to
delegate permissions to the students or applicants section. If a user
has, for example, the LocalStudentsManager role described below at
department level, s/he automatically gets the StudentsManager role for
those students studying in this department. We call this a **dynamic
role**. In contrast to static global or local roles, dynamic roles are
not stored in the database; they are assigned dynamically.
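
The rules stated in the introduction (a view is protected by exactly
one permission, permissions never include other permissions, roles
bundle permissions) and in this section (global roles apply in every
context, local roles only in their context, and a local role at
department level yields a dynamic, unstored role for the students of
that department) can be modelled in a few lines. The following is an
added example written for this page, not waeup.kofa code: Kofa's real
machinery is built on grok/Zope permissions and roles, whereas this
model uses plain Python. Permission and role names are taken from this
page; the bundle contents, the view table and the ``Department`` and
``Student`` objects are assumptions constructed for the example.

```python
"""Illustrative model of the Kofa security concepts on this page.

Added example, not waeup.kofa code. Permission and role names follow
the classes documented on the page; bundle contents, the view table and
the Department/Student objects are assumed for illustration.
"""
from dataclasses import dataclass, field

# Roles bundle permissions. A permission never includes another one, so
# holding 'ManageStudent' alone would not open a 'ViewStudent' page.
# Bundle contents are assumed for illustration only.
ROLE_PERMISSIONS = {
    "AcademicsOfficer": {"ViewAcademics"},
    "AcademicsManager": {"ViewAcademics", "ManageAcademics"},
    "StudentsOfficer": {"ViewStudent"},
    "StudentsManager": {"ViewStudent", "ManageStudent"},
    "PortalManager": {"ManagePortal", "ViewAcademics", "ManageAcademics",
                      "ViewStudent", "ManageStudent"},
    "DepartmentOfficer": {"ViewAcademics"},                    # local role
    "DepartmentManager": {"ViewAcademics", "ManageAcademics"},  # local role
    "LocalStudentsManager": set(),   # 'odd' local role: it only delegates
    "StudentRecordOwner": {"ViewStudent"},   # assigned automatically
}

# A local role held at department level yields a dynamic role for the
# students of that department. Dynamic roles are computed, never stored.
DYNAMIC_ROLES = {"LocalStudentsManager": "StudentsManager"}

# Every view is protected by exactly one permission the user must hold.
VIEW_PERMISSIONS = {
    "department_index": "ViewAcademics",
    "department_manage": "ManageAcademics",
    "student_index": "ViewStudent",
    "student_manage": "ManageStudent",
    "portal_configuration": "ManagePortal",
}


@dataclass
class Department:
    code: str
    local_roles: dict = field(default_factory=dict)  # user -> {role, ...}


@dataclass
class Student:
    student_id: str
    department: Department
    local_roles: dict = field(default_factory=dict)

    def __post_init__(self):
        # Like StudentRecordOwner in Kofa: the student's own account gets
        # the owner role on its record during object setup.
        self.local_roles.setdefault(self.student_id, set()).add(
            "StudentRecordOwner")


class Portal:
    def __init__(self):
        self.global_roles = {}  # user -> {role, ...}, stored portal-wide

    def grant_global(self, user, role):
        self.global_roles.setdefault(user, set()).add(role)

    def grant_local(self, context, user, role):
        context.local_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user, context):
        """Global roles everywhere, local roles in their own context, plus
        dynamic roles derived from local roles at department level."""
        roles = set(self.global_roles.get(user, ()))
        roles |= context.local_roles.get(user, set())
        if isinstance(context, Student):
            dept_roles = context.department.local_roles.get(user, set())
            roles |= {DYNAMIC_ROLES[r] for r in dept_roles if r in DYNAMIC_ROLES}
        return roles

    def permissions(self, user, context):
        perms = set()
        for role in self.effective_roles(user, context):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def can_use(self, user, view, context):
        """The authorization check: only the view's own permission counts."""
        return VIEW_PERMISSIONS[view] in self.permissions(user, context)


def build_scenario():
    """Constructed scenario: one portal, two departments, two students."""
    portal = Portal()
    physics, chemistry = Department("PHY"), Department("CHE")
    phy_student = Student("A100001", physics)
    che_student = Student("B200002", chemistry)
    portal.grant_global("manager", "PortalManager")
    portal.grant_global("officer", "AcademicsOfficer")
    # 'lsm' holds LocalStudentsManager in the physics department only.
    portal.grant_local(physics, "lsm", "LocalStudentsManager")
    return portal, physics, chemistry, phy_student, che_student


if __name__ == "__main__":
    portal, physics, chemistry, phy_student, che_student = build_scenario()
    print("lsm manages PHY student:", portal.can_use("lsm", "student_manage", phy_student))
    print("lsm manages CHE student:", portal.can_use("lsm", "student_manage", che_student))
    print("lsm roles on PHY student:", portal.effective_roles("lsm", phy_student))
```

Running the scenario shows the three points worth checking in a real
deployment: the ``lsm`` user gains ``StudentsManager`` only on students
of the physics department, gains nothing on the department object
itself, and the derived role appears in ``effective_roles`` without
ever being written to ``global_roles`` or to the student's
``local_roles``.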

Local roles are assigned either automatically by the system during
user object setup or manually through the web interface. The
automatically assigned local roles are:

.. autoclass:: waeup.kofa.permissions.Owner()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
   :noindex:

All other local roles must be assigned manually via context manage form pages.

.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Lecturer()
   :noindex:

The following local roles also delegate permissions to the students
section. In other words, dynamic roles are assigned.

.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalTranscriptOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalTranscriptSignee()
   :noindex: