source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 17397

Last change on this file since 17397 was 17253, checked in by Henrik Bettermann, 23 months ago

Add AccommodationViewer role.

.. _security_policy:

Security
********

.. seealso::

   :ref:`Security Doctests <security_txt>`

Kofa has a very efficient security machinery. The machinery does not
perform authorization checks on the content objects themselves stored
in the database; instead, it restricts the use of views, i.e. the web
pages and forms needed to view or edit data. Views are protected by
permissions which the user must have in order to use the view. Instead
of assigning permissions separately to users, permissions are bundled
into sets of permissions, so-called roles, which can be assigned to
users through the web interface.

It is important to note that permissions do not include other
permissions. Only roles 'include' permissions. A 'manage' permission,
for example, does not automatically enable users to open pages which
merely display the data. These pages have their own 'view'
permission. Another example is the ManagePortal permission described
below. The name of the permission may lead one to believe that users
can do everything with this permission. This is not true. It only
gives access to certain pages which are dedicated to portal managers
and must not be accessed by any other user.

.. contents:: Table of Contents
   :local:

Permissions
===========

The whole set of permission and role classes is described in the
:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
we describe only the subset of permission classes which is essential
for configuring the security settings.

General Permissions
-------------------

.. autoclass:: waeup.kofa.permissions.Public()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Anonymous()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Authenticated()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageUsers()
   :noindex:

.. autoclass:: waeup.kofa.permissions.EditUser()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortal()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ViewAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.TriggerTransition()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ShowStudents()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportPaymentsOverview()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportBursaryData()
   :noindex:

.. autoclass:: waeup.kofa.reports.HandleReports()
   :noindex:

.. autoclass:: waeup.kofa.reports.ManageReports()
   :noindex:

Accommodation Section Permissions
---------------------------------

.. autoclass:: waeup.kofa.hostels.permissions.ViewHostels()
   :noindex:

.. autoclass:: waeup.kofa.hostels.permissions.ManageHostels()
   :noindex:

.. autoclass:: waeup.kofa.hostels.permissions.ExportAccommodationData()
   :noindex:

Applicants Section Permissions
------------------------------

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.CreateStudents()
   :noindex:

Students Section Permissions
----------------------------

.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.PayStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewTranscript()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.DownloadTranscript()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ProcessTranscript()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.SignTranscript()
   :noindex:

Global Roles
============

Global or site roles are assigned portal-wide. In contrast to local
roles, users hold a global role in every context.

Many global roles bundle only one or two permissions. The objective
behind this is to share responsibilities and distribute tasks.

Global roles are assigned via the user manage form page.

Global General Roles
--------------------

.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.AcademicsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DataCenterManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ACManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UsersManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.WorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.BursaryOfficer()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsManager()
   :noindex:
In contrast to these specialized sets of permissions, there are two
sets which delegate extensive powers to portal managers.

.. autoclass:: waeup.kofa.permissions.PortalManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CCOfficer()
   :noindex:

Global Accommodation Section Roles
----------------------------------

.. autoclass:: waeup.kofa.hostels.permissions.AccommodationOfficer()
   :noindex:

.. autoclass:: waeup.kofa.hostels.permissions.AccommodationViewer()
   :noindex:

Global Applicants Section Roles
-------------------------------

Global Applicants Section Roles are assigned portal-wide (globally)
but actually only allocate permissions in the applicants section.

.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.StudentsCreator()
   :noindex:

Global Students Section Roles
-----------------------------

Global Students Section Roles are assigned portal-wide (globally) but
actually only allocate permissions in the students section.

.. autoclass:: waeup.kofa.students.permissions.StudentRole()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.TranscriptOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.TranscriptSignee()
   :noindex:

.. _local_roles:

Local Roles and Dynamic Role Assignment
=======================================

In contrast to global roles, which are assigned portal-wide, local
role permissions are gained only for a specific context.

Some local roles serve a second purpose. At first glance it appears
strange that some of these 'odd' roles do not give more permissions
than the user already has due to other roles. Their real purpose is to
delegate permissions to the students or applicants section. If a user
has, for example, the LocalStudentsManager role described below at
department level, s/he automatically gets the StudentsManager role for
those students studying in this department. We call this a **dynamic
role**. In contrast to static global or local roles, dynamic roles are
not stored in the database; they are assigned dynamically.
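
The following Python model is an added illustration, not Kofa's own code, of two points made on this page: a view is usable only with exactly its permission (which only roles bundle, so 'manage' never implies 'view'), and a LocalStudentsManager local role held on a department yields the StudentsManager dynamic role for that department's students without being stored. The role bundles, the department ids and the ``Student``/``User`` classes are constructed for the example.

```python
# Illustrative model of the checks described on this page; added example
# code, not Kofa's implementation. Role bundles are constructed samples.
from dataclasses import dataclass, field

# Only roles "include" permissions; a permission never implies another.
ROLES = {
    "StudentsOfficer": {"ViewStudent", "ViewStudentsContainer"},
    "StudentsManager": {"ViewStudent", "ManageStudent", "ViewStudentsContainer"},
    "LocalStudentsManager": {"ViewAcademics"},   # the 'odd' local role
}
# Local roles held on a department that yield a dynamic role in the
# students section for students of that department.
DYNAMIC_ROLES = {"LocalStudentsManager": "StudentsManager"}


@dataclass
class Student:
    department: str   # constructed context id, e.g. "dept-cs"


@dataclass
class User:
    global_roles: set = field(default_factory=set)
    # local roles keyed by context id; the dynamic roles they imply are
    # never stored here, they are computed per request
    local_roles: dict = field(default_factory=dict)


def effective_roles(user, student=None):
    """Static global and local roles plus dynamic roles derived from the
    local roles the user holds on the given student's department."""
    roles = set(user.global_roles)
    for context, held in user.local_roles.items():
        roles |= held
        if student is not None and context == student.department:
            roles |= {DYNAMIC_ROLES[r] for r in held if r in DYNAMIC_ROLES}
    return roles


def permissions(user, student=None):
    """Flatten the effective roles into the set of permission names."""
    return set().union(*(ROLES[r] for r in effective_roles(user, student)))


def can_use_view(user, required, student=None):
    """A view is usable only if the user holds exactly its permission."""
    return required in permissions(user, student)
```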

Local roles are assigned either automatically by the system during
user object setup or manually through the web interface. The
automatically assigned local roles are:

.. autoclass:: waeup.kofa.permissions.Owner()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
   :noindex:

All other local roles must be assigned manually via context manage form pages.

.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Lecturer()
   :noindex:

The following local roles also delegate permissions to the students
section. In other words, dynamic roles are assigned.

.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalReportsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalTranscriptOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalTranscriptSignee()
   :noindex: