source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 12870

Last change on this file since 12870 was 12863, checked in by Henrik Bettermann, 10 years ago

Build subsections. Reorganize content. Rename user documentation and developer documentation.

.. _security_policy:

Security
********

Kofa has a very efficient security machinery. The machinery does not
perform authorization checks on the content objects themselves stored
in the database but restricts the usage of views, i.e. the web pages
and forms which are needed to view or edit data. Views are protected
by permissions the user must have to use the view. Instead of
assigning permissions separately to users, permissions are bundled
into sets of permissions, so-called roles, which can be assigned to
users through the web interface.

It is important to note that permissions do not include other
permissions. Only roles 'include' permissions. A 'manage' permission,
for example, does not automatically enable users to open pages which
merely display the data. These pages have their own 'view'
permission. Another example is the ManagePortal permission described
below. The name of the permission may lead one to believe that users
can do everything with this permission. This is not true. It only
gives access to certain pages which are dedicated to portal managers
and must not be accessed by any other user.

.. contents:: Table of Contents
   :local:

Permissions
===========

The whole set of permission and role classes is described in the
:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
we describe only the subset of permission classes which is essential
for configuring the security settings.

General Permissions
-------------------

.. autoclass:: waeup.kofa.permissions.Public()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Anonymous()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Authenticated()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageUsers()
   :noindex:

.. autoclass:: waeup.kofa.permissions.EditUser()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortal()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ViewAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.TriggerTransition()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ShowStudents()
   :noindex:

.. autoclass:: waeup.kofa.reports.ManageReports()
   :noindex:

Application Section Permissions
-------------------------------

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
   :noindex:

Student Section Permissions
---------------------------

.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.PayStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
   :noindex:

Global Roles
============

Global or site roles are assigned portal-wide. In contrast to local
roles, users have a global role in every context.

Many global roles bundle only one or two permissions. The objective
behind this is to share responsibilities and distribute tasks.

Global roles are assigned via the user manage form page.

Global General Roles
--------------------

.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.AcademicsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DataCenterManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ACManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UsersManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.WorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsManager()
   :noindex:

In contrast to these specialized sets of permissions, there are two
sets which confer extensive powers on portal managers.

.. autoclass:: waeup.kofa.permissions.PortalManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CCOfficer()
   :noindex:

Global Application Section Roles
--------------------------------

Global Application Section Roles are assigned portal-wide (globally)
but actually only grant permissions in the Application Section.

.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
   :noindex:

Global Student Section Roles
----------------------------

Global Student Section Roles are assigned portal-wide (globally) but
actually only grant permissions in the Student Section.

.. autoclass:: waeup.kofa.students.permissions.StudentRole()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
   :noindex:

Local Roles and Dynamic Role Assignment
=======================================

In contrast to global roles, which are assigned portal-wide, local
role permissions are gained only in a specific context.

Some local roles serve a second purpose. At first glance it appears
strange that some of these 'odd' roles do not give more permissions
than the user already has due to other roles. Their real purpose is to
delegate permissions to the student or application section. If a user
has, for example, the LocalStudentsManager role described below at
department level, s/he automatically gets the StudentsManager role for
those students studying in this department. We call this a **dynamic
role**. In contrast to static global or local roles, dynamic roles are
not stored in the database; they are assigned dynamically.
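The three ideas this page builds on (a view is guarded by exactly one permission and no permission implies another; roles are the only thing that bundle permissions, globally or on a context; a local role on a department can turn into a dynamic student-section role) are easier to see in a small model. The following is an added example and not code from waeup.kofa: the role and class names mirror the ones documented on this page, but the permission ids, the permission bundles in ``ROLES``, the ``DYNAMIC_ROLES`` mapping, the ``User``/``Student`` records and every function are assumptions made for this illustration.

```python
"""Toy model of Kofa's security scheme: views guarded by single permissions,
roles as permission bundles, global vs. local roles, and dynamic roles.

Added illustration, not waeup.kofa code. Role and class names mirror the ones
in the documentation; permission ids, the bundles in ROLES, the DYNAMIC_ROLES
mapping and all functions are assumptions for this example only."""
from dataclasses import dataclass, field

# Role -> set of permission ids. Permissions are atomic: no permission
# implies another; only a role can bundle several. (Assumed bundles.)
ROLES = {
    # global roles
    "StudentsOfficer": {"waeup.viewStudent"},
    "StudentsManager": {"waeup.viewStudent", "waeup.manageStudent"},
    "WorkflowManager": {"waeup.triggerTransition"},
    # local roles, granted on a context such as a department
    "DepartmentOfficer": {"waeup.viewAcademics"},
    "LocalStudentsManager": {"waeup.viewAcademics"},
}

# A local role held on a department delegates a student-section role for
# the students of that department (the page's "dynamic role"). Assumed.
DYNAMIC_ROLES = {"LocalStudentsManager": "StudentsManager"}


@dataclass
class Student:
    student_id: str
    department: str          # department code, used as the local-role context


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    # static local roles, stored per context: {department_code: {role, ...}}
    local_roles: dict = field(default_factory=dict)


def static_roles(user, context=None):
    """Global roles apply everywhere; local roles only on their own context."""
    roles = set(user.global_roles)
    if context is not None:
        roles |= set(user.local_roles.get(context, ()))
    return roles


def dynamic_roles(user, student):
    """Computed on the fly and never stored: a LocalStudentsManager on the
    student's department becomes a StudentsManager for that student only."""
    derived = set()
    for local_role in user.local_roles.get(student.department, ()):
        if local_role in DYNAMIC_ROLES:
            derived.add(DYNAMIC_ROLES[local_role])
    return derived


def permissions_on(user, student):
    """All permissions the user holds on a given student record."""
    roles = set(user.global_roles) | dynamic_roles(user, student)
    perms = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def can_use_view(user, student, required_permission):
    """The guard a protected view performs: the view asks for exactly one
    permission, and nothing but that permission satisfies it."""
    return required_permission in permissions_on(user, student)


if __name__ == "__main__":
    # constructed sample data
    alice = Student("A100", department="DEP-A")
    bob = Student("B200", department="DEP-B")
    wf_officer = User("wf", global_roles={"WorkflowManager"})
    dept_manager = User("dm", local_roles={"DEP-A": {"LocalStudentsManager"}})

    # holding one view's permission does not unlock a different view
    print(can_use_view(wf_officer, alice, "waeup.triggerTransition"))  # True
    print(can_use_view(wf_officer, alice, "waeup.viewStudent"))        # False
    # dynamic role: StudentsManager for DEP-A students only
    print(dynamic_roles(dept_manager, alice))   # {'StudentsManager'}
    print(dynamic_roles(dept_manager, bob))     # set()
    print(can_use_view(dept_manager, bob, "waeup.manageStudent"))       # False
```

Note that ``permissions_on`` deliberately ignores the local role's own permissions (``waeup.viewAcademics`` belongs to the department context, not to the student record); what the local role contributes on a student is only the dynamically derived role, and nothing about that derivation is persisted.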

Local roles are assigned either automatically by the system during
user object setup or manually through the web interface. The
automatically assigned local roles are:

.. autoclass:: waeup.kofa.permissions.Owner()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
   :noindex:

All other local roles must be assigned manually via context manage form pages.

.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Lecturer()
   :noindex:

The following local roles also delegate permissions to the student
section. In other words, dynamic roles are assigned.

.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
   :noindex: