.. _security_policy:

Security
********

.. seealso::

   :ref:`Security Doctests <security_txt>`

Kofa has a lean and efficient security machinery. It does not perform
authorization checks on the content objects stored in the database;
instead it restricts the use of views, i.e. the web pages and forms
needed to view or edit data. A view is protected by a permission the
user must hold in order to use it. Rather than assigning permissions
to users one by one, permissions are bundled into sets of permissions,
so-called roles, which are assigned to users through the web
interface. Because protection is attached to views and not to the
stored objects, the scheme covers exactly those pages and forms that
declare a permission: every view that exposes or changes data must
require one.

It is important to note that permissions do not include other
permissions; only roles 'include' permissions. A 'manage' permission,
for example, does not automatically enable users to open the pages
which merely display the data: these pages have their own 'view'
permission, and a user who needs both must hold both, typically via a
role that bundles them. Another example is the ManagePortal permission
described below. Its name may lead one to believe that users holding
it can do everything. This is not true: it only grants access to
certain pages which are dedicated to portal managers and must not be
accessible to any other user.

.. contents:: Table of Contents
   :local:

Permissions
===========

The whole set of permission and role classes is described in the
:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
we describe only the subset of permission classes which is essential
for configuring the security settings.

General Permissions
-------------------

.. autoclass:: waeup.kofa.permissions.Public()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Anonymous()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Authenticated()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageUsers()
   :noindex:

.. autoclass:: waeup.kofa.permissions.EditUser()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortal()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ViewAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.TriggerTransition()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ShowStudents()
   :noindex:

.. autoclass:: waeup.kofa.reports.HandleReports()
   :noindex:

.. autoclass:: waeup.kofa.reports.ManageReports()
   :noindex:

Applicant Section Permissions
-----------------------------

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
   :noindex:

Student Section Permissions
---------------------------

.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.PayStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
   :noindex:

Global Roles
============

Global or site roles are assigned portal-wide. In contrast to local
roles, a user holds a global role in every context.

Many global roles bundle only one or two permissions. The objective is
to share responsibilities and distribute tasks among several users
rather than concentrating them in one account.

Global roles are assigned via the user manage form page.

Global General Roles
--------------------

.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.AcademicsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DataCenterManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ACManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UsersManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.WorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsManager()
   :noindex:

In contrast to these specialized sets of permissions, there are two
roles which confer extensive powers on portal managers.

.. autoclass:: waeup.kofa.permissions.PortalManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CCOfficer()
   :noindex:

Global Applicant Section Roles
------------------------------

Global Applicant Section Roles are assigned portal-wide (globally) but
actually only grant permissions in the applicant section.

.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
   :noindex:

Global Student Section Roles
----------------------------

Global Student Section Roles are assigned portal-wide (globally) but
actually only grant permissions in the student section.

.. autoclass:: waeup.kofa.students.permissions.StudentRole()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
   :noindex:

.. _local_roles:

Local Roles and Dynamic Role Assignment
=======================================

In contrast to global roles, which are assigned portal-wide, local
roles grant their permissions only in a specific context.

Some local roles serve a second purpose. At first glance it appears
strange that some of these 'odd' roles do not give the user any
permissions beyond those s/he already has due to other roles. Their
real purpose is to delegate permissions to the student or applicant
section. If a user has, for example, the LocalStudentsManager role
described below at department level, s/he automatically gets the
StudentsManager role for those students studying in this
department. We call this a **dynamic role**. In contrast to static
global or local roles, dynamic roles are not stored in the database;
they are derived, whenever a check is made, from the local roles the
user holds higher up, e.g. at department level. Consequently, a review
of who may manage a given student's record must take the local roles
assigned at department level into account, not only the roles visible
on the student or in the user's global role list.

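The two rules stated above (a permission never implies another permission, only roles bundle them; a local role at department level turns into a dynamic StudentsManager role for that department's students) can be checked against a small executable model. The following block is an added example for this page, not code from waeup.kofa: the role bundles, the view names (``student_index``, ``student_manage``, ``department_index``), the ``ManageOnly`` role and the department/student objects are constructed for the demonstration, and Kofa itself implements these rules on top of the Grok/Zope security machinery rather than with the plain dictionaries used here.

```python
"""Toy model of the permission/role machinery this page describes.

Added example; not code from the waeup.kofa project. Permission and role
names follow the class names listed on this page, but the permission
bundles, view names, departments, students and users are constructed for
the demonstration and are not Kofa's real settings.
"""
from dataclasses import dataclass, field

# Permissions are atomic: holding one never implies another. Only roles
# bundle permissions. Bundles here are illustrative, not Kofa's.
ROLES = {
    "StudentsOfficer": frozenset({"ViewStudent"}),
    "StudentsManager": frozenset({"ViewStudent", "ManageStudent"}),
    "DepartmentOfficer": frozenset({"ViewAcademics"}),
    # An 'odd' local role: no permissions of its own in its context; its
    # purpose is the dynamic role it triggers in the student section.
    "LocalStudentsManager": frozenset(),
    # Constructed role with only a 'manage' permission, to show that a
    # manage permission does not cover the matching display page.
    "ManageOnly": frozenset({"ManageStudent"}),
}

# Each view (page or form) is protected by exactly one permission.
VIEWS = {
    "student_index": "ViewStudent",
    "student_manage": "ManageStudent",
    "department_index": "ViewAcademics",
}

# Local role held on a department -> dynamic role gained for that
# department's students (the page's LocalStudentsManager example).
DYNAMIC_ROLES = {"LocalStudentsManager": "StudentsManager"}


@dataclass(eq=False)  # eq=False keeps identity hashing: objects usable as dict keys
class Department:
    code: str


@dataclass(eq=False)
class Student:
    student_id: str
    department: Department


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    local_roles: dict = field(default_factory=dict)  # context -> stored roles


def effective_roles(user, context):
    """Global roles + local roles stored on `context` + dynamic roles.

    Dynamic roles are never stored: for a Student context they are derived
    from the local roles the user holds on the student's department.
    """
    roles = set(user.global_roles) | user.local_roles.get(context, set())
    if isinstance(context, Student):
        for local_role in user.local_roles.get(context.department, set()):
            if local_role in DYNAMIC_ROLES:
                roles.add(DYNAMIC_ROLES[local_role])
    return roles


def effective_permissions(user, context):
    return set().union(*(ROLES[r] for r in effective_roles(user, context)))


def can_use_view(user, view, context):
    """The check is on the view, not on the stored object: a plain
    membership test of the view's permission in the user's permissions."""
    return VIEWS[view] in effective_permissions(user, context)


def demo():
    """Evaluate the page's claims against the model; every value should be True."""
    cs, maths = Department("CS"), Department("MATH")
    cs_student, maths_student = Student("CS001", cs), Student("MA001", maths)
    officer = User("officer", global_roles={"StudentsOfficer"})
    manage_only = User("manage_only", global_roles={"ManageOnly"})
    hod = User("hod", local_roles={cs: {"LocalStudentsManager", "DepartmentOfficer"}})
    return {
        # A global role applies in every context.
        "officer_views_any_student": can_use_view(officer, "student_index", cs_student)
        and can_use_view(officer, "student_index", maths_student),
        "officer_cannot_manage": not can_use_view(officer, "student_manage", cs_student),
        # A manage permission does not include the view permission.
        "manage_only_cannot_view": not can_use_view(manage_only, "student_index", cs_student),
        # A local role counts only in its own context.
        "hod_views_own_department": can_use_view(hod, "department_index", cs),
        "hod_not_other_department": not can_use_view(hod, "department_index", maths),
        # Dynamic role: LocalStudentsManager on CS -> StudentsManager for CS students only.
        "hod_manages_cs_student": can_use_view(hod, "student_manage", cs_student),
        "hod_not_maths_student": not can_use_view(hod, "student_manage", maths_student),
        # The dynamic role is derived, never stored on the student.
        "dynamic_role_not_stored": cs_student not in hod.local_roles,
    }


if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {'ok' if holds else 'FAIL'}")
```

Running the block prints one line per claim; ``demo()`` returns the same results as a dictionary so they can be asserted in a test. The part worth attention is ``effective_roles``: the dynamic role is never written to ``hod.local_roles``, so an audit that only reads the stored role assignments on the student object would miss the fact that the head of department can manage that record.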
Local roles are assigned either automatically by the system during
user object setup or manually through the web interface. The
automatically assigned local roles are:

.. autoclass:: waeup.kofa.permissions.Owner()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
   :noindex:

All other local roles must be assigned manually via context manage form pages.

.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Lecturer()
   :noindex:

The following local roles also delegate permissions to the student
section; in other words, they trigger dynamic role assignment.

.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
   :noindex: