source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 14891

Last change on this file since 14891 was 14885, checked in by Henrik Bettermann, 7 years ago

Remove duplicate line.

File size: 8.4 KB
Line 
1.. _security_policy:
2
3Security
4********
5
6.. seealso::
7
8   :ref:`Security Doctests <security_txt>`
9
10Kofa has a very efficient security machinery. The machinery does not
11perform authorization checks on the content objects themselves stored
12in the database, but, restricts the usage of views, i.e. web pages and
13forms which are needed to view or edit data. Views are protected by
14permissions the user must have to use the view. Instead of assigning
15permissions seperately to users, permissions are bundled into sets of
16permissions, so-called roles which can be assigned to users through
17the web interface.
18
19It is important to note that permissions do not include other
20permissions. Only roles 'include' permissions. A 'manage' permission,
21for example, does not automatically enable users to open pages which
22merely display the data. These pages have their own 'view'
23permission. Another example is the ManagePortal permission described
24below. The name of the permission may lead to believe that users can
25do everything with this permissions. This is not true. It does only
26give access to certain pages which are dedicated to portal managers
27and must not be accessed by any other user.
28
29.. contents:: Table of Contents
30   :local:
31
32Permissions
33===========
34
35The whole set of permission and role classes are described in the
36:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
37we describe only a subset of permission classes which are essential
38for the security settings configuration.
39
40General Permissions
41-------------------
42
43.. autoclass:: waeup.kofa.permissions.Public()
44   :noindex:
45
46.. autoclass:: waeup.kofa.permissions.Anonymous()
47   :noindex:
48
49.. autoclass:: waeup.kofa.permissions.Authenticated()
50   :noindex:
51
52.. autoclass:: waeup.kofa.permissions.ManageUsers()
53   :noindex:
54
55.. autoclass:: waeup.kofa.permissions.EditUser()
56   :noindex:
57
58.. autoclass:: waeup.kofa.permissions.ManagePortal()
59   :noindex:
60
61.. autoclass:: waeup.kofa.permissions.ViewAcademics()
62   :noindex:
63
64.. autoclass:: waeup.kofa.permissions.ManageAcademics()
65   :noindex:
66
67.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
68   :noindex:
69
70.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
71   :noindex:
72
73.. autoclass:: waeup.kofa.permissions.ExportData()
74   :noindex:
75
76.. autoclass:: waeup.kofa.permissions.ImportData()
77   :noindex:
78
79.. autoclass:: waeup.kofa.permissions.TriggerTransition()
80   :noindex:
81
82.. autoclass:: waeup.kofa.permissions.ShowStudents()
83   :noindex:
84
85.. autoclass:: waeup.kofa.reports.HandleReports()
86   :noindex:
87
88.. autoclass:: waeup.kofa.reports.ManageReports()
89   :noindex:
90
91Applicants Section Permissions
92------------------------------
93
94.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
95   :noindex:
96
97.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
98   :noindex:
99
100.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
101   :noindex:
102
103.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
104   :noindex:
105
106.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
107   :noindex:
108
109Students Section Permissions
110----------------------------
111
112.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
113   :noindex:
114
115.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
116   :noindex:
117
118.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
119   :noindex:
120
121.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
122   :noindex:
123
124.. autoclass:: waeup.kofa.students.permissions.PayStudent()
125   :noindex:
126
127.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
128   :noindex:
129
130.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
131   :noindex:
132
133.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
134   :noindex:
135
136.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
137   :noindex:
138
139.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
140   :noindex:
141
142.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
143   :noindex:
144
145Global Roles
146============
147
148Global or site roles are assigned portal-wide. In contrast to local
149roles, users have this role in every context.
150
151Many global roles do only bundle one or two permissions. The objective
152behind is to share responsibilities and distribute tasks.
153
154Global roles are being assigned via the user manage form page.
155
156Global General Roles
157--------------------
158
159.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
160   :noindex:
161
162.. autoclass:: waeup.kofa.permissions.AcademicsManager()
163   :noindex:
164
165.. autoclass:: waeup.kofa.permissions.DataCenterManager()
166   :noindex:
167
168.. autoclass:: waeup.kofa.permissions.ImportManager()
169   :noindex:
170
171.. autoclass:: waeup.kofa.permissions.ExportManager()
172   :noindex:
173
174.. autoclass:: waeup.kofa.permissions.ACManager()
175   :noindex:
176
177.. autoclass:: waeup.kofa.permissions.UsersManager()
178   :noindex:
179
180.. autoclass:: waeup.kofa.permissions.WorkflowManager()
181   :noindex:
182
183.. autoclass:: waeup.kofa.reports.ReportsOfficer()
184   :noindex:
185
186.. autoclass:: waeup.kofa.reports.ReportsManager()
187   :noindex:
188
189In contrast to these specialized sets of permissions, there are two
190sets which delegate extensive powers on portal managers.
191
192.. autoclass:: waeup.kofa.permissions.PortalManager()
193   :noindex:
194
195.. autoclass:: waeup.kofa.permissions.CCOfficer()
196   :noindex:
197
198Global Applicants Section Roles
199-------------------------------
200
201Global Applicants Section Roles are assigned portal-wide (globally)
202but do actually only allocate permissions in the applicants section.
203
204.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
205   :noindex:
206
207.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
208   :noindex:
209
210.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
211   :noindex:
212
213Global Students Section Roles
214-----------------------------
215
216Global Students Section Roles are assigned portal-wide (globally) but
217do actually only allocate permissions in the students section.
218
219.. autoclass:: waeup.kofa.students.permissions.StudentRole()
220   :noindex:
221
222.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
223   :noindex:
224
225.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
226   :noindex:
227
228.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
229   :noindex:
230
231.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
232   :noindex:
233
234.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
235   :noindex:
236
237.. _local_roles:
238
239Local Roles and Dynamic Role Assignment
240=======================================
241
242In contrast to global roles, which are assigned portal-wide, local
243role permissions are gained for a specific context.
244
245Some local roles serve a second purpose. At first glance it appears
246strange that some of these 'odd' roles do not give more permissions
247than the user already has due to other roles. Their real purpose is to
248delegate permissions to the students or applicants section. If a user
249has for example the LocalStudentsManager role described below at
250department level, s/he automatically gets the StudentsManager role for
251those students studying in this department. We call this a **dynamic
252role**. In contrast to static global or local roles, dynamic roles are
253not stored in the database, they are dynamically assigned.
254
255Local roles are assigned either automatically by the system during
256user object setup or manually through the web interface. The
257automatically assigned local roles are:
258
259.. autoclass:: waeup.kofa.permissions.Owner()
260   :noindex:
261
262.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
263   :noindex:
264
265.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
266   :noindex:
267
268All other local roles must be assigned manually via context manage form pages.
269
270.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
271   :noindex:
272
273.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
274   :noindex:
275
276.. autoclass:: waeup.kofa.permissions.DepartmentManager()
277   :noindex:
278
279.. autoclass:: waeup.kofa.permissions.Lecturer()
280   :noindex:
281
282The following local roles do also delegate permissions to the student
283section. In other words, dynamic roles are assigned.
284
285.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
286   :noindex:
287
288.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
289   :noindex:
290
291.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
292   :noindex:
293
294.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
295   :noindex:
296
297.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
298   :noindex:
299
300.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
301   :noindex:
Note: See TracBrowser for help on using the repository browser.