source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 12858

Last change on this file since 12858 was 12850, checked in by uli, 10 years ago

Fix typo and remove description of already removed class.
File size: 8.3 KB
Line 
1.. _security_policy:
2
3Security
4********
5
6Kofa has a very efficient security machinery. The machinery does not
7perform authorization checks on the content objects themselves stored
8in the database but restricts the usage of views, i.e. web pages and
9forms which are needed to view or edit data. Views are protected by
10permissions the user must have to use the view. Instead of assigning
11permissions seperately to users, permissions are bundled into sets of
12permissions, so-called roles which can be assigned to users through
13the web interface.
14
15It is important to note that permissions do not include other
16permissions. Only roles 'include' permissions. A 'manage' permission,
17for example, does not automatically enable users to open pages which
18merely display the data. These pages have their own 'view'
19permission. Another example is the ManagePortal permission described
20below. The name of the permission may lead to believe that users can
21do everything with this permssions. This is not true. It does only
22give access to certain pages which are dedicated to portal managers
23and must not be accessed by any other user.
24
25.. contents::
26
27Permissions
28===========
29
30The whole set of permission and role classes are described in the
31:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
32we describe only a subset of permission classes which are essential
33for the security settings configuration.
34
35General Permissions
36-------------------
37
38.. autoclass:: waeup.kofa.permissions.Public()
39   :noindex:
40
41.. autoclass:: waeup.kofa.permissions.Anonymous()
42   :noindex:
43
44.. autoclass:: waeup.kofa.permissions.Authenticated()
45   :noindex:
46
47.. autoclass:: waeup.kofa.permissions.ManageUsers()
48   :noindex:
49
50.. autoclass:: waeup.kofa.permissions.EditUser()
51   :noindex:
52
53.. autoclass:: waeup.kofa.permissions.ManagePortal()
54   :noindex:
55
56.. autoclass:: waeup.kofa.permissions.ViewAcademics()
57   :noindex:
58
59.. autoclass:: waeup.kofa.permissions.ManageAcademics()
60   :noindex:
61
62.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
63   :noindex:
64
65.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
66   :noindex:
67
68.. autoclass:: waeup.kofa.permissions.ExportData()
69   :noindex:
70
71.. autoclass:: waeup.kofa.permissions.ImportData()
72   :noindex:
73
74.. autoclass:: waeup.kofa.permissions.TriggerTransition()
75   :noindex:
76
77.. autoclass:: waeup.kofa.permissions.ShowStudents()
78   :noindex:
79
80.. autoclass:: waeup.kofa.reports.ManageReports()
81   :noindex:
82
83Application Section Permissions
84-------------------------------
85
86.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
87   :noindex:
88
89.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
90   :noindex:
91
92.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
93   :noindex:
94
95.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
96   :noindex:
97
98.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
99   :noindex:
100
101Student Section Permissions
102---------------------------
103
104.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
105   :noindex:
106
107.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
108   :noindex:
109
110.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
111   :noindex:
112
113.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
114   :noindex:
115
116.. autoclass:: waeup.kofa.students.permissions.PayStudent()
117   :noindex:
118
119.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
120   :noindex:
121
122.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
123   :noindex:
124
125.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
126   :noindex:
127
128.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
129   :noindex:
130
131.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
132   :noindex:
133
134.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
135   :noindex:
136
137.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
138   :noindex:
139
140Global Roles
141============
142
143Global or site roles are assigned portal-wide. In contrast to local
144roles, users have this role in every context.
145
146Many global roles do only bundle one or two permissions. The objective
147behind is to share responsibilities and distribute tasks.
148
149Global roles are being assigned via the user manage form page.
150
151Global General Roles
152--------------------
153
154.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
155   :noindex:
156
157.. autoclass:: waeup.kofa.permissions.AcademicsManager()
158   :noindex:
159
160.. autoclass:: waeup.kofa.permissions.DataCenterManager()
161   :noindex:
162
163.. autoclass:: waeup.kofa.permissions.ImportManager()
164   :noindex:
165
166.. autoclass:: waeup.kofa.permissions.ExportManager()
167   :noindex:
168
169.. autoclass:: waeup.kofa.permissions.ACManager()
170   :noindex:
171
172.. autoclass:: waeup.kofa.permissions.UsersManager()
173   :noindex:
174
175.. autoclass:: waeup.kofa.permissions.WorkflowManager()
176   :noindex:
177
178.. autoclass:: waeup.kofa.reports.ReportsManager()
179   :noindex:
180
181In contrast to these specialized sets of permissions, there are two
182sets which delegate extensive powers on portal managers.
183
184.. autoclass:: waeup.kofa.permissions.PortalManager()
185   :noindex:
186
187.. autoclass:: waeup.kofa.permissions.CCOfficer()
188   :noindex:
189
190Global Application Section Roles
191--------------------------------
192
193Global Application Section Roles are assigned portal-wide (globally)
194but do actually only allocate permissions in the Application Section.
195
196.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
197   :noindex:
198
199.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
200   :noindex:
201
202.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
203   :noindex:
204
205Global Student Section Roles
206----------------------------
207
208Global Student Section Roles are assigned portal-wide (globally) but
209do actually only allocate permissions in the Student Section.
210
211.. autoclass:: waeup.kofa.students.permissions.StudentRole()
212   :noindex:
213
214.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
215   :noindex:
216
217.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
218   :noindex:
219
220.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
221   :noindex:
222
223.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
224   :noindex:
225
226.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
227   :noindex:
228
229Local Roles and Dynamic Role Assignment
230=======================================
231
232In contrast to global roles, which are assigned portal-wide, local
233role permissions are gained for a specific context.
234
235Some local roles serve a second purpose. At first glance it appears
236strange that some of these 'odd' roles do not give more permissions
237than the user already has due to other roles. Their real purpose is to
238delegate permissions to the students or application section. If a user
239has for example the LocalStudentsManager role described below at
240department level, s/he automatically gets the StudentsManager role for
241those students studying in this department. We call this a **dynamic
242role**. In contrast to static global or local roles, dynamic roles are
243not stored in the database, they are dynamically assigned.
244
245Local roles are assigned either automatically by the system during
246user object setup or manually through the web interface. The
247automatically assigned local roles are:
248
249.. autoclass:: waeup.kofa.permissions.Owner()
250   :noindex:
251
252.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
253   :noindex:
254
255.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
256   :noindex:
257
258All other local roles must be assigned manually via context manage form pages.
259
260.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
261   :noindex:
262
263.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
264   :noindex:
265
266.. autoclass:: waeup.kofa.permissions.DepartmentManager()
267   :noindex:
268
269.. autoclass:: waeup.kofa.permissions.Lecturer()
270   :noindex:
271
272The following local roles do also delegate permissions to the student
273section. In other words, dynamic roles are assigned.
274
275.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
276   :noindex:
277
278.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
279   :noindex:
280
281.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
282   :noindex:
283
284.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
285   :noindex:
286
287.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
288   :noindex:
289
290.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
291   :noindex:
Note: See TracBrowser for help on using the repository browser.