source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 12916

Last change on this file since 12916 was 12906, checked in by Henrik Bettermann, 10 years ago

Backup docs work done so far.

.. _security_policy:

Security
********

Kofa has a very efficient security machinery. It does not perform
authorization checks on the content objects stored in the database
themselves; instead it restricts the use of views, i.e. the web pages
and forms needed to view or edit data. Each view is protected by a
permission the user must hold to use it. Instead of assigning
permissions to users one by one, permissions are bundled into sets,
so-called roles, which can be assigned to users through the web
interface.

It is important to note that permissions do not include other
permissions; only roles 'include' permissions. A 'manage' permission,
for example, does not automatically enable users to open the pages
which merely display the data; these pages have their own 'view'
permission. Another example is the ManagePortal permission described
below. Its name may lead one to believe that users holding this
permission can do everything. This is not true: it only gives access
to certain pages which are dedicated to portal managers and must not
be accessed by any other user.

.. contents:: Table of Contents
   :local:

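The scheme described above, as an added plain-Python model (this is not code from waeup.kofa): roles are sets of permissions, every view declares the one permission that protects it, and a permission never implies another one. The permission names are the documented class names; the role names prefixed ``Demo``, their bundles and the view names are constructed for illustration only.

```python
# Added example: a plain-Python model of Kofa's view-level authorization
# scheme. It is NOT code from waeup.kofa. Permission names are the
# documented class names; the "Demo" role names, their bundles and the
# view names are constructed for illustration.

# Roles bundle permissions; a permission never implies another one.
ROLE_PERMISSIONS = {
    # Holds only ManagePortal: enough for portal-manager pages, nothing else.
    "DemoPortalPagesOnly": {"ManagePortal"},
    # Holds only the 'manage' permission for academics, not the 'view' one.
    "DemoAcademicsManageOnly": {"ManageAcademics"},
    # Holds only the 'view' permission for academics.
    "DemoAcademicsViewOnly": {"ViewAcademics"},
}

# Every view (page or form) declares the single permission that protects it.
VIEW_PERMISSION = {
    "portal_manage_page": "ManagePortal",
    "faculties_index_page": "ViewAcademics",
    "faculties_manage_form": "ManageAcademics",
}


def permissions_of(roles):
    """Union of the permissions bundled in ``roles`` (a set of role names)."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def can_use(roles, view):
    """True if a user holding ``roles`` may use ``view``.

    The check is made on the view, not on a content object. A view that
    declares no permission is denied outright (fail closed): in Kofa's
    scheme every view is protected by a permission.
    """
    required = VIEW_PERMISSION.get(view)
    return required is not None and required in permissions_of(roles)


def reachable_views(roles):
    """Sorted list of the views a user holding ``roles`` may use.

    Useful when reviewing a role assignment: it shows exactly which pages
    a role set opens, instead of guessing from the role's name.
    """
    return sorted(view for view in VIEW_PERMISSION if can_use(roles, view))


if __name__ == "__main__":
    for roles in ({"DemoPortalPagesOnly"},
                  {"DemoAcademicsManageOnly"},
                  {"DemoAcademicsManageOnly", "DemoAcademicsViewOnly"}):
        print(sorted(roles), "->", reachable_views(roles))
```

Running it shows the two points made in the text: the role holding only ManagePortal reaches the portal-manager page and nothing else, and the role holding only ManageAcademics can open the manage form but not the index page until a role bundling ViewAcademics is added.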
Permissions
===========

The whole set of permission and role classes is described in the
:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
we describe only the subset of permission classes which is essential
for configuring the security settings.

General Permissions
-------------------

.. autoclass:: waeup.kofa.permissions.Public()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Anonymous()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Authenticated()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageUsers()
   :noindex:

.. autoclass:: waeup.kofa.permissions.EditUser()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortal()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ViewAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageAcademics()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportData()
   :noindex:

.. autoclass:: waeup.kofa.permissions.TriggerTransition()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ShowStudents()
   :noindex:

.. autoclass:: waeup.kofa.reports.HandleReports()
   :noindex:

.. autoclass:: waeup.kofa.reports.ManageReports()
   :noindex:

Application Section Permissions
-------------------------------

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
   :noindex:

Student Section Permissions
---------------------------

.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.PayStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
   :noindex:

Global Roles
============

Global or site roles are assigned portal-wide. In contrast to local
roles, users hold these roles in every context.

Many global roles bundle only one or two permissions. The objective
behind this is to share responsibilities and distribute tasks.

Global roles are assigned via the user manage form page.

Global General Roles
--------------------

.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.AcademicsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DataCenterManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ImportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ExportManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.ACManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UsersManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.WorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.reports.ReportsManager()
   :noindex:

In contrast to these specialized sets of permissions, there are two
sets which confer extensive powers on portal managers.

.. autoclass:: waeup.kofa.permissions.PortalManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CCOfficer()
   :noindex:

Global Application Section Roles
--------------------------------

Global Application Section Roles are assigned portal-wide (globally)
but actually only grant permissions in the Application Section.

.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
   :noindex:

Global Student Section Roles
----------------------------

Global Student Section Roles are assigned portal-wide (globally) but
actually only grant permissions in the Student Section.

.. autoclass:: waeup.kofa.students.permissions.StudentRole()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
   :noindex:

.. _local_roles:

Local Roles and Dynamic Role Assignment
=======================================

In contrast to global roles, which are assigned portal-wide, the
permissions of a local role are gained only in a specific context.

Some local roles serve a second purpose. At first glance it appears
strange that some of these 'odd' roles do not give the user more
permissions than s/he already has due to other roles. Their real
purpose is to delegate permissions to the students or application
section. If a user has, for example, the LocalStudentsManager role
described below at department level, s/he automatically gets the
StudentsManager role for those students studying in this department.
We call this a **dynamic role**. In contrast to static global or local
roles, dynamic roles are not stored in the database; they are assigned
dynamically.
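The delegation described above, as an added plain-Python model (this is not code from waeup.kofa): a local role stored on a department yields a dynamic role on that department's students, computed on every lookup rather than read from a store. The role names are the documented ones and the LocalStudentsManager to StudentsManager pair is the one stated in the text; the user names, department ids, student records, and the assumption that CourseAdviser100 delegates StudentsCourseAdviser only for level-100 students, are constructed for illustration.

```python
# Added example: a plain-Python model of how a local role held on a
# department yields a dynamic role on that department's students. It is
# NOT code from waeup.kofa. Role names are the documented ones; the user
# names, department ids, student records and the level-100 restriction
# on CourseAdviser100 are constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Student:
    student_id: str
    department: str   # id of the department the student studies in
    level: int        # current study level, e.g. 100


# Static role assignments, as they would be stored in the database.
GLOBAL_ROLES = {                       # user -> global roles (hold in every context)
    "alice": {"StudentsOfficer"},
}
LOCAL_ROLES = {                        # context -> user -> local roles
    "dept/MATH": {"bob": {"LocalStudentsManager", "CourseAdviser100"}},
    "dept/PHYS": {"carol": {"DepartmentOfficer"}},
}

# Local role at department level -> (dynamic role, applies-to-student test).
# LocalStudentsManager -> StudentsManager is the pair stated in the text;
# the CourseAdviser100 entry and its level-100 test are an assumption.
DYNAMIC_FROM_LOCAL = {
    "LocalStudentsManager": ("StudentsManager", lambda student: True),
    "CourseAdviser100": ("StudentsCourseAdviser", lambda student: student.level == 100),
}


def effective_roles(user, student):
    """Roles ``user`` holds in the context of ``student``.

    Global roles apply everywhere. Dynamic roles are not read from any
    store: they are derived on each call from the local roles the user
    holds on the student's department, so changing the student's
    department or the department's local roles changes the result at once.
    """
    roles = set(GLOBAL_ROLES.get(user, set()))
    dept_local = LOCAL_ROLES.get("dept/" + student.department, {}).get(user, set())
    for local_role in dept_local:
        mapping = DYNAMIC_FROM_LOCAL.get(local_role)
        if mapping is None:
            # Modelled as a plain local role without delegation, e.g.
            # DepartmentOfficer, which the text lists outside the
            # delegating group.
            continue
        dynamic_role, applies = mapping
        if applies(student):
            roles.add(dynamic_role)
    return roles


# Constructed sample students.
MATH_100 = Student("S001", "MATH", 100)
MATH_200 = Student("S002", "MATH", 200)
PHYS_200 = Student("S003", "PHYS", 200)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for student in (MATH_100, MATH_200, PHYS_200):
            print(user, student.student_id, sorted(effective_roles(user, student)))
```

The point to take from the output is the scoping: bob's LocalStudentsManager role on the MATH department makes him a StudentsManager for MATH students only, he holds no role at all on a PHYS student, and alice's global StudentsOfficer role follows her into every student's context.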

Local roles are assigned either automatically by the system during
user object setup or manually through the web interface. The
automatically assigned local roles are:

.. autoclass:: waeup.kofa.permissions.Owner()
   :noindex:

.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
   :noindex:

.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
   :noindex:

All other local roles must be assigned manually via context manage form pages.

.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.DepartmentManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.Lecturer()
   :noindex:

The following local roles also delegate permissions to the student
section; in other words, dynamic roles are assigned.

.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
   :noindex:

.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
   :noindex:

.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
   :noindex: