source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 13055

Last change on this file since 13055 was 13045, checked in by Henrik Bettermann, 9 years ago

More docs.
File size: 8.5 KB
Line 
1.. _security_policy:
2
3Security
4********
5
6.. seealso::
7
8   :ref:`Security Doctests <security_txt>`
9
10Kofa has a very efficient security machinery. The machinery does not
11perform authorization checks on the content objects themselves stored
12in the database, but, restricts the usage of views, i.e. web pages and
13forms which are needed to view or edit data. Views are protected by
14permissions the user must have to use the view. Instead of assigning
15permissions seperately to users, permissions are bundled into sets of
16permissions, so-called roles which can be assigned to users through
17the web interface.
18
19It is important to note that permissions do not include other
20permissions. Only roles 'include' permissions. A 'manage' permission,
21for example, does not automatically enable users to open pages which
22merely display the data. These pages have their own 'view'
23permission. Another example is the ManagePortal permission described
24below. The name of the permission may lead to believe that users can
25do everything with this permissions. This is not true. It does only
26give access to certain pages which are dedicated to portal managers
27and must not be accessed by any other user.
28
29.. contents:: Table of Contents
30   :local:
31
32Permissions
33===========
34
35The whole set of permission and role classes are described in the
36:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
37we describe only a subset of permission classes which are essential
38for the security settings configuration.
39
40General Permissions
41-------------------
42
43.. autoclass:: waeup.kofa.permissions.Public()
44   :noindex:
45
46.. autoclass:: waeup.kofa.permissions.Anonymous()
47   :noindex:
48
49.. autoclass:: waeup.kofa.permissions.Authenticated()
50   :noindex:
51
52.. autoclass:: waeup.kofa.permissions.ManageUsers()
53   :noindex:
54
55.. autoclass:: waeup.kofa.permissions.EditUser()
56   :noindex:
57
58.. autoclass:: waeup.kofa.permissions.ManagePortal()
59   :noindex:
60
61.. autoclass:: waeup.kofa.permissions.ViewAcademics()
62   :noindex:
63
64.. autoclass:: waeup.kofa.permissions.ManageAcademics()
65   :noindex:
66
67.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
68   :noindex:
69
70.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
71   :noindex:
72
73.. autoclass:: waeup.kofa.permissions.ExportData()
74   :noindex:
75
76.. autoclass:: waeup.kofa.permissions.ImportData()
77   :noindex:
78
79.. autoclass:: waeup.kofa.permissions.TriggerTransition()
80   :noindex:
81
82.. autoclass:: waeup.kofa.permissions.ShowStudents()
83   :noindex:
84
85.. autoclass:: waeup.kofa.reports.HandleReports()
86   :noindex:
87
88.. autoclass:: waeup.kofa.reports.ManageReports()
89   :noindex:
90
91Application Section Permissions
92-------------------------------
93
94.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
95   :noindex:
96
97.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
98   :noindex:
99
100.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
101   :noindex:
102
103.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
104   :noindex:
105
106.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
107   :noindex:
108
109Student Section Permissions
110---------------------------
111
112.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
113   :noindex:
114
115.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
116   :noindex:
117
118.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
119   :noindex:
120
121.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
122   :noindex:
123
124.. autoclass:: waeup.kofa.students.permissions.PayStudent()
125   :noindex:
126
127.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
128   :noindex:
129
130.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
131   :noindex:
132
133.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
134   :noindex:
135
136.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
137   :noindex:
138
139.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
140   :noindex:
141
142.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
143   :noindex:
144
145.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
146   :noindex:
147
148Global Roles
149============
150
151Global or site roles are assigned portal-wide. In contrast to local
152roles, users have this role in every context.
153
154Many global roles do only bundle one or two permissions. The objective
155behind is to share responsibilities and distribute tasks.
156
157Global roles are being assigned via the user manage form page.
158
159Global General Roles
160--------------------
161
162.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
163   :noindex:
164
165.. autoclass:: waeup.kofa.permissions.AcademicsManager()
166   :noindex:
167
168.. autoclass:: waeup.kofa.permissions.DataCenterManager()
169   :noindex:
170
171.. autoclass:: waeup.kofa.permissions.ImportManager()
172   :noindex:
173
174.. autoclass:: waeup.kofa.permissions.ExportManager()
175   :noindex:
176
177.. autoclass:: waeup.kofa.permissions.ACManager()
178   :noindex:
179
180.. autoclass:: waeup.kofa.permissions.UsersManager()
181   :noindex:
182
183.. autoclass:: waeup.kofa.permissions.WorkflowManager()
184   :noindex:
185
186.. autoclass:: waeup.kofa.reports.ReportsOfficer()
187   :noindex:
188
189.. autoclass:: waeup.kofa.reports.ReportsManager()
190   :noindex:
191
192In contrast to these specialized sets of permissions, there are two
193sets which delegate extensive powers on portal managers.
194
195.. autoclass:: waeup.kofa.permissions.PortalManager()
196   :noindex:
197
198.. autoclass:: waeup.kofa.permissions.CCOfficer()
199   :noindex:
200
201Global Application Section Roles
202--------------------------------
203
204Global Application Section Roles are assigned portal-wide (globally)
205but do actually only allocate permissions in the Application Section.
206
207.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
208   :noindex:
209
210.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
211   :noindex:
212
213.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
214   :noindex:
215
216Global Student Section Roles
217----------------------------
218
219Global Student Section Roles are assigned portal-wide (globally) but
220do actually only allocate permissions in the Student Section.
221
222.. autoclass:: waeup.kofa.students.permissions.StudentRole()
223   :noindex:
224
225.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
226   :noindex:
227
228.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
229   :noindex:
230
231.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
232   :noindex:
233
234.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
235   :noindex:
236
237.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
238   :noindex:
239
240.. _local_roles:
241
242Local Roles and Dynamic Role Assignment
243=======================================
244
245In contrast to global roles, which are assigned portal-wide, local
246role permissions are gained for a specific context.
247
248Some local roles serve a second purpose. At first glance it appears
249strange that some of these 'odd' roles do not give more permissions
250than the user already has due to other roles. Their real purpose is to
251delegate permissions to the students or application section. If a user
252has for example the LocalStudentsManager role described below at
253department level, s/he automatically gets the StudentsManager role for
254those students studying in this department. We call this a **dynamic
255role**. In contrast to static global or local roles, dynamic roles are
256not stored in the database, they are dynamically assigned.
257
258Local roles are assigned either automatically by the system during
259user object setup or manually through the web interface. The
260automatically assigned local roles are:
261
262.. autoclass:: waeup.kofa.permissions.Owner()
263   :noindex:
264
265.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
266   :noindex:
267
268.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
269   :noindex:
270
271All other local roles must be assigned manually via context manage form pages.
272
273.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
274   :noindex:
275
276.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
277   :noindex:
278
279.. autoclass:: waeup.kofa.permissions.DepartmentManager()
280   :noindex:
281
282.. autoclass:: waeup.kofa.permissions.Lecturer()
283   :noindex:
284
285The following local roles do also delegate permissions to the student
286section. In other words, dynamic roles are assigned.
287
288.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
289   :noindex:
290
291.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
292   :noindex:
293
294.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
295   :noindex:
296
297.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
298   :noindex:
299
300.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
301   :noindex:
302
303.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
304   :noindex:
Note: See TracBrowser for help on using the repository browser.