source: main/waeup.kofa/trunk/docs/source/userdocs/security.rst @ 15208

Last change on this file since 15208 was 15163, checked in by Henrik Bettermann, 6 years ago

Merge with /main/waeup.kofa/branches/henrik-transcript-workflow:15127-15162

File size: 8.9 KB
Line 
1.. _security_policy:
2
3Security
4********
5
6.. seealso::
7
8   :ref:`Security Doctests <security_txt>`
9
10Kofa has a very efficient security machinery. The machinery does not
11perform authorization checks on the content objects themselves stored
12in the database, but, restricts the usage of views, i.e. web pages and
13forms which are needed to view or edit data. Views are protected by
14permissions the user must have to use the view. Instead of assigning
15permissions seperately to users, permissions are bundled into sets of
16permissions, so-called roles which can be assigned to users through
17the web interface.
18
19It is important to note that permissions do not include other
20permissions. Only roles 'include' permissions. A 'manage' permission,
21for example, does not automatically enable users to open pages which
22merely display the data. These pages have their own 'view'
23permission. Another example is the ManagePortal permission described
24below. The name of the permission may lead to believe that users can
25do everything with this permissions. This is not true. It does only
26give access to certain pages which are dedicated to portal managers
27and must not be accessed by any other user.
28
29.. contents:: Table of Contents
30   :local:
31
32Permissions
33===========
34
35The whole set of permission and role classes are described in the
36:py:mod:`Permissions and Roles Module<waeup.kofa.permissions>`. Here
37we describe only a subset of permission classes which are essential
38for the security settings configuration.
39
40General Permissions
41-------------------
42
43.. autoclass:: waeup.kofa.permissions.Public()
44   :noindex:
45
46.. autoclass:: waeup.kofa.permissions.Anonymous()
47   :noindex:
48
49.. autoclass:: waeup.kofa.permissions.Authenticated()
50   :noindex:
51
52.. autoclass:: waeup.kofa.permissions.ManageUsers()
53   :noindex:
54
55.. autoclass:: waeup.kofa.permissions.EditUser()
56   :noindex:
57
58.. autoclass:: waeup.kofa.permissions.ManagePortal()
59   :noindex:
60
61.. autoclass:: waeup.kofa.permissions.ViewAcademics()
62   :noindex:
63
64.. autoclass:: waeup.kofa.permissions.ManageAcademics()
65   :noindex:
66
67.. autoclass:: waeup.kofa.permissions.ManagePortalConfiguration()
68   :noindex:
69
70.. autoclass:: waeup.kofa.permissions.ManageDataCenter()
71   :noindex:
72
73.. autoclass:: waeup.kofa.permissions.ExportData()
74   :noindex:
75
76.. autoclass:: waeup.kofa.permissions.ImportData()
77   :noindex:
78
79.. autoclass:: waeup.kofa.permissions.TriggerTransition()
80   :noindex:
81
82.. autoclass:: waeup.kofa.permissions.ShowStudents()
83   :noindex:
84
85.. autoclass:: waeup.kofa.reports.HandleReports()
86   :noindex:
87
88.. autoclass:: waeup.kofa.reports.ManageReports()
89   :noindex:
90
91Applicants Section Permissions
92------------------------------
93
94.. autoclass:: waeup.kofa.applicants.permissions.ViewApplication()
95   :noindex:
96
97.. autoclass:: waeup.kofa.applicants.permissions.HandleApplication()
98   :noindex:
99
100.. autoclass:: waeup.kofa.applicants.permissions.ManageApplication()
101   :noindex:
102
103.. autoclass:: waeup.kofa.applicants.permissions.PayApplicant()
104   :noindex:
105
106.. autoclass:: waeup.kofa.applicants.permissions.ViewApplicationStatistics()
107   :noindex:
108
109.. autoclass:: waeup.kofa.applicants.permissions.CreateStudents()
110   :noindex:
111
112Students Section Permissions
113----------------------------
114
115.. autoclass:: waeup.kofa.students.permissions.ViewStudent()
116   :noindex:
117
118.. autoclass:: waeup.kofa.students.permissions.HandleStudent()
119   :noindex:
120
121.. autoclass:: waeup.kofa.students.permissions.ViewStudentsContainer()
122   :noindex:
123
124.. autoclass:: waeup.kofa.students.permissions.ManageStudent()
125   :noindex:
126
127.. autoclass:: waeup.kofa.students.permissions.PayStudent()
128   :noindex:
129
130.. autoclass:: waeup.kofa.students.permissions.HandleAccommodation()
131   :noindex:
132
133.. autoclass:: waeup.kofa.students.permissions.UploadStudentFile()
134   :noindex:
135
136.. autoclass:: waeup.kofa.students.permissions.LoginAsStudent()
137   :noindex:
138
139.. autoclass:: waeup.kofa.students.permissions.EditStudyLevel()
140   :noindex:
141
142.. autoclass:: waeup.kofa.students.permissions.ClearStudent()
143   :noindex:
144
145.. autoclass:: waeup.kofa.students.permissions.ValidateStudent()
146   :noindex:
147
148Global Roles
149============
150
151Global or site roles are assigned portal-wide. In contrast to local
152roles, users have this role in every context.
153
154Many global roles do only bundle one or two permissions. The objective
155behind is to share responsibilities and distribute tasks.
156
157Global roles are being assigned via the user manage form page.
158
159Global General Roles
160--------------------
161
162.. autoclass:: waeup.kofa.permissions.AcademicsOfficer()
163   :noindex:
164
165.. autoclass:: waeup.kofa.permissions.AcademicsManager()
166   :noindex:
167
168.. autoclass:: waeup.kofa.permissions.DataCenterManager()
169   :noindex:
170
171.. autoclass:: waeup.kofa.permissions.ImportManager()
172   :noindex:
173
174.. autoclass:: waeup.kofa.permissions.ExportManager()
175   :noindex:
176
177.. autoclass:: waeup.kofa.permissions.ACManager()
178   :noindex:
179
180.. autoclass:: waeup.kofa.permissions.UsersManager()
181   :noindex:
182
183.. autoclass:: waeup.kofa.permissions.WorkflowManager()
184   :noindex:
185
186.. autoclass:: waeup.kofa.reports.ReportsOfficer()
187   :noindex:
188
189.. autoclass:: waeup.kofa.reports.ReportsManager()
190   :noindex:
191
192In contrast to these specialized sets of permissions, there are two
193sets which delegate extensive powers on portal managers.
194
195.. autoclass:: waeup.kofa.permissions.PortalManager()
196   :noindex:
197
198.. autoclass:: waeup.kofa.permissions.CCOfficer()
199   :noindex:
200
201Global Applicants Section Roles
202-------------------------------
203
204Global Applicants Section Roles are assigned portal-wide (globally)
205but do actually only allocate permissions in the applicants section.
206
207.. autoclass:: waeup.kofa.applicants.permissions.ApplicantRole()
208   :noindex:
209
210.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsOfficer()
211   :noindex:
212
213.. autoclass:: waeup.kofa.applicants.permissions.ApplicationsManager()
214   :noindex:
215
216.. autoclass:: waeup.kofa.applicants.permissions.StudentsCreator()
217   :noindex:
218
219Global Students Section Roles
220-----------------------------
221
222Global Students Section Roles are assigned portal-wide (globally) but
223do actually only allocate permissions in the students section.
224
225.. autoclass:: waeup.kofa.students.permissions.StudentRole()
226   :noindex:
227
228.. autoclass:: waeup.kofa.students.permissions.StudentsOfficer()
229   :noindex:
230
231.. autoclass:: waeup.kofa.students.permissions.StudentsManager()
232   :noindex:
233
234.. autoclass:: waeup.kofa.students.permissions.StudentsClearanceOfficer()
235   :noindex:
236
237.. autoclass:: waeup.kofa.students.permissions.StudentsCourseAdviser()
238   :noindex:
239
240.. autoclass:: waeup.kofa.students.permissions.StudentImpersonator()
241   :noindex:
242
243.. autoclass:: waeup.kofa.students.permissions.TranscriptOfficer()
244   :noindex:
245
246.. autoclass:: waeup.kofa.students.permissions.TranscriptSignee()
247   :noindex:
248
249.. _local_roles:
250
251Local Roles and Dynamic Role Assignment
252=======================================
253
254In contrast to global roles, which are assigned portal-wide, local
255role permissions are gained for a specific context.
256
257Some local roles serve a second purpose. At first glance it appears
258strange that some of these 'odd' roles do not give more permissions
259than the user already has due to other roles. Their real purpose is to
260delegate permissions to the students or applicants section. If a user
261has for example the LocalStudentsManager role described below at
262department level, s/he automatically gets the StudentsManager role for
263those students studying in this department. We call this a **dynamic
264role**. In contrast to static global or local roles, dynamic roles are
265not stored in the database, they are dynamically assigned.
266
267Local roles are assigned either automatically by the system during
268user object setup or manually through the web interface. The
269automatically assigned local roles are:
270
271.. autoclass:: waeup.kofa.permissions.Owner()
272   :noindex:
273
274.. autoclass:: waeup.kofa.applicants.permissions.ApplicationOwner()
275   :noindex:
276
277.. autoclass:: waeup.kofa.students.permissions.StudentRecordOwner()
278   :noindex:
279
280All other local roles must be assigned manually via context manage form pages.
281
282.. autoclass:: waeup.kofa.permissions.ApplicationsManager()
283   :noindex:
284
285.. autoclass:: waeup.kofa.permissions.DepartmentOfficer()
286   :noindex:
287
288.. autoclass:: waeup.kofa.permissions.DepartmentManager()
289   :noindex:
290
291.. autoclass:: waeup.kofa.permissions.Lecturer()
292   :noindex:
293
294The following local roles do also delegate permissions to the student
295section. In other words, dynamic roles are assigned.
296
297.. autoclass:: waeup.kofa.permissions.ClearanceOfficer()
298   :noindex:
299
300.. autoclass:: waeup.kofa.permissions.LocalStudentsManager()
301   :noindex:
302
303.. autoclass:: waeup.kofa.permissions.LocalWorkflowManager()
304   :noindex:
305
306.. autoclass:: waeup.kofa.permissions.UGClearanceOfficer()
307   :noindex:
308
309.. autoclass:: waeup.kofa.permissions.PGClearanceOfficer()
310   :noindex:
311
312.. autoclass:: waeup.kofa.permissions.CourseAdviser100()
313   :noindex:
314
315.. autoclass:: waeup.kofa.permissions.LocalTranscriptOfficer()
316   :noindex:
317
318.. autoclass:: waeup.kofa.permissions.LocalTranscriptSignee()
319   :noindex:
Note: See TracBrowser for help on using the repository browser.