Rights

Rights are access control rules that determine whether and how a user or application may perform operations on an object.

Rights can be managed for two different kinds of objects in the onion.net system: data and ChangeSets. Rights with respect to data control whether a particular data object or its descendants can be read, edited, or deleted. Rights with respect to ChangeSets control whether a particular ChangeSet can be read, edited, or published.

When new users are created in the onion.net system, they initially have only the rights connected to their role (see Chapter 6.2.2.2). They have no rights beyond those of their role. A user administrator cannot allocate additional rights directly to a user. Instead, the user administrator can allocate users to a group and allocate the respective rights to this group. The rights of this group apply to all of its members. This procedure simplifies the administration of rights: when the structure of rights changes, only the rights of a group need to be adjusted, not those of every individual user. Users are allocated to one or several groups and thus receive their rights indirectly.

Rights are allocated per object. User administrators define group rights for specific objects. A distinction is made between object rights and descendants' rights: object rights refer to a specific object, descendants' rights to its descendants. Table 3.1 lists all rights for an object that can be allocated to a group. Table 3.2 lists all rights for a ChangeSet that can be allocated to a group.

Table 3.1

| Symbol | Right | Description |
|---|---|---|
| | Reading an object | Group members have the right to see the object, i.e. they can see it but they cannot edit it. |
| | Editing an object | Group members have the right to edit the object, i.e. they can check it in, save it etc. |
| | Deleting an object | Group members have the right to delete the object. |
| | Create descendants | Group members have the right to create descendants of this object. |
| | Reading descendants | Group members have the right to see descendants of this object. |
| | Editing descendants | Group members have the right to edit descendants of this object. |
| | Deleting descendants | Group members have the right to delete descendants of this object. |
| | Listing descendants | Group members have the right to list descendants of this object. This is a special reading right. Group members only have the right to see the children of an object for which they were explicitly given the right "Reading an object". All other child objects cannot be seen. |

Table 3.2

| Symbol | Right | Description |
|---|---|---|
| | Read ChangeSet | Group members have the right to see the ChangeSet, i.e. they can see it and enter it, but they cannot edit it. |
| | Edit ChangeSet | Group members have the right to edit the ChangeSet, i.e. they can edit the meta-data. |
| | Publish ChangeSet | Group members have the right to publish or delete the ChangeSet. |

The object detail window gives a clear overview of the rights of a group for a specific object. Every line shows the rights for one object, whose icon and path are displayed in the first column. For every right, the user administrator can set one of three states (see Table 4) by clicking in the table cell until the desired symbol appears.

Table 4

| Symbol | State | Description |
|---|---|---|
| | Inherit the right by structure | Rights are inherited in a standardised way. If, for example, group members have been allocated the right to read the children of an object, this right is also passed on to their children, i.e. group members are allowed to read the children's children etc. For this reason, we speak of descendants' rights and not only of children's rights. Inherited rights can be overridden if a right is explicitly allocated to or withdrawn from an object. |
| | Allocating a right | The group explicitly receives the corresponding right. |
| | Withdrawing a right | The group is explicitly denied the corresponding right. |
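The three states and the split between object rights and descendants' rights can be modelled as a small resolver. This is an added example, not onion.net code: the paths, the `GROUP_RIGHTS` table and the `effective_right` function are hypothetical, and it assumes a single group, that the nearest ancestor with an explicit descendants' right decides, and that a right which is set nowhere is not granted.

```python
from enum import Enum
from pathlib import PurePosixPath

class State(Enum):
    INHERIT = "inherit"    # inherit the right by structure
    ALLOCATE = "allocate"  # the group explicitly receives the right
    WITHDRAW = "withdraw"  # the group is explicitly denied the right

# Constructed sample: one group's explicit settings, keyed by (object path, right).
# "<op>_object" applies to the object itself, "<op>_descendants" to everything below it.
GROUP_RIGHTS = {
    ("/site", "read_descendants"): State.ALLOCATE,
    ("/site", "edit_descendants"): State.ALLOCATE,
    ("/site/internal", "read_object"): State.WITHDRAW,
    ("/site/internal", "read_descendants"): State.WITHDRAW,
    ("/site/internal/faq", "read_object"): State.ALLOCATE,
    ("/site/news", "edit_object"): State.WITHDRAW,
}

def effective_right(rights, path, op):
    """Return (granted, reason) for op in {"read", "edit", "delete"} on path."""
    obj = PurePosixPath(path)
    # 1. An explicit allocation or withdrawal on the object overrides inheritance.
    state = rights.get((str(obj), f"{op}_object"), State.INHERIT)
    if state is not State.INHERIT:
        return state is State.ALLOCATE, f"explicit on {obj}"
    # 2. Otherwise walk up the structure; the nearest ancestor with an explicit
    #    descendants' right decides (assumption, see lead-in).
    for ancestor in obj.parents:
        state = rights.get((str(ancestor), f"{op}_descendants"), State.INHERIT)
        if state is not State.INHERIT:
            return state is State.ALLOCATE, f"inherited from {ancestor}"
    # 3. Nothing is set anywhere on the path: not granted (assumed default).
    return False, "no right set"

if __name__ == "__main__":
    for p, op in [("/site", "read"), ("/site/news", "edit"),
                  ("/site/news/2024", "edit"), ("/site/internal/faq", "read"),
                  ("/site/internal/hr", "read")]:
        print(f"{op:6} {p:22} -> {effective_right(GROUP_RIGHTS, p, op)}")
```

Two results are worth checking in a real rights review: a descendants' right on `/site` does not cover `/site` itself, and withdrawing an object right on `/site/news` leaves its descendants editable.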