Roles and Relationships

Introduction

This is the documentation for the permission system used by the Webapp framework (and particularly the SAFE). The permission system is handled by the SessionService object returned by the AppContext.

Roles

A role is the simplest of the permission states. It is a named global capability that can be assigned to a user or a login session. In a web-context roles may be inherited from the Servlet framework. In this case the role only applies to the current logged in session. In all other cases roles are defined in terms of an AppUser (These are ther objects/records that represent registered users of the application). The mapping between users and roles are stored in the role_table database table. There is a standard form that allows a users assigned roles to be changed. The list of roles available to this form can be extended by adding names to a comma separated list stored in the role_list configuration parameter.

In practice the number of different roles checked by the application can be very large to allow fine-tuning of permissions. However roles that are actively assigned to users may be meta-roles that represent a number of underlying permissions. An underlying role can be mapped to a meta-role by setting a config parameter:
use_role.role-name=meta-role-list
Where role-list is a comma separated list of meta-roles that inherit the permissions of the underlying role.

Some roles can be marked at “togglable” roles. These roles are not active by default and a user with access to them needs to perform an action (such as clicking a web-menu) to enable the role before use. These are intended for administrative roles where the user may also want to view the application as an unprivileged user. The set of togglable roles is defined in the toggle_roles configuration parameter.

Relationships

Relationships are similar to roles in that they are named capabilities. However they define a relationship with a particular domain object (such as manager or owner)

Relationships are configured via the ConfigService by setting: use_relationship.factory-tag.role If this is a comma separated list it implies an OR of the component parts. within this AND combinations can be specified as + separated terms.

The factory (or its Composites) can implement AccessRoleProvider to provide roles.

Roles of the form field->remote_role denotes a remote filter joined via the reference field field A person has these roles with the target object if they have the remote_role on the object the target references. The remote role must be unqualified.

Role names containing a period are qualified names the qualifier can be: