
Authorization section

Damiano edited this page Apr 9, 2014 · 26 revisions

## Resource-based authorization overview ##

The GeoStore authorization system is based on the grants a user holds on each single resource. If a user has read and write grants on a resource, that user can read, update and delete every attribute of the resource and all of its stored data.

No finer-grained authorization is available (for example, giving a user access to only part of a resource), nor any coarser-grained one (for example, granting or denying a user access to every resource that belongs to a category at once).

## Resource ownership and Group membership ##

All authenticated users can create new resources. The creator of a resource is its owner and holds read and write grants on it. This behaviour is fixed: resource ownership cannot be changed.

By default, no user other than the owner (and the admin) can access a new resource, either for reading or for writing. To open it up, the admin, or the owner at creation time, must add a security rule that sets grants for a usergroup; a non-owner user then gains access to the resource only by being a member of that usergroup.

Since a user can be a member of many groups, and different groups can hold different grants on the same resource, how is it decided whether a user can access a resource? The rule is simple: a non-owner user is granted read access to a resource if at least one of the user's groups has a read grant on it. The same rule is applied to determine write grants. The two grants are evaluated independently, so a group that holds only a write grant gives its members write access but not read access.

### Example ###

Consider the following setup:

  • GeoStore holds 4 users: admin, userOwner and two other users, user1 and user2. There is also another special user, guestUser.
  • GeoStore holds 2 usergroups, groupA and groupB, with no users assigned to them.

  1. userOwner creates resource1

Grants on resource1 at this point:

| User      | Grants on resource1 |
|-----------|---------------------|
| userOwner | W+R                 |
| user1     | no grants           |
| user2     | no grants           |
| admin     | W+R                 |
| guestUser | no grants           |

  2. admin assigns user1 to group groupA
  3. admin assigns user2 to group groupB
  4. admin assigns the W grant to groupA for resource1
  5. admin assigns W+R grants to groupB for resource1

Grants on resource1 after these steps (user1 has only the write grant, because groupA was granted W but not R):

| User      | Grants on resource1 |
|-----------|---------------------|
| userOwner | W+R                 |
| user1     | W                   |
| user2     | W+R                 |
| admin     | W+R                 |
| guestUser | no grants           |
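The access rule described above (owner and admin always have R and W; any other user has a grant only if at least one of their groups holds it on the resource), replayed on the page's own example as an added Python model. This is illustration code, not GeoStore's implementation: the `Directory` and `Resource` classes, the `has_grant` function and the treatment of guestUser as a user with no group memberships are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the resource-level rule described on this page (not GeoStore code).
ADMIN = "admin"
GUEST = "guestUser"   # assumption: the guest user is simply a user with no group membership


@dataclass
class Resource:
    name: str
    owner: str                                           # set at creation, never changed
    group_grants: dict = field(default_factory=dict)     # group name -> set of "R" / "W"


@dataclass
class Directory:
    membership: dict = field(default_factory=dict)       # user -> set of group names
    admins: set = field(default_factory=lambda: {ADMIN})

    def assign_group(self, user, group):
        """Make `user` a member of `group` (users may belong to many groups)."""
        self.membership.setdefault(user, set()).add(group)


def has_grant(directory, user, resource, grant):
    """True if `user` holds `grant` ("R" or "W") on `resource`.

    Admin and the owner always hold both grants. Any other user holds the grant
    only if at least one of the user's groups has it on the resource. R and W are
    evaluated independently, so a group granted only W gives write but not read
    access. The check is per resource: there is no per-attribute granularity.
    """
    if user in directory.admins or user == resource.owner:
        return True
    groups = directory.membership.get(user, set())
    return any(grant in resource.group_grants.get(g, set()) for g in groups)


def grant_label(directory, user, resource):
    """Render grants the way the page's tables do: "W+R", "W", "R" or "no grants"."""
    parts = [g for g in ("W", "R") if has_grant(directory, user, resource, g)]
    return "+".join(parts) if parts else "no grants"


def walkthrough():
    """Replay the page's example; return the grant tables after step 1 and after step 5."""
    users = ["userOwner", "user1", "user2", ADMIN, GUEST]
    d = Directory()
    # step 1: userOwner creates resource1; groupA and groupB exist but are still empty
    r = Resource("resource1", owner="userOwner")
    after_step1 = {u: grant_label(d, u, r) for u in users}
    # steps 2-5, performed by admin
    d.assign_group("user1", "groupA")
    d.assign_group("user2", "groupB")
    r.group_grants["groupA"] = {"W"}
    r.group_grants["groupB"] = {"W", "R"}
    after_step5 = {u: grant_label(d, u, r) for u in users}
    return after_step1, after_step5


if __name__ == "__main__":
    for stage, table in zip(("after step 1", "after step 5"), walkthrough()):
        print(stage)
        for user, grants in table.items():
            print(f"  {user:<10} {grants}")
```

Because grants are unioned across a user's groups, adding user1 to groupB as well would give user1 W+R; conversely, no combination of group rules can narrow what the owner or the admin can do.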