Differences between revisions 45 and 46
Revision 45 as of 2005-05-15 16:03:36
Size: 2631
Revision 46 as of 2009-09-20 23:27:21
Size: 2639
Editor: localhost
Comment: converted to 1.6 markup
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
[http://cocoon.apache.org/lenya/docs/components/accesscontrol/terms.html#Role] [[http://cocoon.apache.org/lenya/docs/components/accesscontrol/terms.html#Role]]
Line 21: Line 21:
[http://cocoon.apache.org/lenya/docs/components/accesscontrol/authorizers.html#UsecaseAuthorizer] [[http://cocoon.apache.org/lenya/docs/components/accesscontrol/authorizers.html#UsecaseAuthorizer]]
Line 29: Line 29:
[http://cocoon.apache.org/lenya/docs/components/accesscontrol/policymanagers.html] [[http://cocoon.apache.org/lenya/docs/components/accesscontrol/policymanagers.html]]
Line 35: Line 35:
[http://cocoon.apache.org/lenya/docs/components/workflow/configuration.html#RoleCondition] [[http://cocoon.apache.org/lenya/docs/components/workflow/configuration.html#RoleCondition]]

Understanding the Lenya Role Concept

  1. you define an arbitrary set of roles for your publication by creating the .rml files in $PUB_HOME/config/ac/passwd

  2. you assign roles to usecases
  3. you assign roles to identities at URLs using policies
  4. you assign roles to workflow transitions

Defining Roles


Roles are the connection between access control and CMS functionality. On the access control side, you assign Roles to users, IP address ranges and groups at certain URL spaces. On the CMS side, you define which Roles are needed to execute certain usecases and workflow transitions.

Assigning Roles to Usecases


This Authorizer looks for the lenya.usecase request parameter and checks the usecase policy file for the Roles that are allowed to execute this usecase.

Assinging Roles to Identities at URLs using Policies


A Policy assigns Roles to Accreditables.

Assigning Roles to Workflow Transitions


Roles vs. Groups

Roles and groups are completely different things.

Groups are just collections of users or IP ranges. They make assigning of permissions easier (you can assign a permission to a group instead of every single user.

Roles are just strings. You can choose them for every publication. You define what a role means.

Basically, you can imagine

+----------------+             +----------------+
| Access Control |--- Roles ---| CMS Functions  |
+----------------+             +----------------+
   - users                        - workflow
   - groups                       - usecases
   - IP ranges

which means that you use roles to separate your access control definitions from your CMS function definitions. Roles are used as the interface between access control and CMS functions.

If there were no roles, you would have to assign every single CMS function (workflow, usecases, ...) to users, groups etc. This would be a huge amount of work and maintenance.

But you define roles as shorthands to protect CMS functions (using workflow conditions and usecase permissions). And you assign roles to users, groups, etc. on certain URLs (using policies).

OverviewAccessControl (last edited 2009-09-20 23:27:21 by localhost)