The Extensive Access Checking concept is normally used for EDMsixServer systems with multi-user access to an EDMdatabase. In such multi-user systems, this concept enables a very flexible and configurable access control system.
...
A protected object is an EDMdatabase object which possesses a set of attributes containing object protection meta data.
...
The attributes owner, group, administrators and access_rights_for are used to determine how the EDMuser or EDMgroup relates to the protected object, i.e. its Access Role.
When you create protected objects, the object protection is set according to a set of default values that have been assigned to the EDMuser and EDMgroup accounts that you are logged in with.
The object protection is set individually for USER, GROUP and PUBLIC access. If you are familiar with UNIX file permissions, you will recognize this concept. For each of the USER, GROUP and PUBLIC protections, each of the following five access flags is either set or unset (flag values are octal):
- READ_ACCESS (0001)
- WRITE_ACCESS (0002)
- CREATE_ACCESS (0004)
- EXECUTE_ACCESS (0010)
- DELETE_ACCESS (0020)
The USER, GROUP and PUBLIC protection settings of a protected object are each a combination of these five access flags. Each combination forms a five-bit binary pattern, so each of the USER, GROUP and PUBLIC protections can be represented by a decimal number ranging from 0 (no access) to 31 (all five flags set). The complete protection setting of a protected object is represented by a single decimal number, obtained by concatenating the USER, GROUP and PUBLIC protection settings into a single 15-bit object protection pattern;
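The following is an added example, not code from the EDMsix documentation, showing how the three five-bit protection settings pack into the 15-bit pattern and back. The flag values are the octal values listed above; the bit order of the concatenation (USER in the most significant five bits, then GROUP, then PUBLIC, as in a UNIX mode) is an assumption of this example, as are the function names, since the page does not state the order.

```python
# Added example, not code from the EDMsix documentation. Encodes and decodes
# the 15-bit object protection pattern built from the five access flags.
# The flag values listed in the text are octal. The bit order used for the
# concatenation (USER in the most significant five bits, then GROUP, then
# PUBLIC, as in a UNIX mode) is an assumption of this example.
READ_ACCESS    = 0o01
WRITE_ACCESS   = 0o02
CREATE_ACCESS  = 0o04
EXECUTE_ACCESS = 0o10
DELETE_ACCESS  = 0o20
ALL_ACCESS     = 0o37   # every flag set: decimal 31, the largest five-bit value
NO_ACCESS      = 0

FLAG_NAMES = (
    ("READ_ACCESS", READ_ACCESS),
    ("WRITE_ACCESS", WRITE_ACCESS),
    ("CREATE_ACCESS", CREATE_ACCESS),
    ("EXECUTE_ACCESS", EXECUTE_ACCESS),
    ("DELETE_ACCESS", DELETE_ACCESS),
)


def valid_flags(bits):
    """True when bits is a legal five-bit protection value (0..31)."""
    return isinstance(bits, int) and 0 <= bits <= ALL_ACCESS


def pack_protection(user, group, public):
    """Concatenate the USER, GROUP and PUBLIC settings into one 15-bit pattern."""
    for name, bits in (("USER", user), ("GROUP", group), ("PUBLIC", public)):
        if not valid_flags(bits):
            raise ValueError(f"{name} protection {bits!r} is not in 0..{ALL_ACCESS}")
    return (user << 10) | (group << 5) | public


def unpack_protection(pattern):
    """Split a 15-bit pattern back into (user, group, public) five-bit values."""
    if not isinstance(pattern, int) or not 0 <= pattern < (1 << 15):
        raise ValueError(f"{pattern!r} is not a 15-bit protection pattern")
    return (pattern >> 10) & ALL_ACCESS, (pattern >> 5) & ALL_ACCESS, pattern & ALL_ACCESS


def flag_names(bits):
    """Names of the access flags set in a five-bit value, in bit order."""
    return [name for name, flag in FLAG_NAMES if bits & flag]


def has_access(bits, required):
    """True when every flag in `required` is present in `bits`."""
    return bits & required == required


def format_protection(pattern):
    """Octal USER/GROUP/PUBLIC view of a packed pattern, e.g. '37/03/01'."""
    return "/".join(f"{part:02o}" for part in unpack_protection(pattern))


if __name__ == "__main__":
    # Constructed sample: owner has everything, group may read and write, public may read.
    packed = pack_protection(ALL_ACCESS, READ_ACCESS | WRITE_ACCESS, READ_ACCESS)
    print(packed, format_protection(packed))       # 31841 37/03/01
    user, group, public = unpack_protection(packed)
    print(flag_names(group))                       # ['READ_ACCESS', 'WRITE_ACCESS']
    print(has_access(public, WRITE_ACCESS))        # False
```

The range checks matter in practice: a value of 32 does not fit in five bits and would silently spill into the neighbouring protection field if packed without validation.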
...
Access to protected objects for EDMusers and EDMgroups is granted by controlling their Access Role. Protected objects also carry meta information that determines the type of access an EDMuser or EDMgroup has to the object.
Access Roles
Access to protected objects is granted based on the logged-in EDMuser and EDMgroup. When EDMsix checks access to a protected object, it first determines which access role applies to the EDMuser/EDMgroup. There are seven possible access roles.
Access Role | Description |
---|---|
OWNER_USER (Level 1 - 001b) | This is the highest possible access role to a protected object (except for superuser). When creating a protected object, your EDMuser will automatically be the object owner. A protected object may only be owned by a single EDMuser. If you are the owner of the protected object, your access role will be OWNER_USER and you will be granted USER access to it, provided there are no restricting USER access settings on any of its parent protected objects. |
ADMIN_USER (Level 2 - 010b) | When creating a protected object, your EDMuser will also automatically be added to a list of object administrator users. A protected object may have any number of object administrator users. If you are logged in as an object administrator user and you are not the object owner, your access role will be ADMIN_USER and you will be granted USER access to it, provided there are no restricting USER access settings on any of its parent protected objects. |
OWNER_GROUP (Level 3 - 011b) | When creating a protected object, your EDMgroup will automatically be the object owner group. A protected object may only be owned by a single EDMgroup. If you are logged in with the owner group of the protected object, your access role will be OWNER_GROUP and you will be granted GROUP access to it, provided you have not already been granted a higher access role and there are no restricting GROUP access settings on any of its parent protected objects. |
ADMIN_GROUP (Level 4 - 100b) | When creating a protected object, your EDMgroup will also automatically be added to a list of object administrator groups. A protected object may have any number of object administrator groups. If you are logged in with an object administrator group, your access role will be ADMIN_GROUP and you will be granted GROUP access to it, provided you have not already been granted a higher access role and there are no restricting GROUP access settings on any of its parent protected objects. |
ACCESS_FOR_USER (Level 5 - 101b) | If you have the OWNER_USER or ADMIN_USER access role to a protected object, you may grant special access to any number of entrusted EDMusers. If you are logged in as an entrusted EDMuser, your access role will be ACCESS_FOR_USER, and you will be granted the ENTRUSTED user access that has been specifically set for you, provided you have not been granted a higher access role and there are no restricting USER access or ENTRUSTED user access settings on any of its parent protected objects. |
ACCESS_FOR_GROUP (Level 6 - 110b) | If you have the OWNER_USER or ADMIN_USER access role to a protected object, you may grant special access to any number of entrusted EDMgroups. If you are logged in with an entrusted EDMgroup, your access role will be ACCESS_FOR_GROUP, and you will be granted the ENTRUSTED group access that has been specifically set for your EDMgroup, provided you have not been granted a higher access role and there are no restricting GROUP access or ENTRUSTED group access settings on any of its parent protected objects. |
PUBLIC_ACCESS (Level 7 - 111b) | The lowest possible access role is PUBLIC_ACCESS. This is the access role you will be granted if you have not been granted any higher access role on a protected object, and you will be granted PUBLIC access to it, provided there are no restricting PUBLIC access settings on any of its parent protected objects. |
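The role resolution described in the table, as an added example that is not code from the EDMsix documentation. It walks the seven roles in level order (the first match wins, so a lower level number always beats a higher one) and maps the role to the protection setting it is granted. The page does not say exactly how a "restricting" parent is combined with the object's own setting; this example assumes the effective flags are the AND of the flags resolved on the object and on each parent in turn, so a parent can only remove access, never add it. The object layout, the parent link, the SUPERUSER result and the sample users and groups are all constructed for the example.

```python
# Added example, not code from the EDMsix documentation. Resolves the access
# role of a logged-in EDMuser/EDMgroup on a protected object and the
# protection flags that role is granted. Parent handling is an assumption:
# effective flags = AND of the flags resolved on the object and each parent.
from dataclasses import dataclass, field

READ_ACCESS, WRITE_ACCESS, CREATE_ACCESS, EXECUTE_ACCESS, DELETE_ACCESS = 0o01, 0o02, 0o04, 0o10, 0o20
ALL_ACCESS = 0o37

# Role levels as in the table: a lower level number is a higher role.
OWNER_USER, ADMIN_USER, OWNER_GROUP, ADMIN_GROUP = 1, 2, 3, 4
ACCESS_FOR_USER, ACCESS_FOR_GROUP, PUBLIC_ACCESS = 5, 6, 7
ROLE_NAMES = {1: "OWNER_USER", 2: "ADMIN_USER", 3: "OWNER_GROUP", 4: "ADMIN_GROUP",
              5: "ACCESS_FOR_USER", 6: "ACCESS_FOR_GROUP", 7: "PUBLIC_ACCESS"}


@dataclass
class ProtectedObject:
    owner: str                  # the single owning EDMuser
    group: str                  # the single owning EDMgroup
    user_access: int            # five-bit USER protection
    group_access: int           # five-bit GROUP protection
    public_access: int          # five-bit PUBLIC protection
    administrators: set = field(default_factory=set)      # object administrator EDMusers
    admin_groups: set = field(default_factory=set)        # object administrator EDMgroups
    entrusted_users: dict = field(default_factory=dict)   # EDMuser -> ENTRUSTED user access
    entrusted_groups: dict = field(default_factory=dict)  # EDMgroup -> ENTRUSTED group access
    parent: "ProtectedObject" = None                      # assumed parent link


def resolve_role(obj, user, group):
    """Return the access role level; roles are tested in level order, first match wins."""
    if user == obj.owner:
        return OWNER_USER
    if user in obj.administrators:
        return ADMIN_USER
    if group == obj.group:
        return OWNER_GROUP
    if group in obj.admin_groups:
        return ADMIN_GROUP
    if user in obj.entrusted_users:
        return ACCESS_FOR_USER
    if group in obj.entrusted_groups:
        return ACCESS_FOR_GROUP
    return PUBLIC_ACCESS


def access_for_role(obj, role, user, group):
    """Map a role to the protection setting that role is granted on this object."""
    if role in (OWNER_USER, ADMIN_USER):
        return obj.user_access
    if role in (OWNER_GROUP, ADMIN_GROUP):
        return obj.group_access
    if role == ACCESS_FOR_USER:
        return obj.entrusted_users[user]
    if role == ACCESS_FOR_GROUP:
        return obj.entrusted_groups[group]
    return obj.public_access


def effective_access(obj, user, group, superuser=False):
    """(role name on obj, effective flags after restrictions from parent objects)."""
    if superuser:                      # superuser bypasses the role system (assumption)
        return "SUPERUSER", ALL_ACCESS
    role = resolve_role(obj, user, group)
    flags = access_for_role(obj, role, user, group)
    node = obj.parent
    while node is not None:            # assumption: a parent can only remove flags
        parent_role = resolve_role(node, user, group)
        flags &= access_for_role(node, parent_role, user, group)
        node = node.parent
    return ROLE_NAMES[role], flags


def check_access(obj, user, group, required, superuser=False):
    """True when every flag in `required` is effectively granted."""
    _, flags = effective_access(obj, user, group, superuser)
    return flags & required == required


# Constructed sample hierarchy: a project owned by alice, containing a model owned by carol.
PROJECT = ProtectedObject(owner="alice", group="design", user_access=ALL_ACCESS,
                          group_access=READ_ACCESS | WRITE_ACCESS, public_access=READ_ACCESS,
                          administrators={"alice", "bob"}, admin_groups={"design"})
MODEL = ProtectedObject(owner="carol", group="design", user_access=ALL_ACCESS,
                        group_access=READ_ACCESS | WRITE_ACCESS | CREATE_ACCESS, public_access=0,
                        administrators={"carol"}, admin_groups={"design"},
                        entrusted_users={"dave": READ_ACCESS | WRITE_ACCESS},
                        entrusted_groups={"qa": READ_ACCESS}, parent=PROJECT)

if __name__ == "__main__":
    for user, group in (("carol", "design"), ("alice", "design"), ("dave", "qa"), ("frank", "ops")):
        role, flags = effective_access(MODEL, user, group)
        print(f"{user}/{group}: {role} -> {flags:02o}")
```

Note what the parent restriction does to carol: she owns MODEL and holds all five flags there, but on PROJECT she is only OWNER_GROUP with read and write, so she cannot delete MODEL. Checking the object alone, without its parents, would wrongly grant DELETE_ACCESS.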