
Re: [Handle-info] Types of users/Types of permissions



Note that the HS_VLIST type expects a binary encoding of the handle value list.  

Once you have 12345/usertype1 with an HS_VLIST value at index 200, you can use it as the "administrator" for HS_ADMIN values.  So for instance, on 12345/test, there could be one HS_ADMIN value specifying that 200:12345/usertype1 has "read secret value" permission, while a second HS_ADMIN value can specify that 200:12345/usertype2 has the various editing permissions.

Robert

On Nov 29, 2016, at 3:57 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Thanks Robert.

So, the point is:

Define a new handle (12345/usertype1) with index=200, type HS_VLIST where the value data is a list of users, for example as the documentation shows:
300:10.50/USR1; 300:10.50/USR2; 300:10.50/USR3;

Each of these values is a handle that represents a user (usr1, usr2, usr3) with HS_ADMIN permission (read/write), but what do you mean by "Then you could give 200:12345/usertype1 permissions on other handle records via HS_ADMIN values"?

In addition, if I create a new handle, 12345/handlexample, that could be read by "usertype1" (usr1, usr2, usr3) and modified by another type of user (e.g. "usertype2"), how can I, for the same handle (a specific index where specific data is stored), specify read permission for usertype1 and write permission for usertype2?

Thanks in advance.


From: Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Monday, November 28, 2016 15:59:43
To: Ruiz-Zafra, Angel
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] Types of users/Types of permissions
 
You can specify "groups" of administrators using the HS_VLIST handle value type.  For instance you could create 12345/usertype1 with a handle value at index 200 of type HS_VLIST with data being an encoded list of user identities.  Then you could give 200:12345/usertype1 permissions on other handle records via HS_ADMIN values.  That may give you functionality similar to "roles".

It is not possible to have index-specific permissions.  This may be tried in the future, but it was tried in the past and rejected as overly complicated.

If you need more fine-grained permissions, you may be best served by treating Handle as a back-end layer where your front-end manages permissions.

Robert

On Nov 28, 2016, at 8:11 AM, Ruiz-Zafra, Angel <a.ruiz-zafra@ucl.ac.uk> wrote:

Hi there!

A couple of questions:

1) Is it possible to define different types of "roles"? Not just the ADMIN, but also "usertype1", "usertype2", etc. How? (I'm using the Java client)

2) According to these different roles, is it possible to define specific permissions for different indexes of the same handle? I mean, if you have a handle (12345/test) with different values (index=1, url; index=2, url; index=3, text), is it possible to define different permissions for each one, so that "usertype1" could only read index 1 but not index 2 and 3, and "usertype2" could only access index 2 but not 1 and 3?

Or does Handle just ensure the security of access to the repository, with the permissions to be managed on my own?

I'm trying to use Handle as another security layer, managing permissions with handles, but I'm not sure if this is really possible.

Thanks in advance!
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
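
The binary encoding that the thread says HS_VLIST expects, shown as an added example that is not part of the original messages or of the Handle software. It assumes the HS_VLIST data layout described in RFC 3651 (a 4-byte big-endian count, then for each reference a 4-byte length, the UTF-8 handle, and a 4-byte index); the function names are hypothetical and the sample input is the textual list quoted in the thread.

```python
import struct

# Textual list quoted in the thread (index:handle pairs separated by ';').
SAMPLE = "300:10.50/USR1; 300:10.50/USR2; 300:10.50/USR3;"

def parse_refs(text):
    """Parse 'index:handle; index:handle;' into (index, handle) tuples."""
    refs = []
    for item in (part.strip() for part in text.split(";")):
        if not item:
            continue
        index, sep, handle = item.partition(":")
        if not sep or not index.isdigit() or not handle:
            raise ValueError(f"bad reference: {item!r}")
        refs.append((int(index), handle))
    return refs

def encode_vlist(refs):
    """Encode references as HS_VLIST data (layout assumed from RFC 3651)."""
    out = [struct.pack(">I", len(refs))]
    for index, handle in refs:
        raw = handle.encode("utf-8")
        out.append(struct.pack(">I", len(raw)) + raw + struct.pack(">I", index))
    return b"".join(out)

def decode_vlist(data):
    """Decode HS_VLIST data, rejecting truncated or over-long input."""
    pos = 0
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated HS_VLIST data")
        chunk = data[pos:pos + n]
        pos += n
        return chunk
    (count,) = struct.unpack(">I", take(4))
    refs = []
    for _ in range(count):
        (hlen,) = struct.unpack(">I", take(4))
        handle = take(hlen).decode("utf-8")
        (index,) = struct.unpack(">I", take(4))
        refs.append((index, handle))
    if pos != len(data):
        raise ValueError("trailing bytes after HS_VLIST data")
    return refs

if __name__ == "__main__":
    print(encode_vlist(parse_refs(SAMPLE)).hex())
```

Decoding a stored value with `decode_vlist` is a quick way to audit which identities a group such as 200:12345/usertype1 actually contains before relying on it in HS_ADMIN values.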
