-
Notifications
You must be signed in to change notification settings - Fork 0
SecurityModel
DBWiki has a built-in authentication system with simple user roles. Administrators can take any action, ordinary users abilities are limited by the access control policy.
Once you visit DBWiki page, you can start to use it without logging on the system. However there are 3 levels of granularity for permissions:
-
Authentication mode: set by the three flags "Never login (NO AUTHENTICATION), Login for updates (WRITE-ONLY AUTHENTICATION), or Always login (FULL AUTHENTICATION)" on the "Edit Database Wiki" page, which determine whether a user needs to log in for write access or both read and write access.
-
Collection-level authorization: sets whether a user is allowed or not allowed to read, insert, delete or update data for a whole collection, in the "Manage access authority" page.
-
Entry-level authorization: sets whether a user is allowed or not allowed to read, insert, delete or update data for a specific entry for a collection.
The user interface of Manage Users page, to which you can access through "Users" on top menu, shows us the User ID, their Login Name, Full Name and whether they are Administrator or not. Only administrators have access to this page.
There exist 4 types of permissions: Read Permission, Insert Permission, Delete Permission, and Update Permission. Only administrators can manage the permissions of other users. In addition, it is possible to set permissions for each entry of the database. On the Manage Authorization page you can easily set permissions for all users and by going to Manage by Entries, you are able to set permissions for each entry on the database. Below there are examples on changing permissions in each levels of authorization.
For setting a collection's authentication policy to "Login for updates":
- Go to the main Database Wiki page
- Click on the "Edit" menu for the database whose authentication policy you want to change
- On the resulting page click on the radio button for "Login for updates (WRITE-ONLY AUTHENTICATION)".
To manage the authorization policy for a collection:
- Below near Authorization by users click to the link "Manage access authority"
- On the resulting "Manage Authorization" page click on the radio button under Update Permission for the user you want to set.
The permission set at the collection-level may differ from these at the entry-level. If this is the case, the user is granted access if either the collection-level or entry-level permission is "Yes". Therefore, collection-level permissions grant access to all elements of a collection, while entry-level permissions grant access to single entries if the collection-level access is not granted. Let's say that Alice can edit countries but the entry for concrete country, e.g. Argentina, says Alice cannot edit. It means that the collection-level authorization has a privilege on the entry-level authorization. In other words, Alice is allowed to edit Argentina, if permission is set to her as 'yes' on collection-level, even there is 'no' on entry-level for Argentina.