SecurityModel
DBWiki has a built-in authentication system with simple user roles. Administrators can take any action; ordinary users' abilities are limited by the access control policy.
When you visit a DBWiki page, you can start using it without logging in to the system. You are also able to read or write data in databases. However, you don't have access to the main top menu. For example, if you want to edit a collection's authentication mode, reset the database or manage users, you need to log in to the system with administrator rights.
There are 3 levels of granularity for permissions:
- Authentication mode: set by one of three flags on the "Edit Database Wiki" page, "Never login (NO AUTHENTICATION)", "Login for updates (WRITE-ONLY AUTHENTICATION)" or "Always login (FULL AUTHENTICATION)", which determine whether a user needs to log in for write access or for both read and write access.
- Collection-level authorization: sets whether a user is allowed or not allowed to read, insert, delete or update data for a whole collection, on the "Manage access authority" page.
- Entry-level authorization: sets whether a user is allowed or not allowed to read, insert, delete or update data for a specific entry of a collection.
The Manage Users page, which you can access through "Users" on the top menu, shows each user's User ID, Login Name and Full Name, and whether they are an Administrator. Only administrators have access to this page.
There are 4 types of permissions: Read Permission, Insert Permission, Delete Permission, and Update Permission. Only administrators can manage the permissions of other users. In addition, it is possible to set permissions for each entry of the database. On the Manage Authorization page you can set permissions for all users, and by going to Manage By Entries you can set permissions for each entry in the database. Below are examples of changing permissions at each level of authorization.
For changing the authentication policy:
- Go to the main Database Wiki page
- Click on the "Edit" menu for the database whose authentication policy you want to change
- Set the policy and click on "Save".
For setting a collection's authentication policy to "Login for updates":
- Go to the main Database Wiki page
- Click on the "Edit" menu for the database whose authentication policy you want to change
- On the resulting page click on the radio button for "Login for updates (WRITE-ONLY AUTHENTICATION)".
To manage the authorization policy for a collection:
- Below, near "Authorization by users", click on the link "Manage access authority"
- On the resulting "Manage Authorization" page click on the radio button under one of the 4 permissions there for the user you want to set
- Click on "Save" to save the updated permission.
For changing the authorization policy for a given entry:
- Below, near "Authorization by users", click on the link "Manage access authority"
- On the resulting "Manage Authorization" page follow the link "Manage By Entries"
- On the resulting page set permissions for each entry
- Click on "Save" to save the updated permission.
The permissions set at the collection level may differ from those at the entry level. If this is the case, the user is granted access if either the collection-level or the entry-level permission is "Yes". Therefore, collection-level permissions grant access to all elements of a collection, while entry-level permissions grant access to single entries if collection-level access is not granted. Let's say that Alice can edit countries, but the entry for a specific country, e.g. Argentina, says Alice cannot edit. In that case the collection-level authorization takes priority over the entry-level authorization. In other words, Alice is allowed to edit Argentina if her permission is set to 'yes' at the collection level, even if it is 'no' at the entry level for Argentina.
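The decision rule described above, written out as a small model that also lists entry-level "No" settings that have no effect (an added example, not DBWiki's own code). The names `Policy`, `is_allowed` and `shadowed_entry_denials` are hypothetical, and it assumes that an unset permission counts as "No" and that actions which need no login under the authentication mode are open to everyone.

```python
from dataclasses import dataclass, field
from enum import Enum

class AuthMode(Enum):
    NEVER_LOGIN = "NO AUTHENTICATION"
    LOGIN_FOR_UPDATES = "WRITE-ONLY AUTHENTICATION"
    ALWAYS_LOGIN = "FULL AUTHENTICATION"

WRITES = {"insert", "delete", "update"}

@dataclass
class Policy:
    mode: AuthMode
    admins: set = field(default_factory=set)
    collection: dict = field(default_factory=dict)  # (user, action) -> bool
    entry: dict = field(default_factory=dict)       # (user, entry, action) -> bool

def login_required(mode, action):
    """Authentication mode: does this action need a logged-in user?"""
    if mode is AuthMode.ALWAYS_LOGIN:
        return True
    return mode is AuthMode.LOGIN_FOR_UPDATES and action in WRITES

def is_allowed(policy, user, action, entry):
    """Access decision; user is None for a visitor who has not logged in."""
    if user in policy.admins:
        return True   # administrators can take any action
    if not login_required(policy.mode, action):
        return True   # assumption: open actions skip per-user checks
    if user is None:
        return False
    # Either level saying "Yes" grants access; an entry-level "No" never revokes.
    return (policy.collection.get((user, action), False)
            or policy.entry.get((user, entry, action), False))

def shadowed_entry_denials(policy):
    """Entry-level "No" settings overridden by a collection-level "Yes"."""
    return sorted((u, e, a) for (u, e, a), ok in policy.entry.items()
                  if not ok and policy.collection.get((u, a), False))

# Constructed sample policy mirroring the Alice / Argentina case.
SAMPLE = Policy(
    mode=AuthMode.LOGIN_FOR_UPDATES,
    admins={"admin"},
    collection={("alice", "update"): True, ("bob", "update"): False},
    entry={("alice", "Argentina", "update"): False,
           ("bob", "Argentina", "update"): True},
)
```

With the sample policy, `is_allowed(SAMPLE, "alice", "update", "Argentina")` returns `True`, and `shadowed_entry_denials(SAMPLE)` reports Alice's Argentina setting as one that does not restrict her.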