$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $

Here's the rough scheme I was thinking of for RT2 ACLs. Thoughts? I think
it's a lot more flexible than RT 1.0, but not so crazily complex that
it will be impossible to implement. One of the "interesting" features
is the ability to grant ACLs based on watcher status. This now lives
Who can rights be granted to:

users whose id is <foo>
users who are watchers of type <requestor/cc/admincc> for <queue/ticket> <id>
users who are watchers of type <requestor/cc/admincc> for <this ticket / this queue>

What scope do these rights apply to:

What rights can be granted:

Only users with Manipulate Ticket level access will see comments
Manipulate Ticket Status
# {{{ Principals: These are the entities in your Access Control Element

Principal: What user does this right apply to

PrincipalScope, PrincipalType and PrincipalId

Type: Requestors; Cc; AdminCc
Id: A ticket id or 0 for "this ticket"

Id: A queue id or 0 for "this queue"
# {{{ Object: What object does this right apply to

Object is composed of an ObjectType and an ObjectId

Id: Integer ref to queue id or 0 for all queues

# {{{ Right: (What does this entry give the principal the right to do)

For the Object System:

For the Object "Queue":

Queue::ModifyWatchers

Ticket::UpdateRequestors
Ticket::UpdateAdminCc
Ticket::NotifyWatchers

Ticket::SetStatus: (Values)
# {{{ Implementation:

CREATE TABLE ACE (
  id int not null primary key auto_increment,
  PrincipalType VARCHAR(16),
  PrincipalScope VARCHAR(16),
  PrincipalId int,      -- referenced by the rights searches below; type assumed
  ObjectType VARCHAR(16),
  ObjectId int,         -- referenced by the rights searches below; type assumed
  Right VARCHAR(64)     -- referenced below; quote it where RIGHT is a reserved word
);
# {{{ perl implementation of rights searches

# Each principal clause is a fragment of an SQL WHERE clause. $User and $Ticket
# are interpolated straight into the SQL text here; a real implementation should
# bind them as query parameters instead of building the string this way.
$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND
( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";

$OwnerPrincipal = " ( ACE.PrincipalScope = 'Owner') AND
( Tickets.Owner = $User ) AND
( Tickets.Id = $Ticket)";

$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND
( ACE.PrincipalType = Watchers.Type ) AND
( ACE.PrincipalId = Watchers.Value ) AND
( Watchers.Owner = $User )";

# The Owner principal only applies when a ticket is in hand.
if (defined $Ticket) {
    $Principals = "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
} else {
    $Principals = "($UserPrincipal) OR ($WatchersPrincipal)";
}

$QueueObject = "( ACE.ObjectType = 'Queue' AND (ACE.ObjectId = $Queue OR ACE.ObjectId = 0))";

$SystemObject = "( ACE.ObjectType = 'System' )";

# This select statement would figure out if a user has $Right at the queue level.
# Note that "FROM ACE, Watchers, Tickets" is a cross join: if Watchers or Tickets
# has no rows the product is empty and even a direct User grant is not found.
SELECT ACE.id FROM ACE, Watchers, Tickets WHERE (
($QueueObject)
AND ( ACE.Right = '$Right')
AND ($Principals))

# This select statement would figure out if a user has $Right for the "System"
SELECT ACE.id FROM ACE, Watchers, Tickets WHERE (
($SystemObject) AND ( ACE.Right = '$Right' ) AND ($Principals))
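As an added example (not the document's or RT's own code), the rights search above written in Python with sqlite3 instead of Perl: the three principal clauses and two object clauses from the design, with the Watchers and Tickets lookups rewritten as EXISTS subqueries so that an empty Watchers table cannot mask a direct User grant, and with PrincipalId 0 handled as "this ticket" / "this queue" as the Principals section specifies. The Watchers and Tickets column names and the 'Ticket'/'Queue' scope values for watcher principals are assumptions.

```python
import sqlite3

# Constructed schema: the doc's ACE table plus the Watchers and Tickets tables
# its queries join against (those two tables' column names are assumptions).
SCHEMA = """
CREATE TABLE ACE (id INTEGER PRIMARY KEY AUTOINCREMENT, PrincipalScope TEXT,
                  PrincipalType TEXT, PrincipalId INTEGER, ObjectType TEXT,
                  ObjectId INTEGER, "Right" TEXT);
CREATE TABLE Watchers (Scope TEXT, Type TEXT, Value INTEGER, Owner INTEGER);
CREATE TABLE Tickets (Id INTEGER PRIMARY KEY, Queue INTEGER, Owner INTEGER);
"""
# The doc's three principal clauses. Watcher and Owner lookups are EXISTS
# subqueries rather than a cross join, so an empty Watchers or Tickets table
# cannot hide a direct User grant; PrincipalId 0 means "this ticket/queue".
USER_P = ("(ACE.PrincipalScope = 'User' AND "
          "(ACE.PrincipalId = :user OR ACE.PrincipalId = 0))")
OWNER_P = ("(ACE.PrincipalScope = 'Owner' AND EXISTS (SELECT 1 FROM Tickets T "
           "WHERE T.Id = :ticket AND T.Owner = :user))")
WATCH_P = """EXISTS (SELECT 1 FROM Watchers W
    WHERE W.Owner = :user AND ACE.PrincipalScope = W.Scope
      AND ACE.PrincipalType = W.Type
      AND (ACE.PrincipalId = W.Value
           OR (ACE.PrincipalId = 0 AND W.Scope = 'Ticket' AND W.Value = :ticket)
           OR (ACE.PrincipalId = 0 AND W.Scope = 'Queue' AND W.Value = :queue)))"""
# The doc's object clauses: a System grant applies everywhere, ObjectId 0 = all queues.
OBJECT = ("((ACE.ObjectType = 'System') OR (ACE.ObjectType = 'Queue' AND "
          "(ACE.ObjectId = :queue OR ACE.ObjectId = 0)))")


def has_right(conn, user, right, queue, ticket=None):
    """True if `user` holds `right` on `queue` (Owner applies only with a ticket)."""
    principals = [USER_P, WATCH_P] + ([OWNER_P] if ticket is not None else [])
    sql = ("SELECT 1 FROM ACE WHERE " + OBJECT + ' AND ACE."Right" = :right AND ('
           + " OR ".join(principals) + ") LIMIT 1")
    params = {"user": user, "right": right, "queue": queue, "ticket": ticket}
    return conn.execute(sql, params).fetchone() is not None

def demo_db():
    """Constructed sample data exercising each principal scope."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Tickets VALUES (17, 2, 5)")  # ticket 17, queue 2, owner 5
    conn.execute("INSERT INTO Watchers VALUES ('Ticket', 'Requestor', 17, 9)")  # user 9 requested 17
    conn.executemany("INSERT INTO ACE VALUES (NULL, ?, ?, ?, ?, ?, ?)", [
        ("User", None, 7, "System", 0, "Queue::ModifyWatchers"),   # user 7, every queue
        ("Owner", None, 0, "Queue", 0, "Ticket::SetStatus"),       # whoever owns the ticket
        ("Ticket", "Requestor", 0, "Queue", 2, "Ticket::NotifyWatchers"),  # requestors of this ticket
    ])
    return conn
```

With the sample data, user 7 holds Queue::ModifyWatchers on any queue via the System grant, user 5 holds Ticket::SetStatus only when checked against ticket 17 that they own, and user 9 holds Ticket::NotifyWatchers in queue 2 only for the ticket they requested.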
There needs to be a more refined method for grouping users, such that members of the customer service department
can't change sysadmins' passwords.