$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $

# {{{ Requirements

Here's the rough scheme I was thinking of for RT2 acls. Thoughts?
I think it's a lot more flexible than RT 1.0, but not so crazily complex
that it will be impossible to implement. One of the "interesting" features
is the ability to grant acls based on watcher status.

This now lives in design-docs/acls
  jesse

Who can rights be granted to:
  users whose id is
  users who are watchers of type for
  users who are watchers of type for

What scope do these rights apply to
  queue
  system

What rights can be granted
  Display Ticket
  Manipulate Ticket
    Only users with manipulate ticket level access will see comments
  Manipulate Ticket Status
  Create Ticket
  Admin Queue Watchers
  Admin Ticket Watchers
  Admin user accounts
  Admin scrips
  Admin scripscopes
  Admin Queue ACLS
  Admin System ACLs

# }}}

# {{{ Principals

These are the entities in your Access Control Element

# Principal: What user does this right apply to
  Made up of: PrincipalScope, PrincipalType and PrincipalId

  User:
    Scope: User
    Type: null
    Id: A userid or 0

  Owner:
    Scope: Owner
    Type: null
    Id: none

  Watchers:
    Scope: Ticket
    Type: Requestors; Cc; AdminCc
    Id: A ticket id or 0 for "this ticket"

    Scope: Queue
    Type: Cc; AdminCc
    Id: A queue id or 0 for "this queue"

# }}}

# {{{ Object: What object does this right apply to
  Object is composed of an ObjectType and an ObjectId

  Type: System
  Id: NULL

  Type: Queue
  Id: Integer ref to queue id or 0 for all queues

# }}}

# {{{ Right: (What does this entry give the principal the right to do)

  For the Object System:
    System::SetACL
    System::AdminScrips
    User::Display
    User::Create
    User::Destroy
    User::Modify
    User::SetPassword

  For the Object "Queue":
    Queue::Admin
    Queue::SetACL
    Queue::Create
    Queue::Display
    Queue::Destroy
    Queue::ModifyWatchers
    Ticket::Create
    Ticket::Destroy
    Ticket::Display
    Ticket::Update
    Ticket::UpdateRequestors
    Ticket::UpdateCc
    Ticket::UpdateAdminCc
    Ticket::NotifyWatchers DEFERRED
    Ticket::SetStatus: (Values) Open Resolved Stalled means any

# }}}

# {{{ Implementation:

# {{{ SQL Schema

CREATE TABLE ACL (
  id int not null primary_key autoincrement,
  PrincipalId INT(11),
  PrincipalType VARCHAR(16),
  PrincipalScope VARCHAR(16),
  ObjectType VARCHAR(16),
  ObjectId INT,
  Right VARCHAR(16)
);

# }}}

# {{{ perl implementation of rights searches

# Note: the schema above names the table ACL, while the fragments below query
# it as ACE (and one clause uses ACL.PrincipalId); one name should be used
# throughout. These fragments also interpolate $User, $Ticket, $Queue and
# $Right straight into the SQL text. The implementation should pass them as
# bound parameters, or at least check that the ids are integers and that
# $Right is one of the right names listed above, rather than building the
# query by string concatenation.

sub Principals {
  if (defined $Ticket) {
    return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
  } else {
    return "($UserPrincipal) OR ($WatchersPrincipal)";
  }
}

$Principals = " ($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";

$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";

$OwnerPrincipal = " ( ACE.PrincipalScope = 'Owner') AND ( Tickets.Owner = $User ) AND ( Tickets.Id = $Ticket)";

$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND ( ACE.PrincipalType = Watchers.Type ) AND ( ACL.PrincipalId = Watchers.Value ) AND ( Watchers.Owner = $User )";

$QueueObject = "( ACE.ObjectType = 'Queue' and (ACE.ObjectId = $Queue OR ACE.ObjectId = 0)";

$SystemObject = "( ACE.ObjectType = 'System' )";

# This select statement would figure out if a user has $Right at the queue level

SELECT ACE.id from ACE, Watchers, Tickets WHERE ( $QueueObject AND ( ACE.Right = $Right) AND ($Principals))

# This select statement would figure out if a user has $Right for the "System"

SELECT ACE.id from ACE, Watchers, Tickets WHERE ( ($SystemObject) AND ( ACE.Right = $Right ) AND ($Principals))

# }}}

# }}}

# {{{ Examples
#
# }}}

Unaddressed issues:
  There needs to be a more refined method for grouping users, such that
  members of the customer service department can't change sysadmins' passwords.