import rt 2.0.14

[freeside.git] / rt / docs / design_docs / acls

diff --git a/rt/docs/design_docs/acls b/rt/docs/design_docs/acls
new file mode 100644 (file)
index 0000000..3b9d856
--- /dev/null
+++ b/rt/docs/design_docs/acls
@@ -0,0 +1,206 @@
+$Header: /home/cvs/cvsroot/freeside/rt/docs/design_docs/acls,v 1.1 2002-08-12 06:17:07 ivan Exp $
+
+
+
+# {{{ Requirements 
+
+Here's the rough scheme I was thinking of for RT2 acls. Thoughts? I think
+it's a lot more flexible than RT 1.0, but not so crazily complex that
+it will be impossible to implement.  One of the "interesting" features
+is the ability to grant acls based on watcher status. This now lives
+in design-docs/acls
+
+        jesse
+
+Who can rights be granted to:
+
+       users whose id is <foo>
+       users who are watchers of type <requestor/cc/admincc> for <queue/ticket> <id>
+       users who are watchers of type <requestor/cc/admincc> for <this ticket / this queue>
+
+
+what scope do these rights apply to
+       queue <id>
+       system
+       
+
+What rights can be granted
+       Display Ticket
+       Manipulate Ticket
+               Only users with manipulate ticket level access will see comments
+       Maniplulate Ticket Status
+       Create Ticket   
+
+       Admin Queue Watchers 
+       Admin Ticket Watchers
+       Admin user accounts
+       Admin scrips
+       Admin scripscopes
+       Admin Queue ACLS
+       Admin System ACLs
+
+# }}}
+
+
+# {{{ Prinicpals  These are the entities in your Access Control Element
+#
+
+Principal: What user does this right apply to
+
+       Made up of: 
+               PrincipalScope, PrincipalType and PrincipalId
+
+       
+       User:   
+               Scope:  User    
+               Type:   null
+               Id:     A userid or 0
+
+       Owner:
+               Scope:  Owner
+               Type:   null
+               Id:     none
+
+
+       Watchers:
+
+               Scope: Ticket
+               Type:   Requestors; Cc; AdminCc
+               Id:     A ticket id or 0 for "this ticket"
+
+               Scope: Queue
+               Type:   Cc; AdminCc
+               Id:     A queue id or 0 for "this queue"
+
+
+# }}}
+
+# {{{ Object: What object does this right apply to
+
+       Object is composed of an ObjectType and an ObjectId
+
+       Type:   System  
+       Id:     NULL
+
+       Type:   Queue
+       Id:     Integer ref to queue id or 0 for all queues
+       
+# }}}
+
+# {{{ Right: (What does this entry give the principal the right to do)
+
+
+
+       For the Object System:
+               System::SetACL
+               System::AdminScrips
+
+               User::Display
+               User::Create
+               User::Destroy
+               User::Modify
+               User::SetPassword
+
+
+
+       For the Object "Queue":
+               Queue::Admin
+               Queue::SetACL
+               Queue::Create
+               Queue::Display
+               Queue::Destroy
+               Queue::ModifyWatchers
+               Ticket::Create
+               Ticket::Destory
+               Ticket::Display
+               Ticket::Update
+               Ticket::UpdateRequestors
+               Ticket::UpdateCc
+               Ticket::UpdateAdminCc
+               Ticket::NotifyWatchers
+
+               
+               DEFERRED
+
+               Ticket::SetStatus:      (Values)
+                                       Open
+                                       Resolved
+                                       Stalled
+                                       <null> means any
+
+
+# }}}
+
+
+# {{{ Implementation:
+
+# {{{ SQL Schema 
+CREATE TABLE ACL (
+       id int not null primary_key autoincrement,
+       PrinicpalId INT(11),
+       PrincipalType VARCHAR(16),
+       PrincipalScope VARCHAR(16),
+       ObjectType VARCHAR(16),
+       ObjectId  INT,
+       Right VARCHAR(16)
+);
+
+# }}}
+
+# {{{ perl implementation of rights searches
+
+sub Principals {
+if (defined $Ticket) {
+       return "($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
+       }
+else {
+       return   "($UserPrincipal) OR ($WatchersPrincipal)";
+       }  
+}
+       
+$Principals = " ($UserPrincipal) OR ($OwnerPrincipal) OR ($WatchersPrincipal)";
+
+$UserPrincipal = " ( ACE.PrincipalScope = 'User') AND 
+                  ( ACE.PrincipalId = $User OR ACE.PrincipalId = 0)";
+
+$OwnerPrincipal = " ( ACE.PrinciaplScope = 'Owner') AND 
+                     ( Tickets.Owner = "$User ) AND    
+                     ( Tickets.Id = $Ticket)";
+
+$WatchersPrincipal = " ( ACE.PrincipalScope = Watchers.Scope ) AND 
+                     ( ACE.PrincipalType = Watchers.Type ) AND 
+                     ( ACL.PrincipalId = Watchers.Value ) AND 
+                     ( Watchers.Owner = $User )";
+
+$QueueObject = "( ACE.ObjectType = 'Queue' and (ACE.ObjectId = $Queue OR ACE.ObjectId = 0)";
+
+$SystemObject = "( ACE.ObjectType = 'System' )";
+
+
+# This select statement would figure out if A user has $Right at the queue level
+
+SELECT ACE.id from ACE, Watchers, Tickets WHERE ( 
+            $QueueObject
+            AND ( ACE.Right = $Right) 
+            AND ($Principals))
+
+# This select statement would figure outif a user has $Right for the "System"
+
+SELECT ACE.id from ACE, Watchers, Tickets WHERE ( 
+            ($SystemObject) AND ( ACE.Right = $Right ) AND ($Principals))
+
+# }}}
+
+# }}}
+
+# {{{ Examples
+#
+
+# }}}  
+
+
+
+Unaddressed issues:
+
+       There needs to be a more refined method for grouping users, such that members of the customer service department
+can't change sysadmins' passwords.