Controlling access to an organisation's data is based on two key concepts: authentication (who is it?) and authorisation (what can be seen and done?).
Authorisation is based on a combination of functional and relational access policies/controls.
In a space that holds the data for a single organisation, most of the access controls are functional.
In a space that holds the data for many organisations, e.g. a collaboration space representing a network of organisations and their relationships to each other, more of the access controls are relational, supported by functional access controls.

| Functional | Relational |
|---|---|
| Access to data is based on the ability to invoke functions on the data objects and field restrictions. | Access to data is based on relational data* within the space. (* Relationships between contacts & users, represented by their linked contact record.) |
| Access is set up by the space administrator based on user roles (static). | Access policy changes as data changes (reflective). |
| Design/administrator driven. | User driven (via the creation of relationships) based on functional access and existing relational access. |
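
The difference between the two control types, as an added example that is not mydigitalstructure code: a toy in-memory model in which every name (`roleAccess`, `links`, `canAccess`, `share`, `unshare`) and the single-hop link rule are assumptions made for illustration. It shows access changing when a relationship is created or removed while the user roles stay fixed.

```javascript
// Toy in-memory model of the two control types (hypothetical names throughout;
// this is not the mydigitalstructure API).

// Functional (static, administrator-defined): methods each user role may invoke per object.
const roleAccess = {
  Member: { action: ['search', 'share'] },
  Guest: { action: ['search'] }
};

// Each user is represented in the space by a linked contact record.
const users = {
  bob: { role: 'Member', contact: 'contact-bob' },
  jane: { role: 'Member', contact: 'contact-jane' },
  eve: { role: 'Guest', contact: 'contact-eve' }
};

// Relational (reflective): links between contacts, created by users at run time.
const links = new Set();

function hasFunctionalAccess(user, object, method) {
  const methods = (roleAccess[users[user].role] || {})[object] || [];
  return methods.includes(method);
}

function hasRelationalAccess(user, record) {
  const contact = users[user].contact;
  return record.owner === contact || links.has(`${record.owner}>${contact}`);
}

// Both checks must pass: the role allows the method AND a relationship reaches the record.
function canAccess(user, method, record) {
  return hasFunctionalAccess(user, record.object, method) && hasRelationalAccess(user, record);
}

// Sharing is user driven but still gated by functional and existing relational access.
function share(sharer, recipient, record) {
  if (!canAccess(sharer, 'share', record)) return false;
  links.add(`${record.owner}>${users[recipient].contact}`);
  return true;
}

// Only links that start at the caller's own contact record can be removed.
function unshare(owner, recipient) {
  return links.delete(`${users[owner].contact}>${users[recipient].contact}`);
}

// Constructed sample record owned by Bob's contact.
const bobsAction = { object: 'action', owner: 'contact-bob' };
```
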

| Item | Description |
|---|---|
| Relational access control (paths) | Based on links (relationships) between users and contacts (organisations & individuals) |
| Relational access control (sharing example) | Based on links (relationships) between users and contacts |
| Relational access control type | |
| Functions | `mydigitalstructure._util.security.share.link`: Also available as controller: `util-security-share-link`. Requires version mydigitalstructure 3.3.7 or later and mydigitalstructure.util version 3.8.4 or later. |
| Sharing Controllers | |
| Bob the sharer example | Bob (user) needs to be able to share his information with Jane (user). |
| Method based data access control | Controlling the share methods |
| Security object | |
| User Role based Access Controllers | |
| Initialising the view queue | You can set the user roles during initialisation. Content will only be added or rendered if the user has one of the user roles. `app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})` |
| Adding to the view queue | You can set the user roles when adding to the view queue. Content will only be added if the user has one of the user roles. `app.vq.add('<div>Hello</div>', {queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})` |
| Showing/rendering the view queue | You can set the user roles when rendering the view queue. Content will only be rendered if the user has one of the user roles. `app.vq.init({queue: 'myqueue', roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }]})` |
| Showing the whole table | Table will only be shown if the user has one of the user roles. `app.invoke('util-view-table', { ..., roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }] })` |
| Showing columns | Table column will only be added if the user has one of the user roles. `app.invoke('util-view-table', { ..., columns: [{ ..., roles: [{ title: 'User Role 1' }, { title: 'User Role 2' }] }] })` |