apache > lenya
 
 
PDF -icon
PDF

Basic Terms

Role

Roles are the connection between access control and CMS functionality. On the access control side, you assign Roles to users, IP address ranges and groups at certain URL spaces. On the CMS side, you define which Roles are needed to execute certain usecases and workflow transitions. If the client has a certain Role, this means he is allowed to do something.

Each Role has a unique name. Role names can be arbitrary strings. Examples are

  • author
  • reviewer
  • admin

Another common approach and useful is to use verbs as role names:

  • edit
  • review
  • administrate

Identifiable

An Identifiable is a characteristic of the client that can be identified. Every Identifiable is Accreditable. Lenya currently supports the following Identifiables:

  • users
  • machines
  • the world (this idenitifiable is assigned to every client that tries to access the system)

Identity

An Identity is the collection of all Identifiables that have access to the system in the current session. The Identity always contains the world and the machine that produced the request. If you logged in, the user is also contained in the Identity.

For instance, if you log in from the machine 192.168.0.16 as the user john, the Identity of the client contains

  • the machine 192.168.0.16,
  • the user john, and
  • the world.

Accreditable

An Accreditable can be accredited with Roles in Policies. Lenya currently supports the following Accreditables:

  • users
  • machines (accredition not implemented, use IP ranges instead)
  • IP address ranges
  • the world
  • groups

Credential

A Credential assigns a set of Roles to an Accreditable, e.g.:

  • news_editors: editor, reviewer
    means "The group news_editors has the Roles editor and reviewer."

Policy

A Policy defines a set of Credentials for a certain URL. It has the responsibility to return all Roles of an Accreditable at a certain URL.

If for instance the Policy for the URL /tv/news contains the Credentials

  • news_editors: editor, reviewer
  • john: admin
  • 192.168.0.72: visitor

and user john belongs to the group news_editors and has logged in from the machine 192.168.0.72, the Policy returns the Roles editor, reviewer, admin, visitor for the Accreditable john.

A Policy may not contain invalid Accreditables. E.g., if a user is deleted and another user with the same ID is created, he may not get the same privileges as the former one.