Commit 53ca424b authored by Bartek Górny's avatar Bartek Górny

complete implementation of security - six basic policies

git-svn-id: https://svn.erp5.org/repos/public/erp5/trunk@11748 20353a03-c40f-0410-a6d1-a30d3c3de9de
parent 0faec4f0
<type_roles>
<role id='Associate'>
<property id='title'>Project Associates</property>
<property id='description'>Policy: */project
Rule: all project members have a right to access document once it has been shared or released</property>
<property id='condition'>python:object.Document_policyApplies('*/project')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>source_project</multi_property>
</role>
<role id='Assignor'>
<property id='title'>Team Reviewer</property>
<property id='description'>The head of the team who is in charge of reviewing documents published by his team. He is granted special rights on documents produced by his team.</property>
<property id='condition'>python: not object.getSourceProject()</property>
<property id='priority'>10.0</property>
<property id='title'>Project Director</property>
<property id='description'>Policy: */project
Rule: project director is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property>
<property id='condition'>python:object.Document_policyApplies('*/project')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='category'>function/publication/reviewer</multi_property>
<multi_property id='category'>function/knowledge/manager</multi_property>
<multi_property id='base_category'>function</multi_property>
<multi_property id='base_category'>source_project</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Owner</property>
<property id='description'>Policy: */*
Rule: the creator is Assignee - can edit the doc and submit it</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromUser</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>reference</multi_property>
</role>
<role id='Auditor'>
<property id='title'>Organisation members</property>
<property id='description'>Policy: */*
Rule: all people working for the same organisation are Auditors (we identify the organisation by the first part of the "group" path)
This does not apply if it is a project document and does not have a project</property>
<property id='condition'>python: not object.Document_policyApplies('*/restricted') and (object.Document_policyApplies('*/project') or not object.Document_policyApplies('*/project',True) )</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>group</multi_property>
<multi_property id='base_category'>site</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Project Assignees</property>
<property id='description'>In a project collaborative document, all project members have a right to access and modify a document before release or publication.</property>
<property id='condition'>python:object.getSourceProject() and object.isMemberOf('classification/collaborative/project')</property>
<property id='priority'>10.0</property>
<property id='title'>Project Collaborators</property>
<property id='description'>Policy: collaborative/project
Rule: all members of project team can edit the document before it is submitted, and can submit it</property>
<property id='condition'>python:object.Document_policyApplies('collaborative/project')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>source_project</multi_property>
</role>
<role id='Associate'>
<property id='title'>Project Associates</property>
<property id='description'>In a project document, all project members have a right to access the document before it is released or published.</property>
<property id='condition'>python: object.getSourceProject()</property>
<property id='priority'>10.0</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='base_category'>source_project</multi_property>
<role id='Assignor'>
<property id='title'>Team Director</property>
<property id='description'>Policy: */team
Rule: team manager is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property>
<property id='condition'>python:object.Document_policyApplies('*/team')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
<multi_property id='category'>function/auc/department/director_of_department</multi_property>
<multi_property id='base_category'>group</multi_property>
<multi_property id='base_category'>function</multi_property>
</role>
<role id='Assignor'>
<property id='title'>Project Reviewer</property>
<property id='description'>The head of the project who is in charge of reviewing documents produced by the project before release or publication.</property>
<property id='condition'>python: object.getSourceProject()</property>
<property id='priority'>10.0</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='category'>function/project/director</multi_property>
<multi_property id='base_category'>source_project</multi_property>
<property id='title'>Team Deputy</property>
<property id='description'>Policy: */team
Rule: team manager is an Assignor (has management rights to the doc - can review it, release, publish, add local roles)</property>
<property id='condition'>python:object.Document_policyApplies('*/team')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
<multi_property id='category'>function/auc/department/deputy_director_of_department</multi_property>
<multi_property id='base_category'>group</multi_property>
<multi_property id='base_category'>function</multi_property>
</role>
<role id='Associate'>
<property id='title'>Team Associates</property>
<property id='description'>All team members have a right to access non restricted documents before their release or publication.</property>
<property id='condition'>python:not object.isMemberOf('classification/personnal/restricted')</property>
<property id='priority'>10.0</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<property id='description'>Policy: */team
Rule: all team members have a right to access document once it has been shared or released</property>
<property id='condition'>python:object.Document_policyApplies('*/team')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>group</multi_property>
<multi_property id='base_category'>function</multi_property>
<multi_property id='base_category'>site</multi_property>
</role>
<role id='Auditor'>
<property id='title'>Management</property>
<property id='description'>Management has to access anydocument in the system.</property>
<property id='priority'>10.0</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromArrow</property>
<multi_property id='category'>function/hq</multi_property>
<role id='Assignee'>
<property id='title'>Team Collaborators</property>
<property id='description'>Policy: collaborative/team
Rule: all members of the team can edit the document before it is submitted, and can submit it</property>
<property id='condition'>python:object.Document_policyApplies('collaborative/team')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>group</multi_property>
</role>
<role id='Assignee'>
<property id='title'>Public Collaborators</property>
<property id='description'>Policy: collaborative/public
Rule: everyone in the organisation (root group) can edit the doc before it is submitted, and can suggest its publication</property>
<property id='condition'>python:object.Document_policyApplies('collaborative/public')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryRoot</property>
<multi_property id='category'></multi_property>
<multi_property id='base_category'>group</multi_property>
</role>
<role id='Assignor'>
<property id='title'>Public Reviewer</property>
<property id='description'>Policy: collaborative/public
Rule: any person with knowledge/manager role can publish the document and manage access rights to it</property>
<property id='condition'>python:object.Document_policyApplies('collaborative/public')</property>
<property id='priority'>10</property>
<property id='base_category_script'>ERP5Type_getSecurityCategoryFromAssignment</property>
<multi_property id='category'>function/knowledge/manager</multi_property>
<multi_property id='base_category'>function</multi_property>
</role>
</type_roles>
\ No newline at end of file
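Review bot: The Auditor role "Organisation members" is a grant with exceptions rather than a grant on a positive match: its condition gives the root group and site read access to every document unless `Document_policyApplies('*/restricted')` matches. A document with a missing or misspelled classification would therefore presumably become readable organisation-wide. `Document_policyApplies` is not shown on this page, so its result for an unclassified document should be confirmed. The bare `True` in `Document_policyApplies('*/project',True)` carries the whole "project document without a project" exception but its meaning is not stated; passing it as a keyword argument would make the rule reviewable. I would also add a comment above the role, such as `<!-- Auditor is the fallback grant: every non-restricted document, except a project-policy document with no project, is readable organisation-wide -->`.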