...

Roles define similar sets of access rights. Roles are assigned to users; a user having a role gets the rights defined by the role. We do not place any constraints on the number of roles assigned to a user or the number of access rights (accounts) defined by a role. All the associations can be thought of as many-to-many. The basic role structure is illustrated in the following diagram.

...

If the captain and pirate roles get assigned to Jack, the result should be that Jack has three accounts: Maritime Information System account, Rum Supply Management account and Shipwreck Cove account. Roles imply these accounts. A user assigned to a role will get accounts on all resources that the role implies (unless he already has such accounts).

The implied accounts are defined by the Account Construction XML structure. It basically defines the resource in which the account has to be created, the account type and an optional condition.
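
The resolution described above, sketched as an added example (not code from the product or from this page). The split of the three accounts between the two roles, the `default` account type, the `active` condition and the "Tortuga Tavern" account are assumptions made for illustration; the `unjustified` bucket goes slightly beyond the text and lists accounts that no assigned role implies, which is what an access review would look at.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class AccountConstruction:
    """One implied account: resource, account type, optional condition."""
    resource: str
    account_type: str = "default"                       # assumed type name
    condition: Optional[Callable[[dict], bool]] = None  # evaluated on the user


@dataclass
class Role:
    name: str
    implied_accounts: list = field(default_factory=list)


# Constructed role definitions; which role implies which account is assumed.
ROLES = {
    "captain": Role("captain", [
        AccountConstruction("Maritime Information System"),
        AccountConstruction("Rum Supply Management"),
    ]),
    "pirate": Role("pirate", [
        AccountConstruction("Rum Supply Management"),
        # Hypothetical condition: only active users get this account.
        AccountConstruction("Shipwreck Cove",
                            condition=lambda user: user.get("active", True)),
    ]),
}


def resolve_accounts(user, role_names, existing_accounts):
    """Compare the accounts implied by the user's roles with those he has."""
    implied = set()
    for role_name in role_names:
        if role_name not in ROLES:
            raise ValueError(f"unknown role: {role_name}")
        for construction in ROLES[role_name].implied_accounts:
            if construction.condition is None or construction.condition(user):
                # A set removes duplicates when two roles imply one account.
                implied.add((construction.resource, construction.account_type))
    existing = set(existing_accounts)
    return {
        "create": sorted(implied - existing),       # implied, not yet present
        "keep": sorted(implied & existing),         # already has such accounts
        "unjustified": sorted(existing - implied),  # held, implied by no role
    }
```
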

...

The role can also imply specific attributes for the account, e.g. a specific text in the account description field. Attribute values implied by the roles may be fixed (static), but that is usually not sufficient to avoid a role explosion problem. More frequently the implied attributes are derived from other values, e.g. fields of the User object. The principle is illustrated in the following diagram.

...

The XML role definition is as follows:

    <m:role oid="9991">
        <c:name>Captain</c:name>
        <m:impliedAccount>
            <m:resourceRef oid="8882" type="ResourceType"/>
            <m:entitlement objectClass="mis:GroupObjectClass">
                <value>
                    <mis:id>captains</mis:id>
                </value>
            </m:entitlement>
        </m:impliedAccount>
    </m:role>

...