OpenWGA 7.9 - OpenWGA Concepts and Features

Authorisation » Application level authorisations

Access privileges

Privileges are predefined single rights for special operations that are assigned to or revoked from a user. Current OpenWGA supports the following privileges:

Privilegien sind spezielle vordefinierte Einzelberechtigungen, die einem Benutzer erteilt bzw. entzogen werden k├Ânnen. Momentan kennt WGA zwei Privilegien:

May delete document

Users that are revoked this right are not able to delete any active documents in the database. This privilege cannot be assigned to a user that cannot delete documents anyway because of his access level. This restriction however does not apply to inactive documents, like draft contents or empty struct entries.

May move pages / struct entries

Users with this privilege are allowed to move page branches inside an OpenWGA application to new positions.

May use application directly

This privilege denotes that the user may directly use this applications WebTML UI. A user without this privilege is not allowed to use the following resources of an application:

  • WebTML requests of the OpenWGA application of all kinds
  • WebDAV content shares providing contents from this application
  • Remote actions calling WebTML actions of this application

The user however may still use the following resources directly:

  • File attachments on content documents and file containers published via HTTP URL: There is no way to restrict direct access to these without restricting access altogether as they are always published as separate resources via a separate URL.
  • Script resources of type "css" and "javascript" published via HTTP URL for the same reason

Normally every ACL entry owns this privilege. It may get removed for users who are not allowed to directly access a specific application, therefor preventing them free access to all resources they are allowed to read. These users generally may have access to this applications data, but only if it is provided by the UI of another application, where the data that is accessed may be guided more strictly.

Do not inherit roles from less specific ACL entries

This privilege is a utility to revoke a user role from special persons that normally would have this role because of a group ACL entry.

Normally a user gains all user roles from all ACL entries that match him, even very generic ones like "*" or "authenticated". If one of those ACL entries has this privilege it will prevent him from gaining user roles from ACL entries that are "less specific" than the current one.

To determine which ACL entries are "less specific" than other ones OpenWGA uses the type of name that the ACL entry contains. The following order is in effect here (from very specific to less specific):

User name < Group name < Predefined group "authenticated" < Predefined group "*" (All users)