[gold-users] Re: Gold role based ACL

Scott Jackson scott at clusterresources.com
Wed Nov 29 19:30:18 MST 2006


Ale,

Sorry it took me so long to reply. I'm trying desperately to unbury
myself.

If you take off Query for ANY object, you will have to explicitly add
Query for all of the objects you want Anonymous users to see. These must
include 

Object
Attribute
Action
Role
RoleAction
RoleUser

at a minimum.

As far as using the SELF instance, this is only supported for User (when
the user is querying themselves) and any object which has an attribute
named User and the user is querying their own instances (like: Password,
Transaction, Reservation, Quotation, Job (goldsh Attribute Query
Name==User Show:=Object)).

The MEMBERS instance can be used for associations where the child object
is User (like: ProjectUser, AccountUser (goldsh Object Query
Association==True Child==User Show:=Name)) or for objects which have
User associations (like: Project, Account (goldsh Object Query
Association==True Child==User Show:=Parent)). 

It's actually a bit tough to get them to be able to query only their own
account balance since the queries involved in this calculation involve
several objects and the queries used are elaborate joins that do not
restrict themselves to the user-owned objects. You will have to
experiment by running a query and examining the goldd.log to see all of
the independent queries that are made to perform the balance query.

I hope this helps,

Scott
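As an added example (not code from this thread, nor from Gold's own documentation), here is a small POSIX shell script that applies the ACL layout Scott describes: it removes the blanket Anonymous Query grant, re-adds Query on the six metadata objects, restricts the objects that carry a User attribute to SELF and the User associations to MEMBERS. The goldsh Create/Delete argument forms (Field=value assignments, Field==value conditions) are assumed from the Query form shown in the thread, and the GOLD_DRY_RUN variable is the script's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gold itself.
# Replaces the blanket "Anonymous ANY Query ANY" RoleAction with the
# minimum Query grants Scott lists, plus SELF-restricted Query on
# objects that carry a User attribute and MEMBERS-restricted Query on
# the User associations. The goldsh Create/Delete argument forms
# (Field=value assignments, Field==value conditions) are assumed from
# the Query form shown in the thread; GOLD_DRY_RUN is this script's own.

# With GOLD_DRY_RUN=1 commands are printed instead of executed, so the
# resulting ACL change can be reviewed before it touches the live server.
run() {
  if [ "${GOLD_DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Objects every client must be able to enumerate (goldsh metadata).
ANON_META="Object Attribute Action Role RoleAction RoleUser"
# Objects with a User attribute: callers see only their own rows.
# (Password is omitted: it already has "ANY SELF" in the default ACL.)
ANON_SELF="User Transaction Reservation Quotation Job"
# Associations whose child is User, and the parents of those associations.
ANON_MEMBERS="ProjectUser AccountUser Project Account"

anonymous_query_acl() {
  # Drop the wildcard grant first; after this, only the explicit
  # grants below are queryable by Anonymous.
  run goldsh RoleAction Delete Role==Anonymous Object==ANY Name==Query Instance==ANY
  for obj in $ANON_META; do
    run goldsh RoleAction Create Role=Anonymous Object="$obj" Name=Query Instance=ANY
  done
  for obj in $ANON_SELF; do
    run goldsh RoleAction Create Role=Anonymous Object="$obj" Name=Query Instance=SELF
  done
  for obj in $ANON_MEMBERS; do
    run goldsh RoleAction Create Role=Anonymous Object="$obj" Name=Query Instance=MEMBERS
  done
}

# Dry-run listing of the RoleAction commands that would be issued.
anonymous_query_acl_plan() {
  ( GOLD_DRY_RUN=1; anonymous_query_acl )
}

# Number of commands in the plan: 1 delete + 6 + 5 + 4 creates = 16.
anonymous_query_acl_count() {
  anonymous_query_acl_plan | wc -l | tr -d ' '
}
```

The existing `Anonymous Account Balance ANY` row is left untouched; as Scott notes, the balance calculation joins further objects, so any extra Query grants it needs have to be found by watching goldd.log.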


On Thu, 2006-11-23 at 14:15 +0100, Alessandro Federico wrote:
> Hi Scott,
> 
> I'm starting to configure Gold's roles to fit our needs.
> First of all I would like to prevent normal users
> ('Anonymous') from querying all of gold's objects.
> By default the following roles (Action & Users)
> are defined:
> 
> gold@cmslab:~> goldsh RoleAction Query Role==Anonymous
> Role      Object   Name    Instance
> --------- -------- ------- --------
> Anonymous Password ANY     SELF
> Anonymous ANY      Query   ANY
> Anonymous Account  Balance ANY
> gold@cmslab:~> goldsh RoleUser Query Role==Anonymous
> Role      Name
> --------- ----
> Anonymous ANY
> 
> With these ACLs everyone can query any gold object.
> I want 'Anonymous' users to be able to query only
> their account balance. More generally I would like
> them to be able to query only their own objects.
> 
> I have tried to change the 'Instance' of the last
> two RoleActions of 'Anonymous' to 'SELF' but it's
> not working. How can I do it?
> 
> Best regards,
> Ale
> 
