[gold-users] Re: Gold role based ACL

Alessandro Federico alessandro.federico at caspur.it
Thu Nov 30 02:09:18 MST 2006


Scott,

thank you very much for the explanation.

I will work on it and let you know.

Thank you again.

Ale


Scott Jackson wrote:
> Ale,
> 
> Sorry it took me so long to reply. I'm trying desperately to unbury
> myself.
> 
> If you take off Query for ANY object, you will have to explicitly add
> Query for all of the objects you want Anonymous users to see. These must
> include 
> 
> Object
> Attribute
> Action
> Role
> RoleAction
> RoleUser
> 
> at a minimum.
> 
> As far as using the SELF instance, this is only supported for User (when
> the user is querying themselves) and any object which has an attribute
> named User and the user is querying their own instances (like: Password,
> Transaction, Reservation, Quotation, Job (goldsh Attribute Query
> Name==User Show:=Object)).
> 
> The MEMBERS instance can be used for associations where the child object
> is User (like: ProjectUser, AccountUser (goldsh Object Query
> Association==True Child==User Show:=Name)) or for objects which have
> User associations (like: Project, Account (goldsh Object Query
> Association==True Child==User Show:=Parent)). 
> 
> It's actually a bit tough to get them to be able to query only their own
> account balance since the queries involved in this calculation involve
> several objects and the queries used are elaborate joins that do not
> restrict themselves to the user-owned objects. You will have to
> experiment by running a query and examining the goldd.log to see all of
> the independent queries that are made to perform the balance query.
> 
> I hope this helps,
> 
> Scott
> 
> 
> On Thu, 2006-11-23 at 14:15 +0100, Alessandro Federico wrote:
>> Hi Scott,
>>
>> I'm starting to configure Gold's roles to fit our needs.
>> First of all I would like to prevent normal users
>> ('Anonymous') from querying all of Gold's objects.
>> By default the following roles (Action & Users)
>> are defined:
>>
>> gold@cmslab:~> goldsh RoleAction Query Role==Anonymous
>> Role      Object   Name    Instance
>> --------- -------- ------- --------
>> Anonymous Password ANY     SELF
>> Anonymous ANY      Query   ANY
>> Anonymous Account  Balance ANY
>> gold@cmslab:~> goldsh RoleUser Query Role==Anonymous
>> Role      Name
>> --------- ----
>> Anonymous ANY
>>
>> With these ACLs everyone can query any Gold object.
>> I want 'Anonymous' users to be able to query only
>> their account balance. More generally, I would like
>> them to be able to query only their own objects.
>>
>> I have tried to change the 'Instance' of the two
>> last RoleAction of 'Anonymous' to 'SELF' but it's
>> not working. How can I do it?
>>
>> Best regards,
>> Ale
>>
> 

-- 
 Alessandro Federico
 CASPUR     http://www.caspur.it/
 e-mail:    alessandro.federico at caspur.it
 phone:     +39 06 44486708
 fax:       +39 06 4957083
------------------------------------------
 Military intelligence is a contradiction
 in terms.                 (Groucho Marx)
------------------------------------------
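
Added example, not part of the original thread or of the Gold project's code: a small Python audit of the table printed by `goldsh RoleAction Query`, reporting whether a role still holds the wildcard Query grant, which of the six Query grants listed in the reply would be missing once it is removed, and which grants are not limited to SELF or MEMBERS. The function names are hypothetical, the sample table is the one quoted in the thread, and treating a Name of ANY as covering Query is an assumption.

```python
# Added example: audits the text printed by `goldsh RoleAction Query`.
# Assumption: a row whose Name is ANY grants every action, Query included.

# Objects the reply lists as the minimum a role must be able to Query.
REQUIRED_QUERY = {"Object", "Attribute", "Action", "Role", "RoleAction", "RoleUser"}
COLUMNS = ["Role", "Object", "Name", "Instance"]

# Constructed sample: the default Anonymous table quoted in the thread.
SAMPLE = """\
Role      Object   Name    Instance
--------- -------- ------- --------
Anonymous Password ANY     SELF
Anonymous ANY      Query   ANY
Anonymous Account  Balance ANY
"""

def parse_role_actions(text):
    """Return one dict per table row; header, rule and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields == COLUMNS:
            continue
        if all(set(f) == {"-"} for f in fields):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows

def audit(rows, role="Anonymous"):
    """Summarise how far `role` can query and what removing the wildcard requires."""
    mine = [r for r in rows if r["Role"] == role]
    grants_query = [r for r in mine if r["Name"] in ("Query", "ANY")]
    explicit = {r["Object"] for r in grants_query if r["Object"] != "ANY"}
    return {
        # True while the role can still Query every object type.
        "wildcard_query": any(r["Object"] == "ANY" for r in grants_query),
        # Query grants that must exist explicitly once the wildcard is gone.
        "missing_required": sorted(REQUIRED_QUERY - explicit),
        # Grants not limited to SELF or MEMBERS instances.
        "unscoped": [(r["Object"], r["Name"]) for r in mine if r["Instance"] == "ANY"],
    }

if __name__ == "__main__":
    for key, value in audit(parse_role_actions(SAMPLE)).items():
        print(f"{key}: {value}")
```
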

