[gold-users] Re: Gold role based ACL
alessandro.federico at caspur.it
Thu Nov 30 02:09:18 MST 2006
thank you very much for the explanation.
I will work on it and let you know.
Thank you again.
Scott Jackson wrote:
> Sorry it took me so long to reply. I'm trying desperately to unbury
> If you take off Query for ANY object, you will have to explicitly add
> Query for all of the objects you want Anonymous users to see. These must
> at a minimum.
> As far as using the SELF instance, this is only supported for User (when
> the user is querying themselves) and any object which has an attribute
> named User and the user is querying their own instances (like: Password,
> Transaction, Reservation, Quotation, Job (goldsh Attribute Query
> Name==User Show:=Object)).
> The MEMBERS instance can be used for associations where the child object
> is User (like: ProjectUser, AccountUser (goldsh Object Query
> Association==True Child==User Show:=Name)) or for objects which have
> User associations (like: Project, Account (goldsh Object Query
> Association==True Child==User Show:=Parent)).
> It's actually a bit tough to get them to be able to query only their own
> account balance since the queries involved in this calculation involve
> several objects and the queries used are elaborate joins that do not
> restrict themselves to the user-owned objects. You will have to
> experiment by running a query and examining the goldd.log to see all of
> the independent queries that are made to perform the balance query.
> I hope this helps,
> and On Thu, 2006-11-23 at 14:15 +0100, Alessandro Federico wrote:
>> Hi Scott,
>> I'm starting to configure Gold'role to fit our needs.
>> First of all I would like to avoid normal users
>> ('Anonymous') to query all gold's object.
>> By default the following roles (Action & Users)
>> are defined:
>> gold at cmslab:~> goldsh RoleAction Query Role==Anonymous
>> Role Object Name Instance
>> --------- -------- ------- --------
>> Anonymous Password ANY SELF
>> Anonymous ANY Query ANY
>> Anonymous Account Balance ANY
>> gold at cmslab:~> goldsh RoleUser Query Role==Anonymous
>> Role Name
>> --------- ----
>> Anonymous ANY
>> With these ACL everyone can query any gold object.
>> I want 'Anonymous' users to be able to query only
>> their account balance. More generally I would like
>> they can only query the objects their own objects.
>> I have tried to change the 'Instance' of the two
>> last RoleAction of 'Anonymous' to 'SELF' but it's
>> not working. How can I do it?
>> Best regards,
e-mail: alessandro.federico at caspur.it
phone: +39 06 44486708
fax: +39 06 4957083
Military intelligence is a contradiction
in terms. (Groucho Marx)
More information about the gold-users