forked from DSpace/DSpace
-
Notifications
You must be signed in to change notification settings - Fork 18
FineGrainedFieldPermissions
Ondřej Košarko edited this page Jan 11, 2016
·
1 revision
Fine-grained field permissions have been implemented based on Access Control Lists (ACL) consisting of multiple Access Control Entries (ACE).
Input fields in input-forms.xml can now have ACLs specified in the following manner:
<acl>
policy=allow,action=write,grantee-type=group,grantee-id=10;
policy=deny,action=read,grantee-type=user,grantee-id=*
</acl>
ACL consists of semicolon separated ACEs. The first matching entry for user that is logged in is applied in order to verify, that the user is able to see and possibly edit given field.
Asterisk can be used as grantee id used and will be interpreted as a wildcard character that matches any value.
Possible values for ACE fields are:
- policy: allow or deny
- action: read or write
- grantee-type: user or group
- grantee-id: user id or group id or *
Fields that are shown based on ACL are rendered with a special background in GUI.
Complete example of a field definition:
<!-- DC.Relation.Replaces -->
<field>
<dc-schema>dc</dc-schema>
<dc-element>relation</dc-element>
<dc-qualifier>replaces</dc-qualifier>
<component-label> </component-label>
<repeatable>true</repeatable>
<label>Replaces</label>
<input-type>onebox</input-type>
<hint>A related resource that is supplanted, displaced, or superseded by the described resource.</hint>
<autocomplete>solr-handle</autocomplete>
<required></required>
<collapsible>Special fields</collapsible>
<acl>
policy=deny,action=read,grantee-type=user,grantee-id=*
</acl>
</field>