
Projects:Extensible Security Model


Overview

The security model is currently based on a record's client/organization to determine whether a row is visible and editable.

In some cases, it would be desirable to allow modules to extend this model so that a record can be accessed based on any arbitrary rule defined within that module.

Technical Design

Functional Specification

Modules can define new security policies that determine which records are accessible. Such a module may take into account only a subset of the entities rather than all of them.

For example, it would be possible to install a module that provides Project Based Security. With this module installed, only the records that are in the granted projects would be accessible. This module would restrict only those entities that are related (at any level) to projects; the rest of the entities would keep the default security model.

Technical Specification

Modules providing a new security model implement a new interface. Through dependency injection, these implementations are used wherever needed to extend the queries that restrict access.

Interface Definition

The simplest approach would be for this interface to define which entities it affects. For each of these entities, it would return the property to restrict based on the current session info.

In the example of Project Based Security, this interface would affect entities like Order, Order Line and Order Line Tax, but not Business Partner. For Order and Order Line, the property to be checked would be Project in both cases. Order Line Tax has no direct project info, so it would use that of its parent (Order Line).
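
One way to express the interface described above for the Project Based Security case, as an added example that is not Openbravo code. `SecurityPolicy`, `ProjectPolicy`, `restrict`, the session map layout, the entity names and the property paths are all hypothetical; the granted ids are passed as a bind parameter and an empty grant yields no rows.

```java
import java.util.*;

public class ProjectSecurityExample {
  /** Hypothetical extension point: one implementation per module. */
  interface SecurityPolicy {
    /** Property path to restrict for the entity; empty if the entity is not affected. */
    Optional<String> restrictedProperty(String entityName);
    /** Ids the current session may access (taken from session info). */
    Set<String> grantedIds(Map<String, Set<String>> session);
  }

  /** Project Based Security: entity names and paths are assumptions for illustration. */
  static class ProjectPolicy implements SecurityPolicy {
    private static final Map<String, String> PATHS = Map.of(
        "Order", "project",
        "OrderLine", "project",
        "OrderLineTax", "orderLine.project"); // no direct project: go through the parent
    public Optional<String> restrictedProperty(String entityName) {
      return Optional.ofNullable(PATHS.get(entityName));
    }
    public Set<String> grantedIds(Map<String, Set<String>> session) {
      return session.getOrDefault("grantedProjects", Set.of());
    }
  }

  /** Appends the policy restriction to an existing where clause. */
  static String restrict(String where, String entity, String alias, SecurityPolicy policy,
      Map<String, Set<String>> session, Map<String, Object> params) {
    Optional<String> path = policy.restrictedProperty(entity);
    if (path.isEmpty()) return where;             // default client/organization model only
    Set<String> ids = policy.grantedIds(session);
    if (ids.isEmpty()) return where + " and 1=0"; // fail closed: nothing granted, nothing visible
    params.put("policyIds", ids);                 // bound, never concatenated into the query
    return where + " and " + alias + "." + path.get() + ".id in (:policyIds)";
  }

  public static void main(String[] args) {
    // Constructed session data for the demonstration.
    Map<String, Set<String>> session = Map.of("grantedProjects", Set.of("P-100", "P-200"));
    SecurityPolicy policy = new ProjectPolicy();
    for (String entity : List.of("Order", "OrderLineTax", "BusinessPartner")) {
      Map<String, Object> params = new HashMap<>();
      String where = restrict("e.client.id = :client", entity, "e", policy, session, params);
      System.out.println(entity + ": " + where + " " + params);
    }
  }
}
```

The same policy lookup would need to back the write check as well as the read filters, so that a record hidden from queries cannot still be saved or removed.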

Where it should be used

OBCriteria
In the initialize method, the different restrictions are added.
OBQuery
The addOrgClientActiveFilter method sets the Client, Org and Active filtering.
SecurityChecker
checkWriteAccess determines whether it is possible to write a DAL object. This is used by the OBDal.save and OBDal.remove methods.
AdvancedQueryBuilder
Used to fetch data for grids; the getWhereClause method is in charge of creating the query's where clause.
Web Services
The XML web service uses OBCriteria. The JSON web service uses AdvancedQueryBuilder.

Open Items to Discuss


This page was last modified on 2 April 2013, at 08:33. Content is available under Creative Commons Attribution-ShareAlike 2.5 Spain License.