Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

The DefaultPermissionPolicy and AnyUnblockedGrantPermissionPolicy permission policies appear both in uPortal 2 (for 2.5.4, 2.6) and in the next-gen GaP project.

IPermissionPolicy API

How you configure your default permission policy

Default permission policy is configured in portal.properties.

Motivating examples

My apologies for so many examples, but by setting these forth once, we can then talk about the available permission policies and how they treat each case.

Explicitly granted

Susan Bramhall is a uPortal administrator. As the Admin user, someone explicitly granted her (permission directly applied to the Principal) the permission to view the detailed results from the Error Channel instead of the low-information monkey wrench.

(GRANT) Susan Bramhall < Developers < Everyone

Explicitly denies

Andrew Petro has submitted too much feedback via the Feedback Channel and so he has been explicitly denied (permission applied directly to the Principal) permission to render the Feedback Channel. However, others are still below the maximum allowable feedback, and so are still allowed to subscribe.

(DENY) Andrew Petro < Developers < (GRANT) Everyone

Permission inheritance

The uPortal News Channel is potentially of interest to everyone (everyone needs at least one portal), so the Everyone group has been granted permission to subscribe to the channel.

Mark Boyd is a member of the Developers group which is a member of the Everyone group.

Mark Boyd < Developers < (GRANT) Everyone

No inheritance

The Developer Secrets channel is where technically minded folks discuss techy secrets kept from the non-programmers. Only Developers have permission to subscribe.
Mike Z. is not a Developer. He is not a member of any group that has a GRANT or DENY for this permission.

Mike Z. < Staff < Everyone

Path to GRANT blocked by DENY

Shawn Bayern is in the group Staff which is in the group Everyone.

Funny cartoons are innocuous, so you've granted permission to Everyone to subscribe to them.

But it turns out that upper management is humorless and wants to reduce the loss of productivity to funny cartoons. So they insist on denying permission to subscribe to Staff. Non-staff are still to be allowed to consume funny cartoons.

So you DENY subscribe permission to the group Staff.

Shawn Bayern < (DENY) Staff < (GRANT) Everyone

Shawn has an ancestor group with GRANT but no path to that ancestor unblocked by a DENY.

In a GRANTed group and also in a DENYed group

Shoji is both a Developer and a Faculty member. In order to improve portal project implementation metrics, someone decided to DENY Faculty the permission to subscribe to the Portal Issues channel, so it would appear that the end users were having no problems. But Developers have been GRANTed permission to subscribe to this channel so that they can mark issues resolved.

Shoji < (GRANT) Developer

Shoji < (DENY) Faculty

Concrete IPermissionPolicy implementations

DefaultPermissionPolicy

Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any ancestor group GRANTed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.

Potentially surprising DefaultPermissionPolicy behavior

DENYs applied to groups (rather than to individual principals) have no effect.

Here's how this policy treats each of the examples:
Susan is GRANTed permission to view detailed Error Channel results because of her personal GRANT.
Andrew is DENYed permission to subscribe to the Feedback Channel because of his personal DENY.
Mark is GRANTed permission to subscribe to the uPortal News Channel because he has some ancestor (Everyone) to which the permission is GRANTed and he has not been personally DENYed the permission.
Mike is DENYed permission to subscribe to the Developer Secrets Channel because neither he nor any of his ancestors are GRANTed the permission.
Shawn is GRANTed permission to subscribe to the Funny Cartoons Channel because he has some ancestor to which the permission has been GRANTed (Everyone) and while he is in a subgroup that has had the permission DENYed, he has not been personally DENYed the permission.
Shoji is GRANTed permission to subscribe to th Portal Issues channel because he has some ancestor group (Developer) to which permission has been granted.

AnyUnblockedPathPermissionPolicy

Applies rules in this order:
If the Principal is explicitly DENYed permission, this policy DENYs permission.
If the Principal is explicitly GRANTed permission, this policy GRANTs permission.
If the Principal has any "path" traversing child-parent relationships up the groups tree to a group GRANTed permission that is not blocked by a group that is DENYed permission, this policy GRANTs permission.
Otherwise the policy DENYs permission by default.

How AnyUblockedPathPermissionPolicy differs from the default

DENYs applied to groups (rather than to individual principals) have the effect of stopping the group from inheriting GRANT from above.

Here's how this policy treats each of the examples:
Susan is GRANTed permission to view detailed Error Channel results because of her personal GRANT.
Andrew is DENYed permission to subscribe to the Feedback Channel because of his personal DENY.
Mark is GRANTed permission to subscribe to the uPortal News Channel because he has an unblocked path to an ancestor (Everyone) to which the permission is GRANTed and he has not been personally DENYed the permission.
Mike is DENYed permission to subscribe to the Developer Secrets Channel because neither he has no unblocked path to a group GRANTed the permission nor is he personally explicitly granted the permission.
Shawn is DENYed permission to subscribe to the Funny Cartoons Channel because he has no unblocked path to an ancestor GRANTed the permission nor is he explicitly granted the permission. While he has some ancestor to which the permission has been GRANTed (Everyone), his inheritance path to that ancestor is blocked by the DENY on the Staff group.
Shoji is GRANTed permission to subscribe to th Portal Issues channel because he has some ancestor group (Developer) to which permission has been granted.

  • No labels