Authorization

Authorization is the process of determining what someone is allowed to do. Authentication proves the identity of a user, but authorization makes that identity useful by applying rules about which activities the user is allowed to undertake.

Rich authorization mechanisms are a particular strength of uPortal.

You can apply authorization in a crude way by restricting which users are allowed to actually log in to the portal.

But once a user has logged in (is authenticated), the richer authorization mechanisms afforded by the Groups and Permissions subsystem are available.

The most common way of accomplishing authorization is by restricting who has permission to subscribe to and render particular channels. This configuration happens in the "Groups" step of channel publication via the Channel Manager. Users who are not in a Group authorized to use a channel simply cannot access that channel.

Some channels support finer grained permissions. For instance, the Columbia Announcements channel offers permission configuration on particular activities on particular announcement topics within the channel. You could grant to the "rugby-coaches" group the permission to create new announcements in the "rugby news" announcement topic, for instance.

Authorization in uPortal is closely related to groups because permissions are typically granted to groups. They can also be explicitly granted to particular users. It is common practice to create a group for any given role, put the users in that role into that group, and grant permissions to that group, rather than granting permissions ad hoc to particular users.

Because permissions are typically granted to groups, the PAGS group store can assign group membership automatically based on user attributes, and those user attributes can be retrieved from LDAP, it is feasible to base permissions (authorization) in uPortal on LDAP attributes.
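The chain described above (login restriction, channel-level grants, finer-grained activity grants on an announcement topic, group membership derived from user attributes) can be modelled end to end in a few dozen lines. The following is an added illustration written for this page in Python; it is not uPortal code and does not use uPortal's APIs or PAGS XML format. All group names, attribute names, users and grants are constructed for the example, and the "any test group passes, all tests within a test group must match" rule is an assumption made to keep the model simple.

```python
"""Attribute-driven group membership and group-based permission checks.

Illustrative model only (not uPortal code). Flow:
  user attributes (as an LDAP lookup would return them)
    -> automatic group membership (PAGS-style attribute tests)
    -> permissions granted to groups, plus explicit per-user grants
    -> authorization decision for an activity on a target
       (a channel, or a topic inside a channel)
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    activity: str   # e.g. "SUBSCRIBE", "RENDER", "CREATE_ANNOUNCEMENT"
    target: str     # e.g. "channel:announcements", "topic:rugby-news"


# Hypothetical attribute-based group definitions (constructed for this example).
# Each group is a list of test groups; a user is a member if ANY test group
# passes, and a test group passes only if ALL of its (attribute, value) tests
# match one of the user's (multi-valued) attribute values.
ATTRIBUTE_GROUPS = {
    "portal-users":  [[("eduPersonAffiliation", "student")],
                      [("eduPersonAffiliation", "staff")]],
    "students":      [[("eduPersonAffiliation", "student")]],
    "rugby-coaches": [[("eduPersonAffiliation", "staff"),
                       ("department", "athletics")]],
}

# Permissions granted to groups: channel-level and activity-level (constructed).
GROUP_GRANTS = {
    "students": {
        Permission("SUBSCRIBE", "channel:announcements"),
        Permission("RENDER", "channel:announcements"),
    },
    "rugby-coaches": {
        Permission("SUBSCRIBE", "channel:announcements"),
        Permission("RENDER", "channel:announcements"),
        Permission("CREATE_ANNOUNCEMENT", "topic:rugby-news"),
    },
}

# Ad hoc grant to a single user, the pattern the page recommends avoiding.
USER_GRANTS = {
    "reporter": {Permission("CREATE_ANNOUNCEMENT", "topic:rugby-news")},
}

# Sample users with attributes shaped like LDAP results (constructed).
USERS = {
    "astudent": {"eduPersonAffiliation": {"student"}},
    "coach":    {"eduPersonAffiliation": {"staff"}, "department": {"athletics"}},
    "reporter": {"eduPersonAffiliation": {"staff"}, "department": {"communications"}},
    "visitor":  {"eduPersonAffiliation": {"alum"}},
}


def groups_for(attributes):
    """Derive group membership from user attributes (PAGS-like evaluation)."""
    member_of = set()
    for group, test_groups in ATTRIBUTE_GROUPS.items():
        for tests in test_groups:
            if all(value in attributes.get(attr, ()) for attr, value in tests):
                member_of.add(group)
                break   # one passing test group is enough
    return member_of


def may_log_in(attributes):
    """Crude authorization: only members of "portal-users" may log in."""
    return "portal-users" in groups_for(attributes)


def is_authorized(username, attributes, activity, target):
    """Decide whether the user may perform `activity` on `target`.

    Explicit user grants are honoured first, then grants held by any group
    the user's attributes place them in. Users who may not log in are
    denied everything.
    """
    if not may_log_in(attributes):
        return False
    wanted = Permission(activity, target)
    if wanted in USER_GRANTS.get(username, set()):
        return True
    return any(wanted in GROUP_GRANTS.get(g, set())
               for g in groups_for(attributes))


if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(name, sorted(groups_for(attrs)),
              "render:", is_authorized(name, attrs, "RENDER", "channel:announcements"),
              "post rugby:", is_authorized(name, attrs, "CREATE_ANNOUNCEMENT", "topic:rugby-news"))
```

Note what the "reporter" user shows: an explicit grant lets that user create announcements in the rugby topic even though no group gives them permission to subscribe to or render the channel in the first place, which is the kind of inconsistency that role groups avoid. Changing the reporter's department attribute in the directory would not revoke the ad hoc grant either, whereas membership in an attribute-derived group follows the attribute automatically.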