every user has one identity

    +---------+              +---------------+
    | o_user  |              | o_bs_identity |
    +---------+              +---------------+
    | user_id | 1 ------- 1  | id            |
    +---------+              | fk_user_id    |
                             +---------------+

every identity is in one or more security groups and every security group has one or more identities

    +---------------+              +-----------------+              +---------------+
    | o_bs_identity |              | o_bs_membership |              | o_bs_secgroup |
    +---------------+              +-----------------+              +---------------+
    | id            | 1 ------- n  | id              |              | id            |
    | fk_user_id    |              | secgroup_id     | n ------- 1  +---------------+
    +---------------+              | identity_id     |
                                   +-----------------+

every group has one or more policies
every resource belongs to one or more policies

    +---------------+              +--------------+              +----------------+
    | o_bs_secgroup |              | o_bs_policy  |              | o_olatresource |
    +---------------+              +--------------+              +----------------+
    | id            | 1 ------- n  | id           |              | resource_id    |
    +---------------+              | oresource_id | n ------- 1  | resname        |
                                   | group_id     |              | resid          |
                                   | permission   |              +----------------+
                                   +--------------+

The policy table records which group holds which permission on which resource; a resource is identified by its resource type (resname) and, where it stands for a concrete object, by its key. Permissions are plain strings such as "access", "read" or "hasRole". How a permission is interpreted depends on the particular business case: the table only stores the string, so an "admin" row does not imply "access" or "read" unless the code evaluating the policy treats it that way. Resources can be anything, e.g. BaseSecurityModules, FileResources, Controllers, etc.
Table 7.2. Access Rights Example 1

| GroupKey | Policy | Resource-Key | Resource-Type |
|---|---|---|---|
| 2 | hasRole | | BaseSecurityModule:RAuthor |

Every identity that is a member of the security group with id=2 holds the author role: the group has the "hasRole" permission on the resource type BaseSecurityModule:RAuthor, which is a type-only resource with no key.
Table 7.3. Access Rights Example 2

| GroupKey | Policy | Resource-Key | Resource-Type |
|---|---|---|---|
| 26 | access | 26 | SecGroup |
| 26 | hasRole | | BaseSecurityModule:RAuthor |
| 26 | admin | 71252385216138 | CourseModule |

If a user's identity is a member of the secgroup with id=26, he has "admin" permission on the CourseModule resource with key 71252385216138. He is also an OLAT author for as long as his identity belongs to the secgroup id=26; leaving the group revokes the role, because the role is attached to the group and not to the identity. The "access" permission on the SecGroup resource with key 26 refers to the group itself; with it he may additionally add and remove other users from the secgroup id=26.
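The following is an added example, not OLAT's own code: it creates the six tables from the diagrams in an in-memory SQLite database, loads the policy rows of Access Rights Examples 1 and 2, and resolves a permission the way the model implies, by joining identity to membership to policy to resource. It assumes that the "Resource-Key" column of the examples is `o_olatresource.resid` (the id of the object the resource stands for) with `resource_id` as a surrogate key, that type-only resources such as the author role use `resid` 0, and it constructs two identities (100, a member of secgroup 26, and 101, a member of secgroup 2 only) that are not on the page.

```python
import sqlite3

# Tables as drawn in the entity diagrams. Assumption: the "Resource-Key" column
# of the examples is o_olatresource.resid (the id of the object the resource
# stands for) and resource_id is a surrogate key; type-only resources such as
# the author role use resid 0.
SCHEMA = """
CREATE TABLE o_user (user_id INTEGER PRIMARY KEY);
CREATE TABLE o_bs_identity (id INTEGER PRIMARY KEY,
    fk_user_id INTEGER NOT NULL UNIQUE REFERENCES o_user(user_id));
CREATE TABLE o_bs_secgroup (id INTEGER PRIMARY KEY);
CREATE TABLE o_bs_membership (id INTEGER PRIMARY KEY,
    secgroup_id INTEGER NOT NULL REFERENCES o_bs_secgroup(id),
    identity_id INTEGER NOT NULL REFERENCES o_bs_identity(id),
    UNIQUE (secgroup_id, identity_id));
CREATE TABLE o_olatresource (resource_id INTEGER PRIMARY KEY,
    resname TEXT NOT NULL, resid INTEGER NOT NULL, UNIQUE (resname, resid));
CREATE TABLE o_bs_policy (id INTEGER PRIMARY KEY,
    oresource_id INTEGER NOT NULL REFERENCES o_olatresource(resource_id),
    group_id INTEGER NOT NULL REFERENCES o_bs_secgroup(id),
    permission TEXT NOT NULL, UNIQUE (oresource_id, group_id, permission));
"""

AUTHOR_ROLE = "BaseSecurityModule:RAuthor"
COURSE_KEY = 71252385216138  # CourseModule key from Access Rights Example 2

# The access check is the join identity -> membership -> policy -> resource.
PERMISSION_QUERY = """
SELECT COUNT(*)
  FROM o_bs_membership m
  JOIN o_bs_policy    p ON p.group_id = m.secgroup_id
  JOIN o_olatresource r ON r.resource_id = p.oresource_id
 WHERE m.identity_id = ? AND p.permission = ?
   AND r.resname = ? AND r.resid = ?
"""

def build_example_db():
    """In-memory database holding Examples 1 and 2 plus two constructed identities:
    identity 100 is a member of secgroup 26, identity 101 only of secgroup 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO o_user VALUES (?)", [(1,), (2,)])
    conn.executemany("INSERT INTO o_bs_identity VALUES (?, ?)", [(100, 1), (101, 2)])
    conn.executemany("INSERT INTO o_bs_secgroup VALUES (?)", [(2,), (26,)])
    conn.executemany("INSERT INTO o_bs_membership VALUES (?, ?, ?)",
                     [(1, 26, 100), (2, 2, 101)])
    conn.executemany("INSERT INTO o_olatresource VALUES (?, ?, ?)", [
        (1, AUTHOR_ROLE, 0),              # type-only resource for the author role
        (2, "SecGroup", 26),              # security group 26 itself
        (3, "CourseModule", COURSE_KEY)])
    conn.executemany("INSERT INTO o_bs_policy VALUES (?, ?, ?, ?)", [
        (1, 1, 2, "hasRole"),    # Example 1: group 2 holds the author role
        (2, 2, 26, "access"),    # Example 2: group 26 may access itself
        (3, 1, 26, "hasRole"),   # Example 2: group 26 holds the author role
        (4, 3, 26, "admin")])    # Example 2: group 26 administers the course
    conn.commit()
    return conn

def is_permitted(conn, identity_id, permission, resname, resid=0):
    """True iff a group the identity belongs to holds exactly this permission on
    the resource. Strings are compared literally: "admin" does not imply "access";
    any such hierarchy is left to the calling business code."""
    (hits,) = conn.execute(PERMISSION_QUERY,
                           (identity_id, permission, resname, resid)).fetchone()
    return hits > 0

def has_role(conn, identity_id, role_resname):
    """Role check as in the examples: "hasRole" on a type-only resource."""
    return is_permitted(conn, identity_id, "hasRole", role_resname, 0)

def effective_permissions(conn, identity_id):
    """Every (permission, resname, resid) the identity inherits through its groups."""
    return conn.execute("""
        SELECT DISTINCT p.permission, r.resname, r.resid
          FROM o_bs_membership m
          JOIN o_bs_policy    p ON p.group_id = m.secgroup_id
          JOIN o_olatresource r ON r.resource_id = p.oresource_id
         WHERE m.identity_id = ?
         ORDER BY p.permission, r.resname, r.resid""", (identity_id,)).fetchall()

def remove_from_group(conn, identity_id, secgroup_id):
    """Deleting the membership row revokes everything that group granted."""
    conn.execute("DELETE FROM o_bs_membership WHERE identity_id = ? AND secgroup_id = ?",
                 (identity_id, secgroup_id))
    conn.commit()

if __name__ == "__main__":
    db = build_example_db()
    print(effective_permissions(db, 100))
    remove_from_group(db, 100, 26)
    print(has_role(db, 100, AUTHOR_ROLE))
```

Two properties of the model are visible in the check: permissions are granted to groups, never to identities, so deleting the membership row is the only revocation step needed, and the permission string is matched literally, so "admin" on the course does not give "access" on it unless the evaluating code adds that rule itself.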