I was thinking we could have some kind of security transform.
-Adrian
David E Jones wrote:
Yes, a FTL file could be an artifact. I'm not aware of any instances
where an entire FTL file is wrapped by a permission (although I think
there are places where parts of an FTL file do permission checks... and
that's a complicated issue for external security... those would probably
need to be split into multiple files, preferably referred to through
multiple screen defs).
-David
On May 11, 2009, at 1:31 AM, Jacques Le Roux wrote:
I have a question about artifact and Freemarker template. In the
description below is a Freemarker template considered as an artifact ?
This question because in Freemarker template we may have several
entry points for permission and we don't have an xsd to constraint
things.
Jacques
From: "David E Jones" <david.jo...@hotwaxmedia.com>
This thread is specifically for discussing security requirements and
security use scenarios to drive OFBiz security functionality going
forward. Please keep other discussion in another thread.
These things tend to fall into two categories: functionality access
and record-level access, or a combination of both. That is a high
level generalization so just warning you that what I list below may
be limited by my own blindness since I usually think in terms of
those two things for security configuration. In other words, that's
the point of this brainstorming thread.
To get things started, here are a few I can think of and have heard
from others, these are in no particular order:
1. User X can use Artifact Y for anything that artifacts supports
and on any data (where "artifact" is a screen, web page, part of a
screen or page, service, general logic, etc)
2. User X can use Artifact Y only for records determined by Constraint Z
3. User X can use any artifact for records determined by Constraint Z
4. Artifact Y can be used by any user for any purpose it supports
5. Artifact Y can be used by any user for only for records
determined by Constraint Z
6. User X can use any artifact for any record (ie superuser)
Okay, you can see that my initial pass at this is sort of an
enumeration of combinations effort. If you can think of other
general scenarios, please share! Also, please feel free to share
specific requirements that are not in such generic terms (we can
worry about putting them in more generic terms like this later).
Thank You!
-David