Community:NCore/Authorization

From NSDLWiki


Any user or application that wishes to modify contents, such as by adding or updating an object, must have a corresponding Agent in the repository that represents its identity. Actions on repository objects, and the authorization required to permit them, are described relative to the Agent object that represents the user initiating the action.

Basic ground rules

Agents must have explicit permission to:

Currently, Agents may not modify the contents of a Resource (aside from declaring that it is a member of an aggregation). Resources, for the time being at least, are effectively considered immutable.


Mechanism

Authorization is specified primarily through the authorizedToChange relationship, which is present in an Aggregator or MetadataProvider and grants authority to a particular Agent or group of Agents.

An Agent that is authorized for an Aggregator may modify its relationships, properties, or datastreams, as well as add or remove members.

An Agent that is authorized for a MetadataProvider may modify its relationships, properties, or datastreams. In addition, it may add or remove members, and edit the Metadata objects that are provided by that MetadataProvider.

Trusted Applications

Trusted applications are Agents that have enhanced privileges in the repository. In particular, trusted applications have permission to:

  • Create new Agents
  • Assign new Aggregators or assign new MetadataProviders to other Agents.

Trusted applications are denoted by membership in a specific Aggregator.
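
The rules on this page expressed as a default-deny check, as an added example that is not NCore's own code. The action names, object ids, the representation of a group of Agents, and the id of the trusted Aggregator are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical id: the page says only that trust is membership in "a specific Aggregator".
TRUSTED_AGGREGATOR = "aggregator:trusted-apps"
TRUSTED_ONLY = {"create_agent", "assign_aggregator", "assign_metadata_provider"}

@dataclass
class Obj:
    id: str
    kind: str  # Agent | Aggregator | MetadataProvider | Metadata | Resource
    authorized_to_change: set = field(default_factory=set)  # grantee Agent or group ids
    member_of: set = field(default_factory=set)             # Aggregator ids
    provided_by: str = ""                                   # Metadata -> its MetadataProvider

class Repo:
    def __init__(self, objects, groups):
        self.objs = {o.id: o for o in objects}
        self.groups = groups  # assumed representation: group id -> set of Agent ids

    def _granted(self, agent_id, holder):
        # authorizedToChange lives on the Aggregator/MetadataProvider and names the grantee.
        return any(g == agent_id or agent_id in self.groups.get(g, ())
                   for g in holder.authorized_to_change)

    def may(self, agent_id, action, target_id=""):
        agent = self.objs.get(agent_id)
        if agent is None or agent.kind != "Agent":
            return False  # no Agent in the repository, no modifications
        if action in TRUSTED_ONLY:
            return TRUSTED_AGGREGATOR in agent.member_of
        target = self.objs.get(target_id)
        if target is None:
            return False
        if target.kind in ("Aggregator", "MetadataProvider"):
            return (action in ("modify", "add_member", "remove_member")
                    and self._granted(agent_id, target))
        if target.kind == "Metadata" and action == "modify":
            provider = self.objs.get(target.provided_by)
            return (provider is not None and provider.kind == "MetadataProvider"
                    and self._granted(agent_id, provider))
        return False  # Resource contents are immutable; anything unlisted is denied

def sample_repo():  # constructed sample data
    return Repo([
        Obj("agent:alice", "Agent"), Obj("agent:bob", "Agent"),
        Obj("agent:harvester", "Agent", member_of={TRUSTED_AGGREGATOR}),
        Obj(TRUSTED_AGGREGATOR, "Aggregator"),
        Obj("agg:1", "Aggregator", authorized_to_change={"agent:alice"}),
        Obj("mdp:1", "MetadataProvider", authorized_to_change={"group:editors"}),
        Obj("md:1", "Metadata", provided_by="mdp:1"),
        Obj("res:1", "Resource", member_of={"agg:1"}),
    ], groups={"group:editors": {"agent:bob"}})
```

In this model trusted-application status grants only the two privileges listed above; it does not imply authorizedToChange on any Aggregator or MetadataProvider.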
