CAS: Developer's Guide
CAS Permissions
A user (U) is said to have permission to perform service/action S/A on object (O) if there is a statement in the policy_statement table that meets these three conditions:

- The user element applies: U appears in the user table and the user element is either:
  - a user_group_specification referring to a user_group containing U, or
  - the community_specification.
- The action element applies:
  - the action specification refers to service_type S and the action A.
  - the action specification refers to a service_action group that has service type S and action A as a member.
  - the action specification is superuser.
- The object element applies: it's either:
  - An object that "matches" O - that is, the appropriate matching function (based on the namespace that the object belongs to) applied to O and the object_name yields a match, or
  - An object group that contains an object that "matches" O.
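
The three-condition check above, as an added example (not code from the CAS guide or the CAS project): a small Python evaluator over constructed tables. The record shapes, the namespace names ftp_dir and exact, and their matching functions are assumptions; the three action alternatives are treated as any-of, and all three conditions must hold within one and the same statement.

```python
from fnmatch import fnmatchcase

# Constructed sample data; these shapes are assumptions, not the CAS schema.
USERS = {"alice", "bob"}
USER_GROUPS = {"physicists": {"alice"}}
ACTION_GROUPS = {"file_rw": {("file", "read"), ("file", "write")}}
OBJECT_GROUPS = {"run42": [("ftp_dir", "/data/run42/*")]}
# Hypothetical per-namespace matching functions: (O, object_name) -> bool
MATCHERS = {"ftp_dir": fnmatchcase, "exact": lambda o, name: o == name}

POLICY_STATEMENTS = [
    {"user": ("user_group", "physicists"), "action": ("action_group", "file_rw"),
     "object": ("object_group", "run42")},
    {"user": ("community", None), "action": ("action", ("file", "read")),
     "object": ("object", ("exact", "/pub/README"))},
]

def user_applies(spec, user):
    kind, ref = spec
    if user not in USERS:              # U must appear in the user table
        return False
    if kind == "user_group":
        return user in USER_GROUPS.get(ref, set())
    return kind == "community"         # unknown kinds fail closed

def action_applies(spec, service_type, action):
    kind, ref = spec
    if kind == "superuser":
        return True
    if kind == "action":
        return ref == (service_type, action)
    if kind == "action_group":
        return (service_type, action) in ACTION_GROUPS.get(ref, set())
    return False

def matches(namespace, object_name, obj):
    matcher = MATCHERS.get(namespace)  # a namespace with no matcher never matches
    return matcher is not None and matcher(obj, object_name)

def object_applies(spec, obj):
    kind, ref = spec
    if kind == "object":
        return matches(ref[0], ref[1], obj)
    if kind == "object_group":
        return any(matches(ns, name, obj) for ns, name in OBJECT_GROUPS.get(ref, []))
    return False

def has_permission(user, service_type, action, obj):
    return any(user_applies(s["user"], user)
               and action_applies(s["action"], service_type, action)
               and object_applies(s["object"], obj)
               for s in POLICY_STATEMENTS)
```

Evaluating each statement as a unit is what keeps alice's write right on the run42 group from combining with the community's read right on /pub/README.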