...
The permissions to access documents or to perform certain actions are assigned to specific roles. Users of the system are assigned to particular roles, and through those role assignments acquire the permissions needed—they become the owner of the roles. In general, roles are reusable groups of various permissions. Each role has a unique name and contains one or more permissions that are granted to the owners.
Note: In the header of each incoming and authenticated API call, the roles of the corresponding user are included among other user-specific information. If you assign too many roles with long names to individual users, you might exceed the overall size limit of 8KB for the header.
...
Conditions are statements in the proprietary CMIS-based query language that define the subset of documents in the system affected by a permission. If the condition for a document is met (meaning evaluating the query language expression returns 'true'), the owner of the role gets to access that document. For example, conditions can limit a users access to a specific type of object or hide documents that are older than a specific date. The conditions are appended to all requests from the role owner and thereby act as filters for the corresponding search results.
Note: In a permission including the action create, the query function CONTAINS()cannot be used in a condition. The whole statement would always be evaluated to false even if the condition contains other sub-statements that do not use CONTAINS() and that would individually considered be evaluated to true. Thus, it is not possible to specify a condition on the content of objects to be created.
The condition can also be left out - indicating that the permission applies to all documents in the system.
The following code block explains the definition of permissions with an example of creation permissions assigned to different roles.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<!-- Users with this role are not allowed to create, update or delete any object. -->
<role>
<name>CAN_CREATE_NOTHING</name>
</role>
<!-- Users with this role can create any object. No conditions have to be matched. -->
<role>
<name>CAN_CREATE_EVERYTHING</name>
<permission>
<action>create</action>
</permission>
</role>
<!-- Users with this role can create objects that match the condition. In this case only objects of type 'appTable:order' or 'appEmail:email' can be created. -->
<role>
<name>CAN_CREATE_SOMETHING</name>
<permission>
<action>create</action>
<condition>
system:objectTypeId IN ('appTable:order', 'appEmail:email')
</condition>
</permission>
</role> |
...
The AUTHENTICATION service decides for each API request of any user if the access is granted or not. In its configuration, the access conditions can be defined individually for each API endpoint. Thus, permissions in yuuvis® Momentum can be set not only for types of actions and the usage of specific object types, but also directly for API endpoints. It is even possible to allow the usage of an API endpoint for callers without authentication.
Summary
This article explained the role-based structure of the permission system provided by the Core API. The global and the tenant-specific role set can be changed via the corresponding endpoints. The user-role-mapping can be managed in Keycloak. The access authentication for individual yuuvis® API endpoints can be configured via the AUTHENTICATION service.
...