CedricReichenbach closed 4 years ago
This will need some consideration and possible follow-up work in terms of UI in the app project.
Rough draft of design:
Entities to be access-controlled are:
This part addresses data with regard to editing, so whatever researchers (and admins) see and manipulate on the app's editor page.
Each of the above entities has one or more owners. An owner is a user with the ability to edit access control to said entities (besides full edit access).
Each entity has a set of editors who can see and edit them, but not alter access control.
Each entity has a set of users with read access. This is relevant e.g. for cloning items.
For base users, i.e. participants, access control should not be explicitly managed through ACLs, but rather implicitly based on data relations, like study participation and answer submissions.
Let's keep it simple for starters.
How to handle ACLs on users, e.g. generating a password reset token or deleting another user? Perhaps we still need some kind of explicit ACLs on users.
App follow-up issue: https://github.com/upkbs-chronobiology/somnus-app/issues/77
Currently, users have complete horizontal access to all data matching their role (vertical restriction).
Access control lists (ACLs) should define which user has access to what data. Some particular examples:
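The owner/editor/reader model drafted in this issue, sketched as an added example; it is not part of the original issue or the project's code. The names `Level`, `Entity`, `set_access` and the sample users are hypothetical, and the "keep at least one owner" check is an assumption derived from the draft's "one or more owners".

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Access levels from the draft; a higher level implies the lower ones."""
    NONE = 0
    READ = 1    # may see the entity, e.g. to clone it
    EDIT = 2    # may see and edit, but not alter access control
    OWN = 3     # full edit access plus editing the ACL


@dataclass
class Entity:
    name: str                                  # hypothetical entity name
    acl: dict = field(default_factory=dict)    # user id -> Level

    def level_of(self, user: str) -> Level:
        # Deny by default: a user without an ACL entry has no access.
        return self.acl.get(user, Level.NONE)

    def can_read(self, user: str) -> bool:
        return self.level_of(user) >= Level.READ

    def can_edit(self, user: str) -> bool:
        return self.level_of(user) >= Level.EDIT

    def set_access(self, actor: str, target: str, level: Level) -> None:
        # Only owners may change the ACL; this also stops an editor
        # from promoting themselves to owner.
        if self.level_of(actor) < Level.OWN:
            raise PermissionError(f"{actor} may not alter access control on {self.name}")
        owners = [u for u, lvl in self.acl.items() if lvl == Level.OWN]
        # Assumed invariant ("one or more owners"): never demote the last owner.
        if owners == [target] and level < Level.OWN:
            raise ValueError("entity must keep at least one owner")
        if level == Level.NONE:
            self.acl.pop(target, None)
        else:
            self.acl[target] = level


def demo() -> Entity:
    study = Entity("study-1", {"alice": Level.OWN})   # constructed sample data
    study.set_access("alice", "bob", Level.EDIT)
    study.set_access("alice", "carol", Level.READ)
    return study
```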