Skip to content
This repository has been archived by the owner on Sep 18, 2018. It is now read-only.

Permissions

smarthall edited this page Apr 6, 2013 · 8 revisions

When designing the permission system for RatticDB we wanted it to be simple and easy to figure out. There were a few defining rules. I would however like to stress that these rules are completely open for discussion.

  • No read only access. People has access to the credentials so they could potentially change them on the other end, and not be able to update the database. Additionally some systems force you to change your password after a particular time. This could potentially mean that a user cannot possibly sync the database.

  • Simple. Groups that can be in groups, roles based access, access lists, and other complex authorisation themes increase the complexity of the solution, making it harder to understand who actually has access to what. Additionally the complexity of implementing these solutions make it possibly for more bugs to appear.

The permission system in RatticDB works as follows:

  • Users can belong to many groups.

  • Credentials must belong to one single group.

  • Groups can have many members.

  • Users can fully access any credential that is in any of the groups they are in. This means they can also move it to another group they are also in.

  • Users can add new credentials to any group they are in.

  • Permissions applied to the latest version of a credential affect it, and all historical versions of that credential. So people who have access now can see all historical versions, and people who do not have access cannot see any version, even ones they used to be able to see.

Clone this wiki locally