
A privilege is the combination of a permission, a privilege object on which the permission is granted and a privilege subject (a user or a user group) to whom the permission is granted. Permissions can only be granted through the definition of privileges.

Privileges define the permissions that a privilege subject has on a privilege object. The permissions granted through a privilege with a specific privilege object can implicitly give permissions on other privilege objects through privilege inheritance and privilege transformation.

Through privilege inheritance the permission granted in a privilege may be propagated to subordinate privilege objects. Privilege inheritance is used with view privileges, domain privileges and feature privileges.

Through privilege transformation a permission granted on a privilege object can imply another permission on a (possibly) different privilege object.

E.g. The view permission Modify features on a view privilege object is transformed to the feature permission Modify on all members of the view. Privilege transformation is transitive.

E.g. The view permission Modify subordinate views on a view privilege object is transformed into the view permission Modify on all subordinate views.

Figure 1 shows privilege inheritance and transformation paths for all privilege object types. Note that the effective permission a given user has on a specific object will also include all permissions that any user group that the user is a member of is given on that specific object.

Indirect permissions that are available for some privilege object types affect objects that are linked to the privilege object but are not privilege objects themselves. E.g. the Modify classification permission that can be granted on a domain does not affect the domain itself but only classifications that are members of that domain.

Access to some objects of the Application Server is secured by combined privileges, i.e. the access is regulated by granting related permissions on two different privilege object types. E.g. a user can only create or modify a feature subtype for a specific feature type in a domain if he has the domain permission Modify feature subtypes (14) and the feature type permission Modify feature subtypes (3). Figure 1 shows possible combined privileges.

Figure 1: Inheritance, transformation and combination of privileges.

| Privilege object | Inherits from | Gets transformed permissions from |
| --- | --- | --- |
| Feature type | | System permission |
| Feature | If a feature is a member of a platform feature it inherits all permissions from that platform feature. If a feature is instantiated from a calculated feature it inherits all permissions from that instantiating calculated feature. | View permissions that affect all member features are transformed to the corresponding feature permissions. |
| Views | Permissions on all parent views (in the view's path) are inherited. | The system permission All permissions on root views (1) is transformed into all available view permissions on all root views. The system permission List all Features (27) is transformed into List features (2) on every view. The view permission Modify subordinate views (5) is transformed into the view permission Modify view (0) on all subordinate views. |
| Domain | All domain permissions except Read (0) are inherited to subordinate domains. Read (0) is inherited to all parent domains. | If a user has the feature permission Read (0), that permission is transformed into the domain permission Read (0) on the domain the feature belongs to. |
| System | | |


Table 1: Inheritance and transformation of permissions.
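
The following Python sketch is an added example, not code from the Application Server. It resolves a user's effective view and feature permissions from direct grants by applying group membership, inheritance from parent views and the view transformations described above. The data model and all object, user and group names are assumptions constructed for illustration; only the permission names are taken from this page.

```python
# Constructed sample model: all object, user and group names are hypothetical.
PARENT_VIEW = {"/plant": None, "/plant/unit1": "/plant", "/lab": None}
# Assumption: a feature is listed only under the views it is a direct member of.
FEATURE_VIEWS = {"pump-7": ["/plant/unit1"], "scale-2": ["/lab"]}
GROUPS = {"alice": {"operators"}, "bob": set()}
GRANTS = [  # (subject, object type, object, permission)
    ("operators", "view", "/plant", "Modify features"),
    ("alice", "view", "/plant", "Modify subordinate views"),
    ("bob", "feature", "scale-2", "Read"),
]
# View permission -> feature permission it is transformed into (pair named on this page).
VIEW_TO_FEATURE = {"Modify features": "Modify"}


def subjects(user):
    """A user's effective permissions include those of every group the user is in."""
    return {user} | GROUPS.get(user, set())


def granted(user, obj_type, obj):
    """Permissions granted directly on obj to the user or one of the user's groups."""
    subs = subjects(user)
    return {p for s, t, o, p in GRANTS if s in subs and t == obj_type and o == obj}


def view_permissions(user, view):
    """Direct grants, plus inheritance from parent views, plus transformation."""
    perms = granted(user, "view", view)
    parent = PARENT_VIEW.get(view)
    while parent is not None:
        inherited = granted(user, "view", parent)
        perms |= inherited  # permissions on all parent views are inherited
        if "Modify subordinate views" in inherited:
            perms.add("Modify view")  # transformed onto every subordinate view
        parent = PARENT_VIEW.get(parent)
    return perms


def feature_permissions(user, feature):
    """Direct feature grants plus view permissions transformed to feature permissions."""
    perms = granted(user, "feature", feature)
    for view in FEATURE_VIEWS.get(feature, []):
        perms |= {VIEW_TO_FEATURE[p] for p in view_permissions(user, view)
                  if p in VIEW_TO_FEATURE}
    return perms


if __name__ == "__main__":
    for user in GROUPS:
        for feature in FEATURE_VIEWS:
            print(user, feature, sorted(feature_permissions(user, feature)))
```

In this constructed model a single group grant of Modify features on the view /plant gives alice the feature permission Modify on pump-7 two steps away: group membership, then view inheritance, then transformation.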

© 2021 AFRY Austria GmbH, www.redbex.com