4. Permissions (ACL)
An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.
- View: the View permission is applied for get/getall operations
- Create: the Create permission is applied for the add operation
- Update: the Update permission is applied for the update operation, and for add/delete operations in some cases (workty instance, workty instance property, workty property)
- Delete: the Delete permission is applied for the delete operation
The following objects are protected: Account, Device, Payment, Workflow, Workty. All interactions between the REST API process and the supervisor, and between the supervisor and worker devices, also comply with the ACL rules.
Workty implements this security model using the Node Acl library. Each account has a list of objects and the operations allowed on them. Accounts are divided into two groups: admin and regular. The admin account is predefined and exists in the database. The Account.aclRoleNames field is used to store the list of roles. The admin has all permissions for all objects:
- Account: View/Create/Update/Delete
- Payment: View/Create/Update/Delete
- Device: View/Create/Update/Delete
- Workflow: View/Create/Update/Delete
- Workty: View/Create/Update/Delete
The regular account type is used for all users registered in the system. Registration can be completed with the Facebook, Google and Local strategies. By default, a regular user has the following objects/permissions:
- Account: View/Update/Delete
- Payment: View/Create
- Device: None
- Workflow: View/Create/Update/Delete
- Workty: View
A regular user can access only those instances in the system that are tied to his account id.
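The default matrix and the ownership rule above can be combined into one deny-by-default check. The following is an added example, not Workty's code and not the Node Acl API; the `isAllowed` function, the `account`/`instance` object shapes and the admin exemption from the ownership rule are assumptions made for illustration.

```javascript
// Added illustration: a stand-alone model, not Workty's code or the Node Acl API.
const ALL = ['View', 'Create', 'Update', 'Delete'];

// Default role -> object -> permissions matrix, as listed on this page.
const ROLE_PERMISSIONS = new Map([
  ['admin', new Map([
    ['Account', ALL], ['Payment', ALL], ['Device', ALL],
    ['Workflow', ALL], ['Workty', ALL],
  ])],
  ['regular', new Map([
    ['Account', ['View', 'Update', 'Delete']],
    ['Payment', ['View', 'Create']],
    ['Device', []],
    ['Workflow', ALL],
    ['Workty', ['View']],
  ])],
]);

// Operation -> required permission, as listed on this page.
const OPERATION_PERMISSION = new Map([
  ['get', 'View'], ['getall', 'View'], ['add', 'Create'],
  ['update', 'Update'], ['delete', 'Delete'],
]);

// account:  { id, aclRoleNames }  (shape assumed for this example)
// instance: { accountId } owner of an existing object (hypothetical field)
function isAllowed(account, resource, operation, instance) {
  const permission = OPERATION_PERMISSION.get(operation);
  if (!permission) return false; // unknown operation: deny by default
  const roles = Array.isArray(account.aclRoleNames) ? account.aclRoleNames : [];
  const granted = roles.some((role) => {
    const byResource = ROLE_PERMISSIONS.get(role);
    const perms = byResource ? byResource.get(resource) : undefined;
    return Array.isArray(perms) && perms.includes(permission);
  });
  if (!granted) return false; // no role grants the permission: deny
  // Assumption: only non-admin accounts are restricted to their own instances.
  if (roles.includes('admin')) return true;
  // add/getall have no single existing instance to compare against.
  if (operation === 'add' || operation === 'getall') return true;
  // get/update/delete on an existing object: the owner must match the caller.
  return Boolean(instance) && account.id != null && instance.accountId === account.id;
}
```

For `getall`, the check only confirms the View permission; the query itself still has to be filtered by the caller's account id.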
The database objects that support ACL:
- acl_permissions: collection that stores the list of permission names
- acl_resources: collection that stores the list of objects
- acl_roles: collection that stores the list of roles and the default permissions applied to them. These default permissions are used when a new user registers in the system
- account.aclRoleName: field that stores the list of roles for the user