ACL Security
Cooperator
is the primary ACL SID principal in GRIN-Global. SysGroup
is an authority (! principal
).
SysUser
(and eventually WebUser
) implement Spring UserDetails
and can authenticate against the server, but they are not SIDs. We need a custom SidRetrievalStrategy sidRetrievalStrategy
added to SecurityConfig#aclAuthorizationStrategy()
to fetch the Cooperator
from the Spring authentication object.
Our UserServiceImpl
already loads authorities for SysUser
after login.
Original GG Permissions
There is no ACL inheritance in the original GG. Permissions need to be granted explicitly to each object. From CT Manual # Security:
Currently the inheritance only cascades one level. This implies that it may be necessary for you to establish certain permissions at the accession level, and then again at the inventory level.
There is no inheritance, permissions must be set explicitly on every object.
ACL version
Accession
inherits permissions from the Site
of the owner of the record: .owner.site
.
Inventory
inherits permissions from its inventoryMaintenancePolicy
. Whoever has permissions on the policy, has permissions on the inventory. The inventory is therefore detached from the Accession
in terms of security. InventoryMaintenancePolicy
can be linked to a Site
through its .owner.site
.
Cooperator can link to one single site. That means that any accessions and policies she owns are attached to the single site. Site permissions apply.
Therefore, if a cooperator is assigned to a new site, all the associated accessions and inventories "move" from the original site to the new site. As permissions in the original GG are not inherited and must be granted explicitly to other users, this is a non-issue in the old system.