wiki:AccessDelegation

Version 3 (modified by saw, 9 years ago)

--

The repository must be able to let a particular user access only the data sets they have been given permission to access. The initial concept for this delegation functionality is to use the LDAP database to store which repositories a user has access to, and which folder levels within each repository they have access to.

A directory will be created for each repository entity (individual counties for example) that contains folders for a predefined number of levels. The initial concept is to provide 3 levels in each repository.

Here is an example repository directory structure:

\repositories
 -counties
  -jasper
   -1
   -2
   -3
  -marshall
   -1
   -2
   -3
  -warren
   -1
   -2
   -3
 -cities
  -indianola
   -1
   -2
   -3
 -other
  -alliantenergy
   -1
   -2
   -3

When a user logs in to https://www.iowagisdata.org/, they will be presented with a list of the repositories they have been given permission to access. When the user selects a repository to browse, they will be presented with a list of the levels they have been given permission to access within that repository. When the user selects a level to browse, the BrowseRepository module will present the directory and file structure within the level subdirectory that corresponds to the selected repository and level, and only within that subdirectory.

The LDAP_USER environment variable supplied by Apache (set by the server's authentication module once the user has authenticated; it must never be taken from a request header or parameter, which the client controls) will be used to query the LDAP database for the repositories and levels available to that user. Site administrators can use the MaintainGroup function to create groups that can also be given permission to a repository. A user will have access to any repository level that has been assigned directly to them or to a group they are a member of.

A web interface must be developed to allow repository administrators to select the levels that will be available to a user or group during normal operation and during EmergencyDeclaration situations. Repository administrators should also be able to specify an expiration date for the permission that is granted; once that date has passed, the permission confers no access. This accommodates users who only need access during a specific project, or who purchased access for a period of time. A possible interface might look like:

User: John Doe
Access expires on: ________
Normal Permissions
  [ ] Level 1
  [ ] Level 2
  [ ] Level 3
  [ ] Level 4
  [ ] Level 5
Permissions During Declared Emergency
  [ ] Level 1
  [ ] Level 2
  [ ] Level 3
  [ ] Level 4
  [ ] Level 5
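The two rules above (a user gets every level granted to them directly or through a group, grants stop counting after their expiration date, and the emergency set replaces the normal set during a declared emergency) plus the BrowseRepository containment requirement can be expressed in a small amount of code. The following is an added example, not code from the iowagisdata.org project: the LDAP lookup is replaced by constructed in-memory records, and the field names, group membership, sample grants and repository root are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from pathlib import Path
from typing import Dict, FrozenSet, Optional, Set


# Constructed stand-in for the LDAP records the page describes: one grant per
# (principal, repository).  Field names are assumptions, not the site's schema.
@dataclass(frozen=True)
class Grant:
    principal: str                  # user uid or group name
    repository: str                 # path below the repositories root, e.g. "counties/jasper"
    normal: FrozenSet[int]          # levels available in normal operation
    emergency: FrozenSet[int]       # levels available during a declared emergency
    expires: Optional[date] = None  # None means the grant does not expire


# Constructed sample data.
GRANTS = [
    Grant("jdoe", "counties/jasper", frozenset({1}), frozenset({1, 2, 3}), date(2025, 12, 31)),
    Grant("gis-staff", "counties/marshall", frozenset({1, 2}), frozenset({1, 2, 3})),
    # Project access that expired on 2020-01-01: confers nothing after that date.
    Grant("jdoe", "cities/indianola", frozenset({1, 2, 3}), frozenset({1, 2, 3}), date(2020, 1, 1)),
]
GROUP_MEMBERS = {"gis-staff": {"jdoe", "asmith"}}


def effective_levels(user, grants, groups, today, emergency=False):
    """Map repository -> set of levels the user may browse on the given date.

    A user gets every level granted to them directly or to a group they belong
    to, minus grants whose expiration date has passed.  The emergency flag
    selects the EmergencyDeclaration permission set instead of the normal one.
    """
    principals = {user} | {g for g, members in groups.items() if user in members}
    levels_by_repo: Dict[str, Set[int]] = {}
    for grant in grants:
        if grant.principal not in principals:
            continue
        if grant.expires is not None and today > grant.expires:
            continue                      # expired grant: ignored entirely
        levels = grant.emergency if emergency else grant.normal
        if levels:
            levels_by_repo.setdefault(grant.repository, set()).update(levels)
    return levels_by_repo


def browse_path(root, user, repository, level, relpath, grants, groups, today, emergency=False):
    """Resolve a BrowseRepository request to a filesystem path.

    Raises PermissionError if the user lacks the requested level, or if the
    requested sub-path would leave the level directory ("../2", an absolute
    path, or a symlink pointing elsewhere).  Both sides of the comparison are
    resolved so symlinks in the root itself do not cause false denials.
    """
    allowed = effective_levels(user, grants, groups, today, emergency).get(repository, set())
    if level not in allowed:
        raise PermissionError(f"{user} may not browse {repository} level {level}")
    level_dir = (Path(root) / repository / str(level)).resolve()
    target = (level_dir / relpath).resolve()   # normalises "..", absolute paths and symlinks
    if target != level_dir and level_dir not in target.parents:
        raise PermissionError("requested path escapes the permitted level directory")
    return target


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("normal:   ", effective_levels("jdoe", GRANTS, GROUP_MEMBERS, today))
    print("emergency:", effective_levels("jdoe", GRANTS, GROUP_MEMBERS, today, emergency=True))
    print(browse_path("/srv/repositories", "jdoe", "counties/jasper", 1, "parcels", GRANTS, GROUP_MEMBERS, today))
```

The containment check is the part most easily forgotten: checking that the user holds a level is not enough if the sub-path the browser module receives can contain `..` or an absolute path, because the level directory is only a prefix of the path actually opened.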

The DataUpload process will store files in the repository directories for a given user.