So... here is the Graph Gist: http://gist.neo4j.org/?github-benneq%2Fgists%2F%2Fmeta%2FSimple.adoc
And the PDF (from the previous post): http://www.docdroid.net/er3w/acl-cheat-sheet.pdf.html
*The permission resolution algorithm:*
1. Look if the User has a direct Permission relation to the Object
2. Look if the User has a relation to some parent of the Object (find first parent in the hierarchy)
3. Look at the Roles (here it gets a bit complicated):
   - Find all Permission relations from a Role to the Object *and* its parents.
   - If one of these Permission relations says "true", return "true", else return "false"
*Example #1:*
- User has a Permission relation to the Object
- Group (which the User is a member of) has a Permission relation to the Object
- -> Take the Permission relation of the User
*Example #2:*
- User has a Permission relation to one (or more) of the Object's parents
- Some of the User's Groups have a direct Permission relation to the Object
- -> Ignore the Group permissions! Take the Permission relation between the User and the closest found parent of the Object
*Example #3:*
- User has *no* Permission relation to the Object or one of its parents
- Any of the User's Groups have a direct Permission relation to the Object
- -> Return "true" if some of the Groups' Permission relations say "true", else return "false"
*Example #4:*
- User has *no* Permission relation to the Object or one of its parents
- Some of the User's Groups have a direct Permission relation to the Object *and* some have a direct relation to any of the Object's parents
- -> Return "true" if some of the Groups' Permission relations say "true", else return "false"
*Example #5:*
- User has *no* Permission relation to the Object or one of its parents
- There's no direct Permission relation from any of the User's Groups to the Object, *but* some have a direct relation to any of the Object's parents
- -> Return "true" if some of the Groups' Permission relations say "true", else return "false"
I hope, now the requirements are clear :)
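The resolution order described in this post, as an added Python example (not part of the original message and not the Graph Gist's Cypher). The in-memory graph, all names, the single-parent hierarchy, the cycle guard and the "default" result for a user with no relations at all are constructed assumptions.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample graph (assumption: each object has at most one parent).
PARENT: Dict[str, Optional[str]] = {"root": None, "folder": "root", "doc": "folder"}
MEMBER_OF: Dict[str, Set[str]] = {          # user -> groups/roles
    "alice": {"editors"}, "erin": {"editors"},
    "bob": {"editors", "guests"}, "carol": {"guests"}, "dave": set(),
}
PERMISSION: Dict[Tuple[str, str], bool] = {  # (subject, object) -> relation value
    ("alice", "doc"): False,                 # direct user relation (Example #1)
    ("erin", "root"): True,                  # user relation on a far parent
    ("erin", "folder"): False,               # user relation on the closest parent (Example #2)
    ("editors", "doc"): True,
    ("guests", "folder"): False,
}

def lineage(obj: str) -> List[str]:
    """Return the object followed by its parents, closest first."""
    chain: List[str] = []
    node: Optional[str] = obj
    while node is not None and node not in chain:  # guard against a cyclic hierarchy
        chain.append(node)
        node = PARENT.get(node)
    return chain

def resolve(user: str, obj: str) -> Tuple[bool, str]:
    """Return (decision, deciding relation) so the result can be audited."""
    chain = lineage(obj)
    # Steps 1 and 2: a user relation on the object or its closest parent wins
    # outright, whatever the groups say.
    for node in chain:
        if (user, node) in PERMISSION:
            return PERMISSION[(user, node)], f"user:{node}"
    # Step 3: any "true" group relation on the object or a parent grants access;
    # a "false" on one group does not override a "true" on another.
    for group in sorted(MEMBER_OF.get(user, ())):
        for node in chain:
            if PERMISSION.get((group, node)) is True:
                return True, f"group:{group}:{node}"
    return False, "default"                  # nothing said "true"

def is_allowed(user: str, obj: str) -> bool:
    return resolve(user, obj)[0]

if __name__ == "__main__":
    for u in sorted(MEMBER_OF):
        print(u, resolve(u, "doc"))
```

Returning the deciding relation alongside the boolean makes it visible when a user-level "false" is masking a group grant, or when access comes from a relation on a parent rather than on the object itself.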