On 22.08.2012 11:46, Samuele Kaplun wrote:

Hi!

On Monday, 20 August 2012 14:48:27, Alexander Wagner wrote:
Guessing that there were some holidays involved,

Indeed!

Hope you enjoyed those well deserved days off :)

However, as far as I can see, it is not possible to have two
roles here, nor can I combine this with the "allow groups
'STAFF'" rule mentioned in the first example.

That's exact. If you go for role/firerole/group/email etc. only one value can
be currently specified.

Ok.

Also prefixing
with "firerole:" like

<datafield tag="FFT" ind1=" " ind2=" ">
<subfield code="a">/tmp/arwagner/fulltext.pdf</subfield>
<subfield code="r">role: 'Institutes-Role-ID'
firerole:allow groups 'STAFF'
</subfield>
</datafield>

doesn't work.

Yep. The involved parser does not expect this situation.

Ok. And I understand that I can not have

       role: 'Institues-Role-ID'
       role: 'hgfstaff'

either, as only one stanza is allowed and role does not allow the comma
syntax you describe below for firerules, i.e.

       role: 'Institutes-Role-ID','hgfstaff'

Right?

Alternatively, I could set up a new role by combining our
Institute-Role-ID with hgfstaff (matching 'STAFF' above),
but I do not see a way to accomplish this in firerole
language.

Unfortunately, since Firerole language is used mainly to directly define
roles, it is not possible to use roles as rules, because this might lead to
a definition loop (and would actually be quite complex to implement in an
efficient way).

Understood.

Maybe, this however is just thinking out loud now, our main issue stems
from the connection of roles and the concepts of a group of people that
should get this role. Together with certain rights on documents in a
collection. It is similar to the thesis-example except that we do not
have document types specified (noting that I didn't really understand
how this is done in your thesis example, it seems a bit special) but on
collection membership.

Say, we use external auth via LDAP, I get people belonging to group X.
On our systems this should trigger to have the right to see a certain
restricted collection and have access to the (sometimes otherwise
locked) full texts there. Now a document could belong to the collections
of group X, Y, Z, so we have the necessity for specifying several groups
with logical OR. In other words we want to have personal collections for
groups of people who log in via external auth and who should be able to
see everything in their collection and other open collections.

Could it be, that this is just not possible? Or do I just
miss the obvious?

Indeed, what you are aiming at is currently not possible. The first solution,
i.e. to have one firerole rule:

[...]
firerole: allow groups 'InstitutesID'
allow groups 'STAFF'
[...]

is currently the most flexible one. Note that you can also put it in one line
as in:
firerole: allow groups 'InstitutesID','STAFF'

Ok, sounds the way to go. As I understand it this would allow all users
belonging to the group InstitutesID or the group STAFF access to the
full text. Right?

[...]
role: 'Institutes-Role-ID'
firerole:allow groups 'STAFF'
[...]

I'll ticketize it.

Thanks :)

--

Kind regards,

Alexander Wagner
Subject Specialist
Central Library
52425 Juelich

mail : [email protected]
phone: +49 2461 61-1586
Fax  : +49 2461 61-6103
www.fz-juelich.de/zb/DE/zb-fi
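
A pre-upload check for the restriction values discussed in this thread, added here as an example (it is not Invenio's own parser and not code from either poster): it flags a value that mixes stanzas and evaluates the `allow groups` form against a user's groups. The function names, the reduced rule grammar, and the first-match, default-deny evaluation are assumptions of this example.

```python
import re

# Stanza keywords the thread lists for the FFT $r restriction subfield.
STANZA = re.compile(r"^\s*(role|firerole|group|email)\s*:", re.MULTILINE)
# Reduced rule grammar (assumption): only "allow|deny groups 'g1','g2'" lines.
RULE = re.compile(r"^(allow|deny)\s+groups?\s+(.+)$")


def check_restriction(value):
    """Return a list of problems found in one restriction value."""
    kinds = STANZA.findall(value)
    if len(kinds) > 1:
        return ["%d stanzas (%s): only one value can be specified"
                % (len(kinds), ", ".join(kinds))]
    return []


def parse_firerole(value):
    """Turn a 'firerole:' value into a list of (allow, groups) rules."""
    rules = []
    for line in value.split(":", 1)[1].splitlines():
        line = line.strip()
        if not line:
            continue
        match = RULE.match(line)
        if match is None:
            raise ValueError("unsupported rule: %r" % line)
        groups = set(re.findall(r"'([^']*)'", match.group(2)))
        rules.append((match.group(1) == "allow", groups))
    return rules


def is_allowed(rules, user_groups):
    """Assumption: first matching rule decides, no match means no access."""
    for allow, groups in rules:
        if groups & set(user_groups):
            return allow
    return False


if __name__ == "__main__":
    # Constructed sample values in the forms quoted in the thread.
    mixed = "role: 'Institutes-Role-ID'\nfirerole:allow groups 'STAFF'\n"
    single = "firerole: allow groups 'InstitutesID','STAFF'"
    print(check_restriction(mixed))
    print(check_restriction(single), is_allowed(parse_firerole(single), ["STAFF"]))
```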

