Permission Data Model

Permissions can be assigned to both Users and Groups. A user’s permission set is the sum of all permissions assigned to the User and the Groups he belongs to.

Permissions can restrict access based on only two things:

  • Media Type
  • Content Source (“Category”)

As mentioned above, Content Source permissioning is optional, and applies only to Media Types that declare a “SOURCE” field in ADM_FIELDS.

If Content Source permissioning is applied to a Media Type, a user needs access to BOTH the Media Type and that particular object’s Content Source to view/edit that item. This lets us segregate each Media Type per Content Source, letting us create scenarios such as:

  • User 1 has access to the Movies Media Type, but only for Movies in the category “Brazil”
  • User 2 has access to the Movies Media Type, but only for Movies in the categories “20th Century Fox” and “Sony Pictures”

Notice that an object may only belong to a single Content Source. Therefore, properly defining the structure of the Content Source tree based on how you need to assign permissions is critical to the operation of the system.

For each individual Media Type and Source, the following permissions can be granted:

  • Read
  • Write
  • Delete
  • Owner Read
  • Owner Write
  • Owner Delete

The first three are self-explanatory. The last three have the added restriction “to items you created”. So, granting a user “Read” and “Owner Write” permissions lets him view all items and create items, but only modify items he created. Granting a user only “Owner Read” and “Owner Write” permissions restricts this further, not even letting him view items created by other users.

It should be noted that the Read/Write/Delete permissions supersede the OwnerRead/OwnerWrite/OwnerDelete permissions. If a user has Read permission, the value set for the OwnerRead permission is ignored, and the same applies to Write and Delete.

Finally, permissions apply to objects as a whole. Currently there’s no way to apply permissions per field in Media-iBox.
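
The evaluation rules described on this page, as an added sketch that is not Media-iBox code. It assumes grants are stored per (Media Type, Content Source) pair and that sources match exactly, with no inheritance down the Content Source tree; all class, function and sample names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Grant:
    media_type: str
    source: Optional[str]   # None: the Media Type declares no SOURCE field
    perms: frozenset        # any of Read/Write/Delete and their "Owner ..." forms

@dataclass(frozen=True)
class Item:
    media_type: str
    source: Optional[str]   # an object belongs to exactly one Content Source
    creator: str

# Constructed sample policy (not real Media-iBox data).
USER_GRANTS = {
    "user1": [Grant("Movies", "Brazil", frozenset({"Read", "Owner Write"}))],
    "user2": [Grant("Movies", "Sony Pictures",
                    frozenset({"Owner Read", "Owner Write"}))],
}
GROUP_GRANTS = {
    "fox-team": [Grant("Movies", "20th Century Fox", frozenset({"Read"}))],
}
MEMBERSHIPS = {"user2": ["fox-team"]}

def effective_perms(user, item):
    """Sum of the user's own grants and those of every group they belong to,
    limited to grants matching the item's Media Type AND Content Source."""
    grants = list(USER_GRANTS.get(user, []))
    for group in MEMBERSHIPS.get(user, []):
        grants.extend(GROUP_GRANTS.get(group, []))
    perms = set()
    for g in grants:
        if g.media_type == item.media_type and g.source == item.source:
            perms |= g.perms
    return perms

def is_allowed(user, action, item):
    """action is 'Read', 'Write' or 'Delete' on an existing item."""
    perms = effective_perms(user, item)
    if action in perms:                 # full permission: Owner variant ignored
        return True
    # The Owner variant only applies to items the user created.
    return f"Owner {action}" in perms and item.creator == user
```

Because the check fails closed when no grant matches both the Media Type and the source, an item filed under the wrong Content Source silently becomes invisible to its intended users.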