The examples from beneath exemplify the creation of roles. The available services for role handling are listed in chapter Role administration.
Here is a simple example, a right that allows retrieving all revisions with the operation “getRevision”:
<right outcome="permitted">
<query>
restrict(=(
ima:webservice:operationName(ref("webservice:operations")),
const(("getRevision")
galaxy(webservice:operation))
</query>
<functions>execute</functions>
</right>
Figure 565: Example – right for document retrieval
The following right allows users to get only the latest revisions:
<right outcome="permitted">
<query>
restrict(=(
ima:webservice:operationName(ref("webservice:operations")),
const(("getLatestRevision")
galaxy(webservice:operation))
</query>
<functions>execute</functions>
</right>
Figure 566: Example – right for retrieval of latest revision
Permissions on documents
The following snippet (Example – permissions on existing documents) illustrates the definition of a role named “RoleStatisticsAmerica”, which combines rights and involves queries. This role allows read only access to all documents of the type “statistics”, and grants further rights to those documents of the type “statistics” with the country attribute being "Canada", "USA", or "Mexico". Notice however, that certain parts of this example are subject to an assumed specific ImageMaster environment that involves certain document types, which will not apply to any ImageMaster environment (detailed explanations follow beneath):
1 <ns:createRole>
2 <role name="RoleStatisticsAmerica">
3
4 <!--
5
6 This role allows creation, retrieval and modifications of documents
7 from the document type "statistics" with country "Canada", "USA" or
8 "Mexico".
9 General rights (such as WebService access and WebClient rights) are
10 defined in the role "CommonRights" referenced as a constituent.
11
12 -->
13
14 <combinator>union</combinator>
15 <constituents>
16 <roles>
17 <!-- common access rights -->
18 <role name="CommonRights"/>
19 </roles>
20 <rights>
21
22 <!-- Read-only access to the type definition of "statistics" -->
23 <right outcome="permitted">
24 <query>
25 restrict(=(ima:documentType:name(ref("documentTypes")),
26 const("statistics")), galaxy(documentTypes))
27 </query>
28 <functions>
29 <function>read</function>
30 </functions>
31 </right>
32 <!-- Full access to "statistics" for Canada, USA and Mexico -->
33 <!-- Access to revisions -->
34 <right outcome="permitted">
35 <query>
36 restrict(
37 and(
38 =(ima:documentType:name
(ima:revision:documentType(ref("revisions"))),
const("statistics")),
39 or(
40 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Canada")),
41 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("USA")),
42 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Mexico"))
)
),
43 galaxy(revisions))
44 </query>
45 <functions>
46 <function>lock</function>
47 <function>unlock</function>
48 <function>read</function>
49 <function>update</function>
50 <function>delete</function>
51 </functions>
52 </right>
53
54 <!-- Right to create revisions -->
55 <!-- Only documents where "statistics.result" is empty are allowed to
be created by this role for Canada, USA and Mexico -->
56 <right outcome="permitted">
57 <query>
58 restrict(
59 and(
60 =(ima:documentType:name(ima:revision:documentType
(ref("params:createRevision"))),
const("statistics")),
61 ima:attribute:isEmpty(ima:metadata:statistics.result
(ref("params:createRevision"))),
62 or(
63 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("Canada")),
64 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("USA")),
65 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("Mexico")))),
66 galaxy(params:createRevision))
67 </query>
68 <functions>
69 <function>create</function>
70 </functions>
71 </right>
72
73 <!-- Access to documents for Canada, USA and Mexico -->
74 <right outcome="permitted">
75 <query>
76 project(["document", ima:revision:document(ref(revisions))],
77 restrict(
78 and(
79 =(ima:documentType:name(ima:revision:documentType
(ref("revisions"))), const("statistics")),
80 or(
81 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Canada")),
82 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("USA")),
83 ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Mexico"))
)
),
84 galaxy(revisions)))
85 </query>
86 <allFunctions/>
87 </right>
88
89 <!-- Access to contents, content properties and binary objects
within these documents -->
90 <right outcome="permitted">
91 <query>galaxy(contents)</query>
92 <allFunctions/>
93 </right>
94 <right outcome="permitted">
95 <query>galaxy(contentProperties)</query>
96 <allFunctions/>
97 </right>
98 <right outcome="permitted">
99 <query>galaxy(binaryObjects)</query>
100 <allFunctions/>
101 </right>
102
103 </rights>
104 </constituents>
105 <description>Rights to access type "statistics" for Canada, USA and Mexico </description>
106 </role>
107 </ns:createRole>
In particular the role definition from Example – permissions on existing documents can be characterized by the following statements:
-
The role combines rights, and each is based on one query. These rights cover: read access to the type definition of statistics, execution of all functions regarding revision of statistics of the countries, the right (for the document type “statistics” of certain countries) to create revisions and with full access to documents of this type concerning access to contents, content properties and binary objects. The rights are formulated with a positive outcome i.e. each one is granting permission instead of prohibiting:
…
<right>
<right outcome="permitted">
…
</right>
</rights>
…
-
Within each query, which is used in the different sections “<right>”, there is a restriction which picks the document type “statistics”:
…
restrict(
and(=(ima:documentType:name
(ima:revision:documentType(ref("revisions"))),
const("statistics")),
or(…
…
-
Furthermore, within the queries concerning the full access rights, it is specified that only the countries “Canada”, “USA”, and “Mexico” are considered, as e.g. in the following lines:
…
or(
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Canada")),
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("USA")),
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("revisions")), const("Mexico")))),
…
-
Each query restricts the scope of the permission to the statistics documents of the countries “Canada”, “USA”, or “Mexico” based on an attribute with the name “statistics.country”
In general it must be ensured that an attribute name is unique. By convention in this example the attribute name “statistics.country” was chosen to point that the attribute belongs to the document type called “statistics”. Although attribute names technically need not include the corresponding document type name, such a naming convention is recommended.
-
The user with this role has the right to create revisions of the document type “statistics” (for “Canada”, “USA”, or “Mexico”). However, the role does not allow overwrite the attribute “statistics.result” if this is already filled with a value, as there is a condition that checks whether the attribute is empty:
restrict(
and(
=(ima:documentType:name(ima:revision:documentType
(ref("params:createRevision"))),const("statistics")),
ima:attribute:isEmpty(ima:metadata:statistics.result
(ref("params:createRevision"))),
or(
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("Canada")),
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("USA")),
ima:attribute:hasValue(ima:metadata:statistics.country
(ref("params:createRevision")), const("Mexico"))
)
),
galaxy(params:createRevision))