Managing Permissions and Roles

The authentication and authorization services are based on LDAP (Lightweight Directory Access Protocol). LDAP is an industry-standard protocol for accessing and maintaining distributed directory information services over an Internet Protocol network. It serves as a central place to store usernames and passwords, which allows many different applications and services to connect to the LDAP server to validate users.

Authentication

The Cleveland Metroparks LDAP Server tree is implemented as in the figure below:

[Figure: LDAP_tree.png, the Cleveland Metroparks LDAP server tree]

In the figure above, adding a user's uid to the memberUid attribute of a group automatically makes that user a member of the group. Once authenticated, the user is then allowed to perform the operations that its role permits. Anonymous users cannot access any of the NFD data.

import ldap
from django_auth_ldap.config import LDAPSearch, PosixGroupType

# Plain ldap:// on localhost; use ldaps:// or AUTH_LDAP_START_TLS = True
# when the directory server is not on the same host.
AUTH_LDAP_SERVER_URI = "ldap://localhost:389"


"""
Configuration for OpenLDAP
"""
# Service account used to search the directory. The value below is the one
# documented here; in a deployment load it from the environment or a secrets
# store rather than committing it to settings.py.
AUTH_LDAP_BIND_DN = "cn=admin,dc=nfd,dc=geo-solutions,dc=it"
AUTH_LDAP_BIND_PASSWORD = "1geosolutions2"
# Locate the user entry by uid anywhere under the base DN
AUTH_LDAP_USER_SEARCH = LDAPSearch("dc=nfd,dc=geo-solutions,dc=it",
    ldap.SCOPE_SUBTREE, "(uid=%(user)s)")


# Groups are posixGroup entries under ou=groups; membership is the memberUid attribute
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)")
AUTH_LDAP_GROUP_TYPE = PosixGroupType()

AUTH_LDAP_FIND_GROUP_PERMS = True       # grant permissions of the matching Django groups
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 300     # seconds
AUTH_LDAP_MIRROR_GROUPS = True          # create matching Django groups at login

# Boolean user fields set from group membership at every login. is_staff and
# is_superuser are standard Django fields; the is_<feature>_* flags are only
# persisted if the user model defines them.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_staff": "cn=nfdadmins,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_superuser": "cn=nfdadmins,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_plant_writer": "cn=plant_writer,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_plant_publisher": "cn=plant_publisher,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_animal_writer": "cn=animal_writer,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_animal_publisher": "cn=animal_publisher,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_slimemold_writer": "cn=slimemold_writer,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_slimemold_publisher": "cn=slimemold_publisher,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_fungus_writer": "cn=fungus_writer,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_fungus_publisher": "cn=fungus_publisher,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_naturalarea_writer": "cn=naturalarea_writer,ou=groups,dc=nfd,dc=geo-solutions,dc=it",
    "is_naturalarea_publisher": "cn=naturalarea_publisher,ou=groups,dc=nfd,dc=geo-solutions,dc=it"
}

# LDAP attributes copied onto the Django user record
AUTH_LDAP_USER_ATTR_MAP = {
    "first_name": "cn",
    "last_name": "sn",
    "email": "mail"
}

Authorization

Groups and Roles

The existing features in the portal are Animals, Plants, Fungi, Slime mold, and Natural areas. Each feature has two corresponding groups in the LDAP tree, Feature_Writer and Feature_Publisher (e.g. Animals_Writer and Animals_Publisher).

Feature_Writer members are allowed to add new features of that type; new features are saved but not published by default. They are allowed to edit their own features and features added by other members of the same group. Modifying an existing feature automatically creates a new version of that feature and unpublishes it.

Note

Unpublished features won’t be visible to other users not belonging to that group.

Feature_Publisher members can view all the features of that type and, if a feature is unpublished, they can publish it. Publishing makes the feature accessible to other authenticated users (beyond the author and the other members of the Feature_Writer and Feature_Publisher groups).

Note

Only published features are visible (read-only) to authenticated users who do not belong to either of the above groups for that feature type.

A user can be a member of both, just one or none of the above groups for each feature.
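As an added example (not part of the original documentation or the portal's code), the rules above expressed as Python policy checks over posixGroup-style memberUid membership; the group contents, uids and the Feature class are constructed sample data, not the real directory or model.

```python
"""Authorization decisions for NFD features, following the Groups and Roles rules.

Membership is modelled the way the LDAP tree does it: a posixGroup's memberUid
list. GROUPS below is constructed sample data standing in for ou=groups.
"""
from dataclasses import dataclass

# Constructed sample of the ou=groups subtree: group cn -> memberUid values.
GROUPS = {
    "plant_writer": ["alice", "bob"],
    "plant_publisher": ["carol"],
    "animal_writer": ["dave"],
}


def groups_of(uid):
    """cn of every group whose memberUid lists uid (uid None means anonymous)."""
    return {cn for cn, members in GROUPS.items() if uid in members}


@dataclass
class Feature:
    category: str          # "plant", "animal", "fungus", "slimemold", "naturalarea"
    author: str
    published: bool = False  # new features are saved unpublished by default
    version: int = 1


def can_view(uid, feature):
    if uid is None:                       # anonymous users see no NFD data
        return False
    if feature.published:                 # any authenticated user, read-only
        return True
    g = groups_of(uid)                    # unpublished: group members only
    return f"{feature.category}_writer" in g or f"{feature.category}_publisher" in g


def can_edit(uid, feature):
    # Writers may edit their own and other members' features of that type.
    return uid is not None and f"{feature.category}_writer" in groups_of(uid)


def can_publish(uid, feature):
    return uid is not None and f"{feature.category}_publisher" in groups_of(uid)


def edit(uid, feature):
    """A writer's edit creates a new version and unpublishes the feature."""
    if not can_edit(uid, feature):
        raise PermissionError(f"{uid!r} is not a {feature.category}_writer")
    feature.version += 1
    feature.published = False
    return feature


def publish(uid, feature):
    if not can_publish(uid, feature):
        raise PermissionError(f"{uid!r} is not a {feature.category}_publisher")
    feature.published = True
    return feature
```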