Origin properties do not need privileges. Relationships accessed directly through an edge request, through request fields, and through body attributes (such as during a patch) do need privileges.
The approach should be to implement the current access rules through a DelegatedAdmin RequestVisitor and add support for relationship fields filtered by privileges.
- Access rules removed - Should work for origin, relationships and edge.
- Access rules left in place - Should work for relationships and edge with original rules handling origin requests.
- Document how to move/update from using access rules to DAF handling of origin ownData. -> remove access rules, enableDynamicRoles : true, ...
- Determine precedence of schemaConfig such as isViewable/userEditable over privileges that have permission otherwise.
EDIT: This will not be enforced by Java. The customer needs to understand their own implementation with access.json rules, router-authz customizations and custom-authz customizations, and then create privileges that work with them.
The reason is that we cannot natively enforce in the source something that is meant to be configured/customized by the customer.
To make privileges for accessing your own data, a filter of "_id eq '_id'" on the privilege applies that privilege only to a resource whose _id matches that of the authenticated resource.
- depends on OPENIDM-13944 Investigate: "Own data" when a delegated administrator reads their own _id with relationship fields (Closed)