
How to obtain permissions from a given RIC with openDACS

Within a given service, I would like to check permissions for a given RIC/item name.

Subscription Based Entitlement allows for checking against a service name, which returns expected results, but also allows for checking a service and item name. However, when checking the subscription, regardless of the data that is given in the item name, if the user has permissions to access the service, the check always returns an ACCESS_ALLOWED, even if the user does not have permissions to access the given item name. Is this the correct way to check the permissions for a RIC with openDACS?

Searching online, the only other alternatives I have found suggest using the Content Based Subscription and providing a dacsLock, however this is not possible in my case as I do not have the PE list, only the service name and RIC.

Any help would be greatly appreciated.

Thanks



Hello @jjmarlow,

Is the service you are checking permission on defined in your DACS as content-based service or subject-based service?

The approach you use for checking needs to be consistent with the service definition in DACS.

Content-based service: only content-based checks. Subject-based service: subject-based checks.


Hello @jjmarlow,

Let's step back and remind ourselves that OpenDACS is a view, a window, into the DACS permission system.

DACS contains definitions of the services available, and permissions assigned to users, at any point of time, that are based on the service type.

Content-based service, the most common, is permissioned based on Permission Entities (PEs), and each item will carry the info on the PE(s) required to access it.

Subject-based: permissioning is based on subject, usually wildcard. Service-level permissions services are binary, yes or no, based on service.

OpenDACS is intended to perform a permission check, to answer if a specific user should be allowed access to an item, from a service, at a specific point of time, based on permissions contained within DACS.

The way this question can be answered by OpenDACS is either by a checkSubscription test, or by comparing the list of PEs assigned to the user (getPEList) with the PE requirement with the item.

The knowledge of what PEs are required to access an item is not necessary to answer this question, and is not contained within DACS. This info is with the source of the content, the publisher. And it can change, be changed, by the service, so it is valid at the point of time when the item is requested.

If you are looking to determine this info at a specific point of time, the best way is to subscribe to the item and to capture the PEs requirement with it.

Did I get the question right, is this the information you are looking for?


Hi Zoya, thanks for your response.

> Subject-based- permissioning is based on subject, usually wild-card. Service-level permissions services are binary, yes or no, based on service.
> OpenDACS is intended to perform permission check, to answer if a specific user should be allowed access to an item, from a service, at a specific point of time, based on permissions contained within DACS.

It is this second case that you mention that I am specifically trying to achieve. If I understand you correctly, I should be able to use OpenDACS to check permissions for a user within a service for a given item name, at a particular point in time. This is what the subject-based service description and the subject-based service tutorials also seem to indicate, but I am receiving inconsistent results for the given item name/RIC. It seems as though if the user has permissions to the service, an ACCESS_ALLOWED is always returned, and seemingly no check is done on the item name.

Maybe I am misunderstanding something, but what exactly is the purpose of providing an item name in a subject-based service check? I had expected that this should return with the binary yes/no that you mentioned if the user has permissions for both the service and the RIC.

To clarify, is there a way to use OpenDACS to check permissions for a user for a given service name and RIC, without having to first obtain its PEs?
