RO protection
Research Object has one author (creator) and this is a start point. Research object can have many contributors as well as be totally private, be read-only and so on. Everything depends on the Research Object mode defined by creator and permission granted by him.
- PRIVATE - private mode makes Research Object invisible for everyone who doesn't have specific permissions. Access to private ROs is given by permission links. The permission link is generated by author of RO for a particular user to let them read or edit.
- PUBLIC - public is a default mode. It makes Research Object visible and readable for everyone. People with the contributor role can edit.
- OPEN - It makes Research Object visible, readable and editable for everyone.
Roles
- OWNER - Can change Research Object mode, grant permission, delete Research Object and edit.
- EDITOR - Can read and edit (Can upload new resources to Research Object and edit those already existing).
- READER - Can read (Can search for Research Objected and its annotations. Can also download a Research Object or particular resource aggregated in this Research Object).
Granularity
For simplicity, in the first implementation permissions can be applied only to Research Objects. The implementation and API should be easy to extend on other containers (folders) or even single resources if it's needed. In general in this concept everything what has own uri can be protected by access control policy if it's needed.
API
Granting Rules
add new role/roles
delete an existing role
query roles
Setting Research Object mode
set mode
query mode
Generate a permission link
add new role/roles
delete an existing permission link
query permission links