Permissions, rights and governance

Marc Dutoo edited this page Jan 11, 2016 · 15 revisions

This document targets app developers.

Ozwillo & Datacore Actors

Ozwillo is an App Store, so its actors are, in the words of the OAuth2 authentication standard it uses:

  • the resource owner, i.e. commonly the user (identified in the token by its sub) or (users belonging to) its organization (identified in the token by sub_groups). However, when the user is unknown, such as when importing an existing database in batch mode, it can be a system account, for example the application itself (i.e. its developer), its instance (i.e. the buyer), or the IT service provider that has installed it, if any. Such system accounts use refresh tokens to get authenticated.
  • the resource, i.e. Datacore data resources
  • the client, i.e. the application instance that has authenticated the user and has consequently received an access token with the scopes that the user has granted to it, e.g. email, address, datacore, datacore_organization.

Resource ownership defaults to its creator

(unless creator is not author, in which case the author should be allowed to claim rights)

Given these types of Ozwillo actors, the most common way Ozwillo works is that users create data resources and own them, meaning that they have full rights over them. Business domain owners (often application developers) usually still keep admin rights over any data created in the business domain that they have designed, i.e. any data of this business domain's projects and models (the models being, in turn, data resources owned by those business domain owners).

New applications developed for Ozwillo can and should be developed along this scheme right away.

Existing applications, on the other hand, usually have existing data whose original contributing users are not known or not (yet) on Ozwillo. In this case, existing data must be imported, either with the Datacore online Import tool or by directly calling the Datacore API, and in both cases by using a system / application / developer account. Ideally, however, the application should allow users to claim back rights over the data they contributed, for instance by checking the user account's email (available in access tokens with the scope "email") against user emails that are still stored in the original application database.
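
One way to implement the email check described above, shown as an added example (not code from the Ozwillo project). It assumes the application has already validated the access token and extracted its claims and granted scopes; the `LegacyRecord` type, the `email_verified` claim and the sample URIs are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LegacyRecord:
    resource_uri: str       # URI of the imported Datacore resource (constructed)
    contributor_email: str  # email still stored in the original application DB


# Constructed sample rows; URIs and addresses are placeholders.
SAMPLE_RECORDS = [
    LegacyRecord("https://data.example.org/dc/type/sample:Place_0/1", "ann@example.org"),
    LegacyRecord("https://data.example.org/dc/type/sample:Place_0/2", "Bob@Example.org"),
    LegacyRecord("https://data.example.org/dc/type/sample:Place_0/3", "ANN@example.org "),
]


def normalize_email(email):
    """Trim and case-fold so legacy spellings compare equal."""
    return email.strip().casefold()


def claimable_resources(token_claims, granted_scopes, legacy_records):
    """Return sorted URIs of imported resources the token's user may claim.

    Fails closed: a missing "email" scope, a missing email claim or an
    unverified email all yield an empty list.
    """
    if "email" not in granted_scopes:
        return []
    email = token_claims.get("email")
    # Assumption: the token carries an OpenID Connect style "email_verified"
    # claim. An unverified address proves nothing about mailbox ownership.
    if not email or token_claims.get("email_verified") is not True:
        return []
    wanted = normalize_email(email)
    return sorted(
        r.resource_uri
        for r in legacy_records
        if normalize_email(r.contributor_email) == wanted
    )


if __name__ == "__main__":
    claims = {"sub": "user-123", "email": "Ann@Example.org", "email_verified": True}
    for uri in claimable_resources(claims, {"email", "datacore"}, SAMPLE_RECORDS):
        print("claimable by", claims["sub"], "->", uri)
```

The returned URIs are the resources on which the importing system account would then grant rights to the user (the token's sub); that Rights API call is not shown.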

Why should users own the data they contribute, rather than, for example, the application? Because otherwise users won't be able to use another application to manage that data, meaning that 1. Ozwillo won't be able to achieve its mission of fostering the emergence of new use cases (i.e. new applications by different developers) of existing data, and 2. users won't be able to use Ozwillo-developed tooling to manage their data, that is, for now, use the Datacore Playground, and later compare, merge, check and ensure quality. In other words, Ozwillo Datacore would become a mere application database (like an SQL database) rather than a collaborative data management platform (like a document or content management solution), and applications would become data silos that would be very hard to get out of later.

Ownership beyond creator: the example of organizations

How can ownership of a Resource be given to people other than its creator?

Here's how organization rights work with the Portal:

  • anybody can CREATE an org (as configured in /dc/type/dcmp:Project_0/org_1 by dcmp:securityDefaults.dcms:isAuthentifiedCreatable : true)
  • but when created, its ownership is automatically given to the creator, who is the only one that can modify it (except members of the Ozwillo Datacore org Admins in My Network)
  • so the Portal uses a system account to modify it and to also give its ownership to the Kernel organization that corresponds to this Datacore organization
  • concretely, AtolCD Kernel admins have created a refresh token for this Portal system account, so the Portal system account can use it to log in, i.e. get an access token that will have the rights to GET and PUT this dc org's rights using the Datacore Rights API (have a look at it in the Playground at ex.!/r/replaceRightsOnResource_put_2 and at the details in How to use Rights API and setup permissions)
  • and then all members of the Kernel org can modify / update their Datacore org

The same process can be used to configure any other rights policy (for example, giving rights to your organization's IT admin).

So in a few words, you have to talk to AtolCD Kernel admins (and Ozwillo admins) in order to get such a refresh token (and maybe for another, dedicated account) if you want people other than the original creator to update the data.
