How it Works
How access control is checked is best explained through an example. Let's assume that Joe is attempting to edit the task T. The steps Celoxis would follow to determine if Joe can do this are:
Check for the administrative privilege
If Joe has administrative privilege, then he will be granted the privilege. No other check is required.
Determine the privilege required
Joe would require the Edit Task : Granted privilege on T
Check if the project can be viewed
Since T belongs to a project, the system will check if Joe has the View Project : Granted on T's project. If no, Joe will be denied the Edit Task privilege.
Gather all security roles played by the user
The system will build a set of all roles that Joe plays in T. This would include :
- All roles assigned to Joe in the project's workspace.
- All roles assigned to Joe in the project.
- Auto-assigned roles to Joe for the project and T.
Build the set of all privileges
Since a security role is a collection of privileges, based on all the roles played by Joe, the system would build a set of all the privileges for all the roles played by Joe collected in the previous step.
Check if the privilege has been unanimously granted
If the collection of privileges includes Edit Task : Granted and does not include Edit Task : Denied, then Joe will be granted the permission to edit the task T; else the permission will be denied.