Permissions - Revision history
https://wiki.davical.org/index.php?title=Permissions&feed=atom&action=history
Revision history for this page on the wiki (MediaWiki 1.40.1), 2024-03-29T15:34:30Z
https://wiki.davical.org/index.php?title=Permissions&diff=3752&oldid=prev
Fsfs, 2017-06-12T12:02:06Z:
<p>reference LDAP group sync settings, caldav scheduling is RFC now</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:02, 12 June 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l35">Line 35:</td>
<td colspan="2" class="diff-lineno">Line 35:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== How can I translate my LDAP Groups into DAViCal groups ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== How can I translate my LDAP Groups into DAViCal groups ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* At present you cannot do this, but patches will be reviewed promptly!</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Since </ins>0.9.9<ins style="font-weight: bold; text-decoration: none;">, the LDAP driver can sync LDAP groups to DAViCal: [[Configuration/Authentication_Settings/LDAP_groups]]</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">* This feature will be present in </del>0.9.9</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Do members inherit the access rights of the group user? ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Do members inherit the access rights of the group user? ===</div></td></tr>
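Review bot: the added line "Since 0.9.9, the LDAP driver can sync LDAP groups to DAViCal: [[Configuration/Authentication_Settings/LDAP_groups]]" drops the leading "* " that both removed lines carried, so this answer no longer renders as a list item; restore the bullet or confirm that a plain paragraph is intended. It would also help to say in the same sentence whether synced groups confer grants in the same way as manually created groups, since the next heading ("Do members inherit the access rights of the group user?") is about exactly that.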
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l70">Line 70:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:read-free-busy </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:read-free-busy </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Furthermore, <del style="font-weight: bold; text-decoration: none;">with the approach of </del>{{CalDAV Scheduling RFC}} several further CalDAV permissions <del style="font-weight: bold; text-decoration: none;">are added</del>:</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Furthermore, {{CalDAV Scheduling RFC}} <ins style="font-weight: bold; text-decoration: none;">adds </ins>several further CalDAV permissions:</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:schedule-deliver-invite</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:schedule-deliver-invite</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:schedule-deliver-reply</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>* CALDAV:schedule-deliver-reply</div></td></tr>
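Review bot: the rewritten sentence at new line 69 still pairs "Furthermore" with "several further", which reads as a repetition; drop one of the two. Since the edit summary says scheduling is an RFC now, also check that the {{CalDAV Scheduling RFC}} template renders the published RFC reference rather than a draft name, because the sentence relies on the template alone for its citation.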
<!-- diff cache key davical:diff::1.12:old-3602:rev-3752 -->
</table>Fsfs
https://wiki.davical.org/index.php?title=Permissions&diff=3602&oldid=prev
Gorka, 2015-12-03T12:34:13Z:
<p>Added a link to davical.org/administration where the basic concepts of users, groups etc. are explained</p>
<p><b>New page</b></p><div>{{TOCright}}<br />
== Overview ==<br />
<br />
For a general overview of Users, Resources and Groups, and some configuration examples, please refer to the information given on the [http://davical.org/administration.php DAViCal project website]. This page only provides background information for the instructions given on the website.<br />
<br />
Essentially the permissions are divided into two parts, from a user perspective:<br />
<br />
* Groups - ways of grouping a set of users together.<br />
* Grants - ways of providing access to a user, or a group of users.<br />
<br />
DAViCal also implements a concept of "default privileges", so that as well as granting specific privileges to a user or group, you may grant privileges to 'everyone'.<br />
<br />
=== Grouping ===<br />
<br />
A 'group' is in effect any user, although in a normal installation these will be users who are specially set up to mediate between an individual and a set of permissions. The group (or someone with administrative rights to the group) controls who is a member. Groups may also be members of other groups, although multiple levels of nesting can add significant overhead and it is recommended that you keep this shallow.<br />
<br />
=== Granting ===<br />
<br />
The permissions which can be granted are fine-grained and map directly to the DAV privileges defined in RFC 3744, and to the other privileges from CalDAV and so forth. All permissions are stored as a bitmap, so permission operations and tests are much simpler logical '''''AND''''' or '''''OR''''' operations.<br />
<br />
=== Collection-level Privileges ===<br />
<br />
While grants can still be applied between users, as with relationships in older DAViCal versions, they can now also be applied to collections, so a user might grant more public rights to one [calendar] collection, while restricting access to another.<br />
<br />
== Questions ==<br />
<br />
=== How do I make new users members of a default group on creation ===<br />
''Prior to 0.9.8 it was possible to make new users automatically be set up with some default relationships. How do I do this now?''<br />
* From 0.9.8 you should configure the targets of any default access to grant privileges by default. This is much more flexible, and means that an individual user might configure an individual calendar to have global access.<br />
* You can also configure the set of default privileges which are granted by new users (to everyone) by setting the [[Configuration/settings/default_privileges|'''$c->default_privileges''']] value in your configuration file with something like:<br />
$c->default_privileges = array('read-free-busy', 'schedule-deliver');<br />
(i.e. to allow free-busy access from anyone, which is the default). The names of all of the privileges which can be used in the array are listed below.<br />
<br />
Note that these default privileges are only what is assigned when a new principal (i.e. a user, group or resource) is created. If you change this default it won't apply to any previously created principals.<br />
<br />
=== How can I translate my LDAP Groups into DAViCal groups ===<br />
* At present you cannot do this, but patches will be reviewed promptly!<br />
* This feature will be present in 0.9.9<br />
<br />
=== Do members inherit the access rights of the group user? ===<br />
Yes. Group membership is transitive (each member of a group receives the privileges granted to that group) and additive (if you are a member of several groups, each granted different privileges to the same resource, your effective privileges will include all of the privileges granted to any of the groups you are a member of).<br />
<br />
So members of a 'resource administrators' group granted write access to a set of resources might also be members of a 'resource users' group which only has read access granted to it, and the administrators will receive read+write access as a result.<br />
<br />
=== Do other group members gain access to my collections? ===<br />
Group members will only gain access to your collections if you grant them access to your collections. They won't gain access by default. All access is granted either through explicit '''''Grants''''' by a collection or a principal, or through setting the default privileges on a collection or a principal.<br />
<br />
=== Further Reading ===<br />
<br />
Take a look at [[Permissions/Examples]] for some more examples of how to do particular things within the new permissions model, and look into [[Configuration/settings/default_privileges]] for details of setting the default privileges granted by new users.<br />
<br />
== What the Privileges Mean ==<br />
<br />
The DAV permissions are as follows: <br />
* read <br />
* write-properties <br />
* write-content <br />
* unlock <br />
* read-acl <br />
* read-current-user-privilege-set <br />
* write-acl <br />
* bind <br />
* unbind <br />
<br />
Some permissions are aggregate:<br />
* write - aggregate of write-properties, write-content, bind & unbind<br />
* all - aggregate of all permissions<br />
<br />
Since none of those cover what might be desirable for Freebusy there is an additional one defined by CalDAV, which is: <br />
* CALDAV:read-free-busy <br />
<br />
Furthermore, with the approach of {{CalDAV Scheduling RFC}} several further CalDAV permissions are added:<br />
* CALDAV:schedule-deliver-invite<br />
* CALDAV:schedule-deliver-reply<br />
* CALDAV:schedule-query-freebusy<br />
* CALDAV:schedule-send-invite<br />
* CALDAV:schedule-send-reply<br />
* CALDAV:schedule-send-freebusy<br />
<br />
Two more aggregate permissions are also added with this RFC:<br />
* CALDAV:schedule-deliver - CALDAV:schedule-deliver-invite, CALDAV:schedule-deliver-reply and CALDAV:schedule-query-freebusy<br />
* CALDAV:schedule-send - CALDAV:schedule-send-invite, CALDAV:schedule-send-reply and CALDAV:schedule-send-freebusy<br />
<br />
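The following Python sketch is an added example, not DAViCal's own code: it stores privileges as a bitmap, expands the aggregate privileges listed above, and ORs together every group grant that reaches a user, which reproduces the administrators/users case from the Questions section. The bit positions, principal names and the resource name are constructed for the example, privilege names follow the style of the <code>$c->default_privileges</code> array, and it assumes grants pass down through nested groups; default privileges and any precedence between principal-level and collection-level grants are not modelled.<br />

```python
# Added illustration. Bit positions are constructed for this example and are
# not DAViCal's internal values; principal and resource names are invented.
ATOMIC = [
    "read", "write-properties", "write-content", "unlock", "read-acl",
    "read-current-user-privilege-set", "write-acl", "bind", "unbind",
    "read-free-busy", "schedule-deliver-invite", "schedule-deliver-reply",
    "schedule-query-freebusy", "schedule-send-invite", "schedule-send-reply",
    "schedule-send-freebusy",
]
BIT = {name: 1 << i for i, name in enumerate(ATOMIC)}
AGGREGATE = {
    "write": ["write-properties", "write-content", "bind", "unbind"],
    "schedule-deliver": ["schedule-deliver-invite", "schedule-deliver-reply",
                         "schedule-query-freebusy"],
    "schedule-send": ["schedule-send-invite", "schedule-send-reply",
                      "schedule-send-freebusy"],
    "all": ATOMIC,
}

def to_mask(names):
    """OR together the bits for privilege names, expanding aggregates."""
    mask = 0
    for name in names:
        mask |= to_mask(AGGREGATE[name]) if name in AGGREGATE else BIT[name]
    return mask

def holds(mask, *names):
    """AND test: True only if every named privilege is present in mask."""
    want = to_mask(names)
    return (mask & want) == want

def principals_of(user, member_of):
    """The user plus every group reached through nested membership."""
    seen, todo = set(), [user]
    while todo:
        p = todo.pop()
        if p not in seen:          # the seen set also stops membership cycles
            seen.add(p)
            todo.extend(member_of.get(p, ()))
    return seen

def effective(user, resource, grants, member_of):
    """Additive rule: OR of every grant on resource that reaches the user."""
    mask = 0
    for p in principals_of(user, member_of):
        mask |= to_mask(grants.get((resource, p), []))
    return mask

# Constructed sample data, following the administrators/users case above.
MEMBER_OF = {"alice": ["resource-admins", "resource-users"],
             "bob": ["resource-users"], "resource-users": ["staff"]}
GRANTS = {("room1", "resource-admins"): ["write"],
          ("room1", "resource-users"): ["read"],
          ("room1", "staff"): ["read-free-busy", "schedule-deliver"]}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        m = effective(user, "room1", GRANTS, MEMBER_OF)
        print(user, [n for n in ATOMIC if m & BIT[n]])
```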
=== read ===<br />
Grants basic read access to the principal or collection.<br />
<br />
=== write-properties ===<br />
Grants access to update properties of the principal or collection. In DAViCal, when granted to a user principal, this will only grant access to update properties of the principal's collections and not the user principal itself. When granted to a group or resource principal this will grant access to update the principal properties.<br />
<br />
=== write-content ===<br />
Grants access to write content (i.e. update data) to the collection, or collections of the principal.<br />
<br />
=== unlock ===<br />
Grants access to write content (i.e. update data) to the collection, or collections of the principal.<br />
<br />
=== read-acl ===<br />
Grants access to read ACLs on the collection, or collections of the principal.<br />
<br />
=== read-current-user-privilege-set ===<br />
Grants access to read the current user's privileges on the collection, or collections of the principal.<br />
<br />
=== write-acl ===<br />
Grants access to writing ACLs on the collection, or collections of the principal.<br />
<br />
=== bind ===<br />
Grants access to creating resources in the collection, or in collections of the principal. Created resources may be new collections, although it is an error to create collections within calendar collections.<br />
<br />
=== unbind ===<br />
Grants access to deleting resources (including collections) from the collection, or from collections of the principal.<br />
<br />
=== CALDAV:read-free-busy ===<br />
Grants other users the privilege to query my free/busy, via the CalDAV free-busy-query report.<br />
<br />
=== CALDAV:schedule-deliver ===<br />
<br />
These privileges will typically be granted wholesale within a small business or workgroup environment, where everyone should be able to schedule meetings.<br />
<br />
==== CALDAV:schedule-deliver-invite ====<br />
Grants other users the privilege to deliver invitations to me.<br />
<br />
==== CALDAV:schedule-deliver-reply ====<br />
Grants other users the privilege to deliver replies to invitations I sent to them.<br />
<br />
==== CALDAV:schedule-query-freebusy ====<br />
Grants other users the privilege to query my free/busy, via the methods defined in the scheduling extensions to CalDAV.<br />
<br />
=== CALDAV:schedule-send ===<br />
<br />
These privileges will typically be granted by a person to their assistant, or to the people in their team, or direct manager, who might be expected to schedule meetings on their behalf. You would expect these to be granted along with the 'write-content', 'bind' and 'unbind' privileges.<br />
<br />
==== CALDAV:schedule-send-invite ====<br />
Grants other users the privilege to send invitations on my behalf.<br />
<br />
==== CALDAV:schedule-send-reply ====<br />
Grants other users the privilege to reply to invitations on my behalf.<br />
<br />
==== CALDAV:schedule-send-freebusy ====<br />
Grants other users the privilege to send freebusy queries on my behalf.<br />
<br />
== Notes ==<br />
=== iCal Does Not See Granted Calendars ===<br />
Apple iCal only sees delegations at the principal level, so if you are using iCal and you wish to grant access to only a subset of your collections it is necessary to first grant access by default to the principal, and then set narrower privileges on each individual collection which you want to restrict access to.<br />
<br />
At present iCal will '''''not''''' see the calendar if you grant a default of restricted privileges at the principal level, and grant broader specific privileges to individual calendars.</div>Gorka