User Roles

Although you can assign permissions to individual Users, doing so unnecessarily complicates administration. You should instead assign permissions to Roles and make the Users members of those Roles. The Oware security framework was designed according to this paradigm.

When you assign permission to a specific User it overrides any permissions based on the User’s Roles. Assigning permission to an individual User rather than a Role results in that User having that specific permission and no other. This behavior also applies to permissions granted to OWPublic. The User specific permission assignment negates any OWPublic assignments to the same extended target. This lets you revoke permissions when a User’s rights should be limited and is an effective means for the administrator to handle exceptions to a general policy.

To assign rights to all Users, except those with specific permission assignments, the administrator may assign permissions OWPublic User. The permissions assigned to OWPublic combine with any permissions the User receives as a result of Role membership. Permissions assigned to OWPublic also apply any time a specific User identity has not been established via authentication.

There is also a special User identity that is used by Oware’s internal processes. The OWSystem User has full rights; all permission checks on the OWSystem User succeed. The OWSystem User does not appear in the Oware management center. Use of the OWSystem User is a development function.

To manage Roles, from the Oware Management Center, double-click the Policy > Roles node to produce the Roles dialog (Figure 21-1).

Figure 21-1  Roles + Edit/Add Roles Dialog

Here, you can Add, Edit, and Delete Roles that name and describe user permissions in Oware.