Labstory has a flexible system for controlling access to documents. It may be customized for local installations for most likely it will be similar to what it presented here.
The permissions are based on a Role-Based Access Model (RBAC). It is based on the following principles:
When logging in, the server assigns you roles depending on how you authenticated and the server configuration. You may for instance log in using your private cryptographic key, which commonly will assign you the role a:YourAuthorID. If you login by user/pass, you may obtain u:UserName. However, additional roles may be assigned depending on local fine tuning.
There are only a few permissions available for roles:
a | Administrator (can do anything) |
---|---|
c | Can create new documents |
Permissions on a document apply to one particular role and the following ones are default:
v | Document is visible |
---|---|
r | Can read the document |
e | Can edit the document (limited) |
E | Can edit the document (full access) |
d | Can delete document |
s | Can share permissions with others |
When a document is first created, some set of standard permissions will be applied to it. It is expected that the roles of the one that created it will at least get “vres”-access. This can be set by the administrator. After creating it, the user may wish to add additional permissions to let his/her group be able to read or edit it.
The limited edit access makes it illegal to modify signed parts of the document or delete signatures. Thus once a part of the document has been signed, the editing is locked for all future. New signatures may however be added at any time point, though with less value than had the document been signed right away.