Hi,
There are four ways (perhaps there are more) to grant the user U the privilege P over the object O:
********************
(1) Through the context hierarchy:
O's security context points to an object O2 over which U has the privilege P, and O's security_inherits_p = 't'
(2) Through a direct privilege grant:
i- Adding the row [O_object_id, U_user_id, P] to the table "acs_permissions" (instead of P it is possible to use P', where P is included in P' through the privilege hierarchy)
(3) Through party hierarchy without relational segments:
i- Creating the group G
ii- Adding U to G through a membership_rel or composition_rel relation (or a relation that inherits from either of them)
iii- Adding the row [O_object_id, G_group_id, P] to the table "acs_permissions" (instead of P it is possible to use P', where P is included in P' through the privilege hierarchy)
(4) Through party hierarchy with relational segments:
i- Creating the group G
ii- Creating a new relation type R that inherits from membership_rel or composition_rel
iii- Creating the relational segment S that relates G with R
iv- Adding the row [O_object_id, S_segment_id, P] to the table "acs_permissions" (instead of P it is possible to use P', where P is included in P' through the privilege hierarchy)
v- Adding U to G using the function membership_rel__new or composition_rel__new where the parameter "rel_type" is R
********************
At the end, the permission checking is done with the following statement in the query's where clause:
exists (select 1
        from acs_object_party_privilege_map ppm
        where ppm.object_id = O.object_id
          and ppm.party_id = U.user_id
          and ppm.privilege = 'P')
The view "acs_object_party_privilege_map" consolidates the tables: "acs_permissions", "party_approved_member_map", "acs_object_context_index", and "acs_privilege_descendant_map".
Well, I have the following doubt about the permission inheritance from a relational segment (through the fourth option):
How is the row [S_segment_id, O_object_id, tag] added to the table "party_approved_member_map" when, for example, the function membership_rel__new is used?
I understand that, when S is created, the trigger "rel_segments_in_tr" adds all the elements E included in G through the relation R to "party_approved_member_map" as [S_segment_id, E_element_id, tag]. But I'm not able to track how the row [S_segment_id, E_element_id, tag] is added to "party_approved_member_map" when E is added to G in the case where S has already been created.
Thanks a lot for the help!
Jorge.
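As an added illustration of the four grant paths and the consolidated view described in the post above (this is example code written for this page, not part of Jorge's post and not OpenACS code), here is a small SQLite model. Assumptions it makes: the three maps that acs_object_party_privilege_map consolidates are, in OpenACS, tables kept current by triggers (which is exactly what the question is about); here they are views derived from the base tables with recursive CTEs, composition_rel nesting is not expanded transitively, and a segment matches its rel_type exactly rather than including subtypes. Table and column names follow the post; the rel type "project_member_rel", the privilege "approve" and all ids are constructed sample data.

```python
"""OpenACS-style permission check modelled in SQLite (added example, not OpenACS code).

Assumptions: in OpenACS the maps consolidated by acs_object_party_privilege_map are
tables maintained by triggers; here they are views derived from the base tables with
recursive CTEs, composition_rel nesting is not expanded transitively, and a segment
matches its rel_type exactly.  Table and column names follow the post."""
import sqlite3

SCHEMA = """
CREATE TABLE acs_objects (object_id INTEGER PRIMARY KEY, context_id INTEGER, security_inherits_p INTEGER);
CREATE TABLE acs_rel_types (rel_type TEXT PRIMARY KEY, supertype TEXT);
CREATE TABLE acs_rels (rel_id INTEGER PRIMARY KEY, rel_type TEXT, object_id_one INTEGER, object_id_two INTEGER);
CREATE TABLE rel_segments (segment_id INTEGER PRIMARY KEY, group_id INTEGER, rel_type TEXT);
CREATE TABLE acs_privilege_hierarchy (privilege TEXT, child_privilege TEXT);
CREATE TABLE acs_permissions (object_id INTEGER, grantee_id INTEGER, privilege TEXT);

-- (1) context hierarchy: climb context_id for as long as security_inherits_p is set
CREATE VIEW acs_object_context_index AS
WITH RECURSIVE ctx(object_id, ancestor_id, n_generations) AS (
    SELECT object_id, object_id, 0 FROM acs_objects
    UNION ALL
    SELECT c.object_id, o.context_id, c.n_generations + 1
    FROM ctx c JOIN acs_objects o ON o.object_id = c.ancestor_id
    WHERE o.security_inherits_p = 1 AND o.context_id IS NOT NULL)
SELECT object_id, ancestor_id, n_generations FROM ctx;

-- (3)/(4) party hierarchy: a group expands to its members; a segment S expands to the
-- members that joined its group through the segment's rel_type R (exact match here)
CREATE VIEW party_approved_member_map AS
WITH RECURSIVE kind(rel_type, root) AS (
    SELECT rel_type, rel_type FROM acs_rel_types WHERE supertype IS NULL
    UNION ALL
    SELECT t.rel_type, k.root FROM acs_rel_types t JOIN kind k ON t.supertype = k.rel_type),
member_rels AS (
    SELECT r.* FROM acs_rels r JOIN kind k ON k.rel_type = r.rel_type
    WHERE k.root IN ('membership_rel', 'composition_rel'))
SELECT object_id AS party_id, object_id AS member_id FROM acs_objects
UNION SELECT object_id_one, object_id_two FROM member_rels
UNION SELECT s.segment_id, r.object_id_two FROM rel_segments s
      JOIN member_rels r ON r.object_id_one = s.group_id AND r.rel_type = s.rel_type;

-- privilege hierarchy: a grant of P' also grants every P included in P'
CREATE VIEW acs_privilege_descendant_map AS
WITH RECURSIVE d(privilege, descendant) AS (
    SELECT privilege, privilege FROM (SELECT privilege FROM acs_privilege_hierarchy
                                      UNION SELECT child_privilege FROM acs_privilege_hierarchy)
    UNION
    SELECT d.privilege, h.child_privilege FROM d JOIN acs_privilege_hierarchy h ON h.privilege = d.descendant)
SELECT privilege, descendant FROM d;

-- the consolidated view that the where clause in the post queries
CREATE VIEW acs_object_party_privilege_map AS
SELECT ci.object_id, m.member_id AS party_id, pd.descendant AS privilege
FROM acs_permissions p
JOIN acs_object_context_index ci ON ci.ancestor_id = p.object_id
JOIN party_approved_member_map m ON m.party_id = p.grantee_id
JOIN acs_privilege_descendant_map pd ON pd.privilege = p.privilege;
"""


def build_db():
    """Constructed sample data: users U=7 and 8, groups G=200 and G3=210, segment S=300
    over G for rel_type R, objects O2=50, O=100 (context O2, inherits), O3=101 (context
    O2, does not inherit) and O4=102."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO acs_objects VALUES (?,?,?)",
                   [(7, None, 1), (8, None, 1), (200, None, 1), (210, None, 1), (300, None, 1),
                    (50, None, 1), (100, 50, 1), (101, 50, 0), (102, None, 1)])
    db.executemany("INSERT INTO acs_rel_types VALUES (?,?)",
                   [("membership_rel", None), ("composition_rel", None),
                    ("project_member_rel", "membership_rel")])  # R, a subtype of membership_rel
    db.execute("INSERT INTO rel_segments VALUES (300, 200, 'project_member_rel')")  # S relates G with R
    db.executemany("INSERT INTO acs_privilege_hierarchy VALUES (?,?)",
                   [("admin", p) for p in ("read", "write", "delete", "approve")])
    db.executemany("INSERT INTO acs_permissions VALUES (?,?,?)", [
        (50, 7, "read"),        # (1) granted on O2; O inherits it through its context
        (100, 7, "write"),      # (2) direct grant on O
        (100, 210, "delete"),   # (3) granted to group G3
        (100, 300, "approve"),  # (4) granted to segment S
        (102, 7, "admin"),      # P' = admin on O4 includes write etc. via the hierarchy
    ])
    db.executemany("INSERT INTO acs_rels VALUES (?,?,?,?)", [
        (1, "membership_rel", 210, 7),      # U joins G3 with a plain membership_rel
        (2, "project_member_rel", 200, 7),  # U joins G with rel_type R, so U lands in S
        (3, "membership_rel", 200, 8),      # user 8 joins G without R: in G, not in S
    ])
    return db


def has_privilege(db, object_id, party_id, privilege):
    """The where-clause test from the post, run as a stand-alone query."""
    sql = """SELECT EXISTS (SELECT 1 FROM acs_object_party_privilege_map ppm
                            WHERE ppm.object_id = ? AND ppm.party_id = ? AND ppm.privilege = ?)"""
    return bool(db.execute(sql, (object_id, party_id, privilege)).fetchone()[0])


if __name__ == "__main__":
    db = build_db()
    for obj, party, priv in [(100, 7, "read"), (101, 7, "read"), (100, 7, "write"),
                             (100, 7, "delete"), (100, 7, "approve"), (100, 8, "approve")]:
        print(f"party {party} has {priv} on object {obj}: {has_privilege(db, obj, party, priv)}")
```

The point of the last two checks: user 8 is in G through a plain membership_rel, so G's members include 8, but the segment S only contains parties that joined G with rel_type R, so 8 gets nothing from the grant made to S. In this model that follows automatically because party_approved_member_map is recomputed on every query; in OpenACS the equivalent rows have to be inserted into the real table when the membership is created, which is the trigger path the post is asking about.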