Access Controls

This page explains the access control system used to determine various types of access to content in Docs.

The type of access (read, write, etc.) granted to a node is determined by the user's account role and the access controls that apply to that node. Default access controls apply to a node depending on its node type, and these defaults may be overridden by per-node access control settings.

For access of a requested type to be granted, users must possess the role required for that access. Roles are described in the section below.

The access control defaults for each node type are listed in the Node Types page. Per-node access control settings are specified using taxonomy terms (also known as tags) that are assigned to that node. These access control settings are described in a section further below.

If the above sounds confusing, unfortunately, security is not child's play. Please re-read these sections carefully, and refer to the examples at the end.

Roles

All users in Docs are assigned one or more roles. Users need to be logged in so that they can be identified, but even users who are not logged in will have the Anonymous role anyway.

Role            Description
Anonymous       Users who are not logged in.
Authenticated   Any user who is logged in.
TechStaff       SoC Technical Staff: Includes Technical Services, Workshop and System Programmers.
TechSvc         SoC Technical Services Staff.
NWOP            SoC Network Operations Staff.
SiteAdmin       Administrators of this site.

Note that users can have more than one role. E.g. a user with the TechStaff role can also have the TechSvc role (and obviously also the Authenticated role, since they will have to be logged in).

Access Control Settings

The following table describes the access control terms.

Read Access Term                    Role Required to Read
read:Public or Public-view          Anonymous, Authenticated
read:Users or Users-view            Authenticated
read:TechStaff or TechStaff-view    TechStaff
read:Systech                        Systech
read:NWOP                           NWOP
read:AppnStaff                      AppnStaff

The XXX-view terms in the above table refer to terms in the View Access for CF Content taxonomy vocabulary (i.e. these are the terms used in the CF page node type).

Write Access Term    Role Required to Write
write:Users          Authenticated
write:TechStaff      TechStaff
write:Systech        Systech
write:NWOP           NWOP
write:AppnStaff      AppnStaff
write:Admin          SiteAdmin

For CF page node types, there is no taxonomy vocabulary to implement per-node access control overrides for writing. Write access is controlled globally (writable by the TechStaff role), and will in future be subject to a moderation workflow.

File Attachments

Access control for file attachments depends on that of the node that they are attached to. In other words, only users who can read the node can also read the attachments attached to it.

Note: Images incorporated into the content of the node are always publicly accessible. In fact, any content that is incorporated into or linked from the node is always publicly accessible. The inherited access controls apply only to content that has been attached via the "File attachments" section of the "Edit" page.

Examples

To help understand the above concepts, here are some examples to illustrate how the access controls work.

Case 1

The current Computing Facility Homepage (https://docs.comp.nus.edu.sg/cf) has a node type CF Page. The CF Page node type by default is readable by all, writable only by TechStaff.

This means that anyone, including users who are not logged in, can view the node. Only SoC Technical Staff users can edit the node.

Now, suppose this node has the taxonomy term TechStaff-view applied to it.

The default access controls for viewing the CF Page node type are now overridden. Only SoC Technical Staff users can view this node. Edit access is also restricted to SoC Technical Staff users, because the default for edit access always applies for this node type.

Case 2

Let's consider a node of node type Default Page. This node type is, by default, readable by all, writable by all logged-in users.

This is typical of a collaborative wiki where the content is viewable by anyone (including users who are not logged in). Any user who is logged in is allowed to edit the node.

Now, suppose this node has the taxonomy terms read:Users and write:TechStaff applied to it.

The default access controls for the Default Page node type are now overridden. Only users who are logged in can view the node, and only SoC Technical Staff can edit the node.
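
The two cases above and the file attachment rule, worked through as an added Python model (an illustration written for this page, not code from this site or from Drupal). The names allowed, attachment_readable and NODE_TYPES are hypothetical, the defaults cover only the two node types used in the cases, and treating several terms of one kind as "any listed role is enough" is an assumption.

```python
# Model of the rules on this page (added illustration, not the site's code).
PUBLIC = {"Anonymous", "Authenticated"}
READ_TERMS = {  # term -> roles that satisfy it (read access table)
    "read:Public": PUBLIC, "Public-view": PUBLIC,
    "read:Users": {"Authenticated"}, "Users-view": {"Authenticated"},
    "read:TechStaff": {"TechStaff"}, "TechStaff-view": {"TechStaff"},
    "read:Systech": {"Systech"}, "read:NWOP": {"NWOP"},
    "read:AppnStaff": {"AppnStaff"},
}
WRITE_TERMS = {  # write access table
    "write:Users": {"Authenticated"}, "write:TechStaff": {"TechStaff"},
    "write:Systech": {"Systech"}, "write:NWOP": {"NWOP"},
    "write:AppnStaff": {"AppnStaff"}, "write:Admin": {"SiteAdmin"},
}
# Defaults for the two node types used in Cases 1 and 2 only.
# write_override=False: CF Page has no per-node override for writing.
NODE_TYPES = {
    "CF Page": {"read": "Public-view", "write": "write:TechStaff",
                "write_override": False},
    "Default Page": {"read": "read:Public", "write": "write:Users",
                     "write_override": True},
}

def allowed(node_type, node_terms, user_roles, access):
    """True if a user holding user_roles gets `access` ('read' or 'write')."""
    table = READ_TERMS if access == "read" else WRITE_TERMS
    defaults = NODE_TYPES[node_type]  # unknown node type raises: fail closed
    overrides = [t for t in node_terms if t in table]
    if access == "write" and not defaults["write_override"]:
        overrides = []  # per-node write terms have no effect on this type
    terms = overrides or [defaults[access]]
    # Assumption: with several terms of one kind, any listed role is enough.
    required = set().union(*(table[t] for t in terms))
    return bool(required & set(user_roles))

def attachment_readable(node_type, node_terms, user_roles,
                        via_file_attachments=True):
    """Files added under "File attachments" inherit the node's read access;
    images or files embedded or linked in the content are always public."""
    if not via_file_attachments:
        return True
    return allowed(node_type, node_terms, user_roles, "read")
```

A user who is not logged in is passed as {"Anonymous"}; a logged-in user always carries "Authenticated" alongside any staff roles.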

© Copyright 2001-2012 National University of Singapore. All Rights Reserved.

This page is dynamically generated by the Drupal CMS.