Groups , Roles and Users
These 3 entities are used to handle the security in the repository. Simply put, each node should have a group or role associated to its permissions. In the most basic form, permissions are applied in the form of Guests = Read only, Members = Modify, add and Coordinator= Full access. They can be applied more granularly but that should be only left to power users or administrators of the system and it (personal permissions) should be done in special cases or what your policy mandates. Permissions can be assigned in a hierarchy structure that allows more or less privileges. Every system I've seen did not take seriously roles until the modules for workflows gave or required users to define roles for the flows at hand, as many tasks in a given flow are more readable if we use roles than if we use a personÂs name or a group. Groups are important to organize people, and there should be a special type of group that holds other groups, but to prevent deadlock loops, we should limit it to 2-3 loops when the system is checking for permissions. Recursive groups can grow in complexity, that is why we need to but some safety measures to prevent the system from crashing or slowing down.
It's important to note that there needs to be some kind of synching between these groups and roles with a central directory or at least at the messanging level. Ideally pairing it with a directory services automatically will save you from some headaches.
There should be three sets of roles seen as pools of people that can be assigned to each object:
Owner Or Administrator.
To each of those we should be able to add any group, role, or user in a temporal or permanent basis. Temporal should be set for 1 day, or 1 week. , and permanent should be allowed only to the administrator. A report on this assigments should be available for review .
The permissions should be set by roles. This means that the administrator has full permissions, the member can add and modify objects into the place, and guest has read only priviledges. A special member can be created where permissions are set so that they can add documents, but they cannot modify any .