amy/venice-main-classic
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
e3717ca62c
venice-main-classic/doc/security-levels.html
Eric J. Bowersox dde12bdf2e THE GREAT RENAMING! All that was "SIG" should now be "community," except for 
the database and the URLs (for backward compatibility).  Do a full rebuild
after browsing this one!
2001-11-07 08:43:09 +00:00

181 lines
8.5 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Doc: Security Levels in Venice</TITLE>
</HEAD>
<BODY>
<H1>Security Levels in Venice</H1>
<EM>Eric J. Bowersox &lt;<A HREF="mailto:erbo@silcom.com">erbo@silcom.com</A>&gt; -
January 26, 2001</EM><P>
The security level system in Venice is based on a concept of "levels" represented by small 16-bit
integers. A number of different security "scope" values are defined, each with a "low band" and a
"high band" range of values, defined such that, for any scope level <EM>n</EM> (<EM>n</EM>&gt;=0),
the "low band" range for scope <EM>n</EM>+1 is immediately adjacent to, but greater than, the "low
band" range for scope <EM>n</EM>, and the "high band" range for scope <EM>n</EM>+1 is immediately
adjacent to, but less than, the "high band" range for scope <EM>n</EM>. A table of scopes and their
ranges will help visualize this:<P>
<TABLE BORDER=1>
<TR VALIGN=MIDDLE>
<TH ALIGN=LEFT><B>Scope Level</B></TH>
<TH ALIGN=LEFT><B>"Low Band" Range</B></TH>
<TH ALIGN=LEFT><B>"High Band" Range</B></TH>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>0</TD>
<TD ALIGN=LEFT>0-1999</TD>
<TD ALIGN=LEFT>63000-64999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>1</TD>
<TD ALIGN=LEFT>2000-3999</TD>
<TD ALIGN=LEFT>61000-62999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>2</TD>
<TD ALIGN=LEFT>4000-5999</TD>
<TD ALIGN=LEFT>59000-60999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>3</TD>
<TD ALIGN=LEFT>6000-7999</TD>
<TD ALIGN=LEFT>57000-58999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>4</TD>
<TD ALIGN=LEFT>8000-9999</TD>
<TD ALIGN=LEFT>55000-56999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>5</TD>
<TD ALIGN=LEFT>10000-11999</TD>
<TD ALIGN=LEFT>53000-54999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>6</TD>
<TD ALIGN=LEFT>12000-13999</TD>
<TD ALIGN=LEFT>51000-52999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>7</TD>
<TD ALIGN=LEFT>14000-15999</TD>
<TD ALIGN=LEFT>49000-50999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>8</TD>
<TD ALIGN=LEFT>16000-17999</TD>
<TD ALIGN=LEFT>47000-48999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>9</TD>
<TD ALIGN=LEFT>18000-19999</TD>
<TD ALIGN=LEFT>45000-46999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>10</TD>
<TD ALIGN=LEFT>20000-21999</TD>
<TD ALIGN=LEFT>43000-44999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>11</TD>
<TD ALIGN=LEFT>22000-23999</TD>
<TD ALIGN=LEFT>41000-42999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>12</TD>
<TD ALIGN=LEFT>24000-25999</TD>
<TD ALIGN=LEFT>39000-40999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>13</TD>
<TD ALIGN=LEFT>26000-27999</TD>
<TD ALIGN=LEFT>37000-38999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>14</TD>
<TD ALIGN=LEFT>28000-29999</TD>
<TD ALIGN=LEFT>35000-36999</TD>
</TR>
<TR VALIGN=MIDDLE>
<TD ALIGN=LEFT>15</TD>
<TD ALIGN=LEFT>30000-31999</TD>
<TD ALIGN=LEFT>33000-34999</TD>
</TR>
</TABLE>
Within each scope level, a "low band" security level refers to an ordinary user at that scope, and a
"high band" security level refers to someone who exercises administrative control over that scope
(and therefore all scopes greater than or "inside" it). Objects which are logically "enclosed" by
other objects have a higher scope value; for instance, a conference would have a higher scope value
than a community, which in turn would have a higher scope value than 0 (the "global" scope).<P>
The values 65000-65535 are not used, except that the value 65500 is defined as "no access" (something
not even the global system administrator can touch). Neither are the values 32000-32999, except that
the value 32500 is defined as "unrestricted user" (lying above the low bands of all scopes but below
the high bands of any of them).<P>
Within the "global scope" (scope 0), the following values are defined:
<UL>
<LI>100 - User that has not logged in ("Anonymous Honyak")</LI>
<LI>500 - User that has logged in, but email address is unverified</LI>
<LI>1000 - User logged in and verified (normal user level)</LI>
<LI>64000 - Assistant administrator accounts ("PFY" level)</LI>
<LI>64999 - Global system administrator ("BOFH" level)</LI>
</UL><P>
Communities use the scope level 3; the following values are defined within that scope:
<UL>
<LI>6500 - Community member</LI>
<LI>58000 - Community co-host</LI>
<LI>58500 - Community host</LI>
</UL><P>
Within communities, conferences use scope 6; the following values are defined within that scope:
<UL>
<LI>12500 - Conference member (for private conferences)</LI>
<LI>52500 - Conference host</LI>
</UL><P>
Each user has a "base access" level, within scope 0, that is stored in the "users" table. Each community
has four defined access levels associated with it:
<UL>
<LI><B>Read level</B> - minimum access level required to read the community's data. This is commonly
6500 (must be a member) but may be lower for special cases.</LI>
<LI><B>Write level</B> - minimum access level required to write the community's data. Since this
refers to the community itself, this is commonly 58000 (hosts/co-hosts only)</LI>
<LI><B>Create level</B> - minimum access level required to create new objects in the community.
Typically 58000 (hosts/co-hosts only).</LI>
<LI><B>Delete level</B> - minimum access level required to delete the community. Typically 58500 (host
only).</LI>
</UL><P>
The "sigmember" table maps UIDs to community IDs, adding a "granted level" field that specifies a given
user's access level within the community itself. (If a user already has a higher access level than the
"granted" access level, as in the case of the global sysadmin, the higher level takes precedence.) Note
that this level grant is within the context of <EM>that community only,</EM> and does not affect access
privileges to any other community.<P>
Each conference has seven defined access levels associated with it:
<UL>
<LI><B>Read level</B> - minimum access level required to read the posts. Commonly 6500 (member of
community) for public confs, 12500 (conference member) for private confs.</LI>
<LI><B>Post level</B> - minimum access level required to post new messages. Commonly 6500 (member of
community) for public confs, 12500 (member of conference) for private confs.</LI>
<LI><B>Create level</B> - minimum access level required to create new topics. Commonly 6500 (member
of community) for public confs, 12500 (member of conference) for private confs.</LI>
<LI><B>Hide level</B> - minimum access level required to archive topics, or hide posts of which you
are not the owner. Commonly 52500 (conference hosts only).</LI>
<LI><B>Nuke level</B> - minimum access level required to scribble posts of which you are not the
owner, to nuke posts, or to delete topics. Commonly 52500 (conference hosts only).</LI>
<LI><B>Change level</B> - minimum access level required to change the conference's profile or
membership list. Commonly 52500 (conference hosts only).</LI>
<LI><B>Delete level</B> - minimum access level required to delete the conference. Commonly 58000
(hosts/cohosts of the enclosing community only).</LI>
</UL><P>
As with communities, there is a "confmember" table that maps UIDs to CONFIDs, adding a "granted level"
field that grants additional access privileges. (There is also a field in the table that maps
conferences into communities that allows a community to grant its users additional privileges within a
conference. Normally, this field is 0, and so it "drops out" of the calculation of access levels.) Note
that, if a user has no membership entry for a conference, the entry for the conference's enclosing
community takes precedence, or the base level if there is no entry in any enclosing community. Also
note that a grant of level for a conference or community only applies with respect to <EM>that</EM>
conference or community, not any other.<P>
Additional scopes and levels will be defined for additional objects as they are added to Venice.<P>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink