Group
A group is an entity through which rights are defined for users. A user can belong to several groups and inherits the rights granted to them.
Easydb automatically creates some “system groups”. See below for a description.
There are different formats to present a group: full, short and short search.
Full format
This format is used by /api/group and contains all attributes that can be set for a group.
It is intended for administrators and is managed by the right bag_write.
Name | Description |
---|---|
_basetype | Name of the base type (string, r): group |
_owner | Owner of this group (group (short) or user (short), rw): see below |
_acl | ACL (array of acl entries, rw, optional) |
_system_rights | System rights (rights specification, rw, optional) |
_has_acl | Whether this group has a non-empty ACL (boolean, r) |
_generated_rights | Rights that the session user has for the group (rights specification): bag_read, bag_write, bag_delete |
_automatic_auth | Information about the source of this group link. Only available in the _groups list in user records, read-only |
↦ type | Authentication type of the group link source, something like sso or ldap (string, r) |
↦ timestamp | Time of authentication, when the group was linked to the user (timestamp, r) |
_auth_method_group_maps | Configuration for mapping groups when using single sign-on (optional) |
↦ <type-1> | - for each type (for example “sso”), an array of mappings can be defined |
↦ <type-2> | - each element contains a method (“eq” or “regexp”) and a value |
↦ … | - the order is relevant: the first match is used |
_ipv4_subnet_filter | IPv4 subnet filter for the group (array of strings, rw, optional, non-system groups only). When set, a group associated with the user is only valid in the session when at least one of the given subnets matches the IPv4 address of the client during authentication. Examples: 127.0.0.0/8, 203.0.113.42/32 |
group | Group attributes: |
↦ _id | Group ID (integer, unique, r*) |
↦ _version | Group version (integer, rw) |
↦ type | Group type (text, rw, optional): “easydb” (default), “system” or any text beginning with “custom-” (see “Group types” below) |
↦ name | Name (string, unique, rw): name of the group (not writable for “system” groups) |
↦ displayname | Name used to display the group (l10n, unique) |
↦ comment | Comment (text, rw) |
↦ frontend_prefs | Extra properties that the frontend can set and retrieve (object, optional, rw) |
↦ authorization_info | Extra information required for authorization purposes (string, optional, rw) |
↦ reference | Group reference (string, unique, optional, rw): can be used for lookups for _id |
↦ created_timestamp | Timestamp of creation of this group (timestamp, r) |
↦ last_updated_timestamp | Timestamp of the last update of this group (timestamp, r) |
Remarks:
_id has to be set for POST operations to identify the object.
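The _ipv4_subnet_filter rule from the table above, as an added example (not easydb code): it previews which of a user's groups stay valid for a given client address and audits the filter entries themselves. The function names and sample records are constructed for illustration; treating entries with host bits set as invalid, and an empty array as "not set", are assumptions of this example, since the page does not specify either.

```python
import ipaddress

# Constructed sample records in the full format (not real data).
SAMPLE_GROUPS = [
    {"group": {"_id": 10, "name": "editors", "type": "easydb"},
     "_ipv4_subnet_filter": ["127.0.0.0/8", "203.0.113.42/32"]},
    {"group": {"_id": 11, "name": "readers", "type": "easydb"}},
    {"group": {"_id": 12, "name": "partners", "type": "custom-partner"},
     "_ipv4_subnet_filter": ["198.51.100.0/24", "not-a-subnet"]},
]

def parse_filter(entries):
    """Split filter strings into valid IPv4 networks and rejected strings."""
    nets, bad = [], []
    for entry in entries:
        try:
            # Assumption of this example: host bits set (10.0.0.1/8) is an error.
            nets.append(ipaddress.IPv4Network(entry, strict=True))
        except ValueError:
            bad.append(entry)
    return nets, bad

def groups_valid_for(client_ip, groups):
    """Names of the groups that stay valid for a session from client_ip."""
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ValueError:
        addr = None  # not an IPv4 address (e.g. IPv6): no subnet can match
    valid = []
    for rec in groups:
        entries = rec.get("_ipv4_subnet_filter")
        if not entries:  # assumption: missing or empty means "not set"
            valid.append(rec["group"]["name"])
            continue
        nets, _ = parse_filter(entries)
        if addr is not None and any(addr in net for net in nets):
            valid.append(rec["group"]["name"])
    return valid

def audit_filters(groups):
    """Flag entries that are malformed, match every address, or sit on a system group."""
    findings = []
    for rec in groups:
        name, gtype = rec["group"]["name"], rec["group"].get("type", "easydb")
        nets, bad = parse_filter(rec.get("_ipv4_subnet_filter") or [])
        findings += [(name, "invalid", b) for b in bad]
        findings += [(name, "matches-all", str(n)) for n in nets if n.prefixlen == 0]
        if gtype == "system" and (nets or bad):
            findings.append((name, "filter-on-system-group", None))
    return findings
```

Running audit_filters over exported group records before rollout catches a typo in a subnet string, which would otherwise silently lock the group out for every client.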
Short format
This is a short format that is used by some calls. It is used to set and retrieve groups, for example the owner of a collection or the groups a user belongs to.
If the attribute referencing this group is marked as writable, group._id is writable. The other fields are read-only.
It contains the following attributes:
Name | |
---|---|
_basetype | |
group | |
↦ _id | |
↦ _displayname | |
↦ type | |
↦ name | |
Short search format
The column “Search” specifies the search type that can be used (see /api/search).
Name | Search |
---|---|
_basetype | |
group | |
↦ _id | Number |
↦ _version | Number |
↦ displayname | L10n (all) |
↦ comment | |
↦ type | NotAnalyzed |
↦ name | NotAnalyzed |
Owner
The group always has an owner. On creation, the server automatically sets it to the group’s creator. The API accepts the owner being set explicitly to that value, but returns an error if it is set to something different. The owner cannot be set to null but can always be left out, meaning that it should not be changed.
System groups have the system user “root” as owner.
Group types
System groups are created automatically and cannot be deleted:
Name | |
---|---|
:all | All users. |
:non_system | All users, except for the system users root, oai_pmh and deep_link (see User types). |
:internet_connection | User is connected through internet channels. |
:intranet_connection | User is connected through safer intranet channels. |
:authenticated | User is authenticated. |
:easydb | Regular users. |
:email | User who was invited by e-mail (by collection sharing or e-mail transport of an export). |
:collection | User is a pseudo user, allowed to see one or more collections. |
:anonymous | Anonymous users. |
:easydb-self-register | Self-registered users. |
:fallback | Fallback owner for (base) objects that have lost their owner (the owner was deleted). |
:sso | Users authenticated using single sign-on. |
These groups cannot be assigned to users directly. They are assigned dynamically by the server.
Regular groups are created by the user. Their default type is “easydb”, but the user is allowed to create custom types, which begin with “custom-”.