
Group

A group is an entity that allows rights to be defined for users. A user can belong to several groups and inherits the rights granted to them.

Easydb automatically creates some “system groups”. See below for a description.

There are different formats to present a group: full, short and short search.

Full format

This format is used by /api/group and contains all attributes that can be set for a group. It is intended for administrators and is managed by the right bag_write.

Name Description
_basetype Name of the base type (string, r): group
_owner Owner of this group (group (short) or user (short), rw): see below
_acl ACL (array of acl entries, rw, optional)
_system_rights System rights (rights specification, rw, optional)
_has_acl Whether this group has a non-empty ACL (boolean, r)
_generated_rights Rights that the session user has for the group (rights specification): bag_read, bag_write, bag_delete
_automatic_auth Information about the source of this group link. Only available in the _groups list in user records, read-only
type Authentication type of the group link source, something like sso or ldap (string, r)
timestamp Time of authentication, when the group was linked to the user (timestamp, r)
_auth_method_group_maps Configuration for mapping groups when using single-sign-on (optional)
<type-1> - for each type (for example “sso”), an array of mappings can be defined
<type-2> - each element contains a method (“eq” or “regexp”) and a value
↦ … - the order is relevant: the first match is used
_ipv4_subnet_filter IPv4 subnet filter for group (array of strings, rw, optional, non-system groups only). When set, a group associated to the user is only valid in session when at least one of the subnets given matches the IPv4 address of the client during authentication. Examples: 127.0.0.0/8, 203.0.113.42/32
group Group attributes:
_id Group ID (integer, unique, r*)
_version Group version (integer, rw)
type Group type (text, rw, optional): “easydb” (default), “system” or any text beginning with “custom-” (see “Group types” below)
name Name (string, unique, rw): name of the group (not writable for “system” groups)
displayname Name used to display the group (l10n, unique)
comment Comment (text, rw)
frontend_prefs Extra properties that the frontend can set and retrieve (object, optional, rw)
authorization_info Extra information required for authorization purposes (string, optional, rw)
reference Group reference (string, unique, optional, rw): can be used for lookups for _id
created_timestamp Timestamp of creation of this group (timestamp, r)
last_updated_timestamp Timestamp of the last update of this group (timestamp, r)
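
The _ipv4_subnet_filter rule from the table above, as an added example that is not easydb code or part of the original documentation: it shows which groups stay valid for a client address and flags filter entries worth reviewing. The function names, the sample records and the handling of malformed entries and non-IPv4 clients are assumptions.

```python
import ipaddress

def filter_allows(subnets, client_ip):
    """True if a group with this _ipv4_subnet_filter is valid for client_ip."""
    if not subnets:                      # filter unset or empty: no restriction
        return True
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ValueError:                   # assumption: a non-IPv4 client never matches
        return False
    for cidr in subnets:
        try:                             # assumption: host bits are ignored when matching
            net = ipaddress.IPv4Network(cidr, strict=False)
        except ValueError:               # assumption: a malformed entry never matches
            continue
        if addr in net:                  # one matching subnet is enough
            return True
    return False

def valid_group_names(groups, client_ip):
    """Names of the groups that stay valid for a session from client_ip."""
    return [g["group"]["name"] for g in groups
            if filter_allows(g.get("_ipv4_subnet_filter"), client_ip)]

def audit_filters(groups):
    """Flag filter entries an administrator should review."""
    findings = []
    for g in groups:
        name = g["group"]["name"]
        for cidr in g.get("_ipv4_subnet_filter") or []:
            try:
                net = ipaddress.IPv4Network(cidr, strict=True)
            except ValueError:
                findings.append((name, cidr, "malformed or host bits set"))
                continue
            if net.prefixlen == 0:       # a /0 entry makes the filter a no-op
                findings.append((name, cidr, "matches every IPv4 address"))
    return findings

# Constructed sample records in the full format (not real data).
GROUPS = [
    {"_basetype": "group", "group": {"_id": 10, "name": "editors"},
     "_ipv4_subnet_filter": ["127.0.0.0/8", "203.0.113.42/32"]},
    {"_basetype": "group", "group": {"_id": 11, "name": "readers"}},
    {"_basetype": "group", "group": {"_id": 12, "name": "admins"},
     "_ipv4_subnet_filter": ["192.0.2.7/24"]},
    {"_basetype": "group", "group": {"_id": 13, "name": "guests"},
     "_ipv4_subnet_filter": ["0.0.0.0/0"]},
]
```

A /32 entry such as 203.0.113.42/32 admits exactly one address, so the neighbouring 203.0.113.43 loses the "editors" group while the unfiltered "readers" group is unaffected.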

Remarks:

Short format

This is a short format that is used by some calls. It allows groups to be set and retrieved, for example as the owner of a collection or as the groups a user belongs to. If the attribute referencing this group is marked as writable, group._id is writable. The other fields are read-only.

It contains the following attributes:

Name
_basetype
group
_id
_displayname
type
name

Short search format

The column “Search” specifies the search type that can be used (see /api/search).

Name Search
_basetype
group
_id Number
_version Number
displayname L10n (all)
comment
type NotAnalyzed
name NotAnalyzed

Owner

The group always has an owner. On creation, the server sets it automatically to the group’s creator; the API won’t complain if it is set explicitly, but it will return an error if it is set to something different. The owner cannot be set to null but can always be left out, meaning that it should not be changed.

System groups have the system user “root” as owner.

Group types

System groups are created automatically and cannot be deleted:

Name Description
:all All users.
:non_system All users, except for the system users root, oai_pmh and deep_link (see User types).
:internet_connection User is connected through internet channels.
:intranet_connection User is connected through safer intranet channels.
:authenticated User is authenticated.
:easydb Regular users.
:email User who was invited by e-mail (by collection sharing or e-mail transport of an export).
:collection User is a pseudo user, allowed to see one or more collections.
:anonymous Anonymous users.
:easydb-self-register Self-registered users.
:fallback Fallback owner for (base) objects that have lost their owner (the owner was deleted).
:sso Users authenticated using single-sign-on.

These groups cannot be assigned to users directly. They are assigned dynamically by the server.

Regular groups are created by the user. Their default type is “easydb”, but the user is allowed to create custom types, which begin with “custom-”.