Object level permission (OLP) is an access-control model that controls permissions on objects of aiWARE instances. In aiWARE, all applications share the same OLP model.
How OLP works
Groups give users a simple mechanism for granting access to data objects. Groups can be created, deleted, and modified, and so can the permissions associated with a group.
A group contains users that share the same permissions. A permission set contains the functional permissions that a user is granted on an object when the user is a member of a group that is associated with that permission set for that object.
For OLP, two initial organization-wide groups are created by default:
| Group | Description | Permission set | User accounts |
|---|---|---|---|
| Org_Name administrators | Contains the administrators of this organization; this group cannot be removed. | aiWARE administrator | User accounts with administrator roles are added to the administrator group of the default organization. |
| Org_Name users | Contains all users of this organization, including administrators. | aiWARE full access | All users are added to the users group, including admins. |
where Org_Name is the organization name.
Which objects are protected
In an aiWARE instance, the following objects are securable:
- Organizations
- Folders
- Temporal Data Objects (TDO)
These objects can be independently secured with an access-control list (ACL). An ACL consists of access-control entries (ACE), where each entry is a combination of a group, an object, and a permission set.
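The following is an added illustration (example code written for this page, not part of aiWARE or its API) of the model described in "How OLP works" and in the ACL description above: groups hold users, a permission set names the functional permissions, and each ACE binds a group, an object and a permission set. The organization name "Acme", the users, the "Reviewers" group, the "read only" permission set, the object identifiers, and the individual functional permissions inside each set are all constructed for the example. Two evaluation rules are also assumptions, since the page does not state them: a user who holds no ACE on an object gets no permissions (default deny), and when several ACEs apply to the same user and object their permissions are combined.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Permission sets: a named set of functional permissions. The two aiWARE set names
# come from the page; the functional permissions listed inside them and the
# "read only" set are constructed for this example.
PERMISSION_SETS: dict[str, frozenset[str]] = {
    "aiWARE full access": frozenset({"read", "update", "delete"}),
    "aiWARE administrator": frozenset({"read", "update", "delete", "manage_permissions"}),
    "read only": frozenset({"read"}),
}


@dataclass(frozen=True)
class ACE:
    """Access-control entry: a group, an object, and a permission set."""
    group: str
    obj: str
    permission_set: str


@dataclass
class Organization:
    """An organization owns a set of groups and an ACL (a list of ACEs)."""
    name: str
    groups: dict[str, set[str]] = field(default_factory=dict)  # group name -> user ids
    acl: list[ACE] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The two default organization-wide groups described on the page.
        self.groups.setdefault(f"{self.name} administrators", set())
        self.groups.setdefault(f"{self.name} users", set())

    def add_user(self, user: str, admin: bool = False) -> None:
        # Every user joins the users group; administrators also join the admin group.
        self.groups[f"{self.name} users"].add(user)
        if admin:
            self.groups[f"{self.name} administrators"].add(user)

    def grant(self, group: str, obj: str, permission_set: str) -> None:
        # Reject unknown groups or permission sets rather than silently creating them.
        if group not in self.groups:
            raise KeyError(f"unknown group: {group}")
        if permission_set not in PERMISSION_SETS:
            raise KeyError(f"unknown permission set: {permission_set}")
        self.acl.append(ACE(group, obj, permission_set))

    def effective_permissions(self, user: str, obj: str) -> frozenset[str]:
        # Assumption: permissions from all matching ACEs are combined; with no
        # matching ACE the result is empty (default deny).
        perms: set[str] = set()
        for ace in self.acl:
            if ace.obj == obj and user in self.groups.get(ace.group, set()):
                perms |= PERMISSION_SETS[ace.permission_set]
        return frozenset(perms)

    def is_allowed(self, user: str, obj: str, permission: str) -> bool:
        return permission in self.effective_permissions(user, obj)


def build_demo() -> Organization:
    """Constructed sample organization: one admin, two users, one custom group."""
    org = Organization("Acme")
    org.add_user("alice", admin=True)
    org.add_user("bob")
    org.add_user("carol")
    org.groups["Reviewers"] = {"carol"}
    # ACL on a folder and on a TDO (object identifiers are constructed).
    org.grant("Acme administrators", "folder:Investigations", "aiWARE administrator")
    org.grant("Acme users", "folder:Investigations", "aiWARE full access")
    org.grant("Reviewers", "tdo:42", "read only")
    return org


if __name__ == "__main__":
    org = build_demo()
    for user in ("alice", "bob", "carol"):
        for obj in ("folder:Investigations", "tdo:42"):
            print(user, obj, sorted(org.effective_permissions(user, obj)))
```

Running the block prints, per user and object, the permissions that result from group membership: alice gains `manage_permissions` on the folder only through the administrators group, bob and carol get full access on the folder through the users group, and only carol (via "Reviewers") sees the TDO, for which bob has no ACE at all.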
Terminology
This documentation uses the following terminology.
| Term | Definition |
|---|---|
| ACE (Access-control entry) | The combination of a group, an object, and the permission set that members of the group can use on that object. |
| ACL (Access-control list) | A collection of ACEs. |
| Functional permission | A single permission, for example, read. |
| Group | An object that contains user accounts as its members. |
| Object | The object that is being controlled (secured). |
| OLP (Object level permission) | An access-control model that allows users to control who can access which objects, how, and when. |
| Organization | An object that contains a set of groups. |
| Permission set | A named set of functional permissions. |
| User | A user account, when referred to in the context of permissions. |
| System control | The feature that assigns permission sets to objects. |