Users, roles and groups inheritance
In Pydio Cells, the major IDM objects are linked to a role: a user has its own role, a group has its own role, and the administrator can define roles as needed.
A user is always part of a group, either the root group or a subgroup defined in the interface. Groups are a way to hierarchically organise users, and a user can only belong to one group. On the other hand, admin roles can be applied to any user, and a user can be assigned any number of roles. In that sense, roles are closer to AD/LDAP groups.
At run time, these roles are sequentially traversed to define the actual permissions of a user, as described below:
- Apply all permissions inherited from the user groups
- Apply all admin roles applied to this user
- Finally apply the user-specific role.
Permissions can be of 3 types:
- ACLs (see below)
- Parameter values: frontend plugin parameters can have their default values overridden by a given role
- Actions enable/disable: frontend plugin actions can be dynamically enabled/disabled by a given role.
These permissions are applied at various workspace “scopes”: they can be applied to all workspaces, only shared workspaces (cells), or to only one specific workspace.
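The traversal order described above, as an added Go example (not Pydio Cells code): it merges action toggles from group roles, admin roles and the user role, and records which role set each effective value, which is what you need when auditing why a user ends up with a given permission. The types, scope labels and role names are constructed, and it assumes that a later role overrides an earlier one for the same key and that group roles are applied root first.

```go
package main

import "fmt"

// Key identifies one action toggle within a workspace scope.
// Scope labels used below are constructed, not Pydio Cells identifiers.
type Key struct{ Scope, Action string }

// Role is a simplified stand-in for a role: a name plus action toggles.
type Role struct {
	Name    string
	Actions map[Key]bool
}

// Decision is the effective value and the role that set it last.
type Decision struct {
	Enabled bool
	From    string
}

// Resolve walks roles in the documented order: group roles, then admin
// roles, then the user-specific role.
// Assumptions: groups are passed root first, and a later role overrides
// an earlier one for the same key.
func Resolve(groups, admin []Role, user Role) map[Key]Decision {
	ordered := append(append(append([]Role{}, groups...), admin...), user)
	out := map[Key]Decision{}
	for _, r := range ordered {
		for k, v := range r.Actions {
			out[k] = Decision{Enabled: v, From: r.Name}
		}
	}
	return out
}

func main() {
	share := Key{"all-workspaces", "share"}
	del := Key{"workspace:finance", "delete"}
	groups := []Role{ // constructed sample data
		{"group:/", map[Key]bool{share: true, del: true}},
		{"group:/contractors", map[Key]bool{share: false}},
	}
	admin := []Role{{"role:finance-editors", map[Key]bool{del: true}}}
	user := Role{"user:alice", map[Key]bool{del: false}}
	for k, d := range Resolve(groups, admin, user) {
		fmt.Printf("%s/%s = %v (set by %s)\n", k.Scope, k.Action, d.Enabled, d.From)
	}
}
```

In the sample, the subgroup disables sharing that the root group enabled, and the user-specific role has the last word on `delete` even though an admin role enabled it.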