-
Notifications
You must be signed in to change notification settings - Fork 149
Permissions
When designing the permission system for RatticDB we wanted it to be simple and easy to figure out. There were a few defining rules. I would however like to stress that these rules are completely open for discussion.
-
No read only access. People have access to the credentials, meaning they could potentially change them on the other end and not be able to update the database. Additionally some systems force you to change your password after a particular time. This could potentially mean that a user cannot possibly sync the database.
-
Simple. Groups that can be in groups, roles based access, access lists, and other complex authorisation themes increase the complexity of the solution, making it harder to understand who actually has access to what. Additionally the complexity of implementing these solutions make it possible for more bugs to appear.
The permission system in RatticDB works as follows:
-
Users can belong to many groups.
-
Credentials must belong to one single group.
-
Groups can have many members.
-
Only admins can create groups.
-
Users can fully access any credential that is in any of the groups they are in. This means they can also move it to another group they are also in.
-
Users can add new credentials to any group they are in.
-
Permissions applied to the latest version of a credential affect it, and all historical versions of that credential. So people who have access now can see all historical versions, and people who do not have access cannot see any version, even those they used to be able to see.
-
Tags do not have any effect on permissions; they are for organisation only.