- Each user in TisGraph is assigned to exactly one user group
- A number of security contexts exist (they might, for example, correspond to different departments)
- Each category in the document tree is assigned to exactly one security context, which takes effect for all documents in that category
- Each user group has read and write privileges for a custom set of security contexts; this set of privileges takes effect for all users in that user group
- What privilege does user U have on document D?
- Document D is in category C
- Category C has security context K
- User U is assigned to a user group that provides a read privilege for security context K
- Thus, user U may read that document, but not write to it.
The set of security contexts cannot currently be managed through the GUI.
The security context of a category can be defined using the corresponding field in the category properties. That context takes effect for all documents in that category.
Users log in using a Wiski user. On first login, a user is automatically assigned to a configurable default user group. Usually, that user group has rather limited privileges.
The administrator can change the assignment of users to user groups using the following dialog (reachable via Administration ---> Users). Using the Delete button (below Actions), a user can be removed from the system if needed.
Using the following dialog (reachable via Administration ---> User Groups), the administrator can create, rename or delete user groups.
Using the following dialog (reachable via Administration ---> Privileges), the administrator can grant privileges to user groups, or revoke them. For each security context, either no permission, a read permission, or a write permission can be granted. This can be done using the buttons on the right side of the list. The selection window for adding or removing privileges is already filtered: when adding, it lists only privileges that have not yet been granted; when removing, only existing and thus revocable privileges.
If, given their user group, a user has only read permission for a document, TisGraph automatically switches to a read-only mode when opening that document. This means:
- The navigation bar at the top is usable, in particular the time range of interest can be adapted
- The tools at the right are mostly deactivated; only the tools for data inspection and for changing the currently displayed portion of the drawing area remain active
- Document properties can be viewed, but not changed
Furthermore, the document tree and the tag tree display only categories and documents for which a read permission actually exists.
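
The resolution chain described on this page (user, user group, security context, category, document), together with the read-only decision and the tree filtering, can be sketched as follows. This is an added example, not TisGraph's own code: the class, method, and group names are hypothetical, and it assumes that a write privilege includes read access and that any missing assignment means no access.

```python
from enum import IntEnum

class Privilege(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2  # assumption: a write privilege includes read access

class AccessModel:
    """Hypothetical in-memory model of the rules described on this page."""
    def __init__(self, default_group):
        self.default_group = default_group  # group assigned on first login
        self.user_group = {}         # user -> exactly one user group
        self.category_context = {}   # category -> exactly one security context
        self.document_category = {}  # document -> category
        self.grants = {}             # (user group, context) -> Privilege

    def login(self, user):
        # First login: the user lands in the configurable default group.
        return self.user_group.setdefault(user, self.default_group)

    def privilege(self, user, document):
        group = self.user_group.get(user)
        category = self.document_category.get(document)
        context = self.category_context.get(category)
        # Assumption: a missing link anywhere in the chain means no access.
        return self.grants.get((group, context), Privilege.NONE)

    def opens_read_only(self, user, document):
        # Read-only mode applies when the user has read but not write.
        return self.privilege(user, document) == Privilege.READ

    def visible_documents(self, user):
        # The trees list only documents for which a read permission exists.
        return sorted(d for d in self.document_category
                      if self.privilege(user, d) >= Privilege.READ)

def build_sample():
    # Constructed sample data following the U / D / C / K example above.
    m = AccessModel(default_group="guests")
    m.category_context.update({"C": "K", "C2": "K2"})
    m.document_category.update({"D": "C", "D2": "C2"})
    m.grants[("guests", "K")] = Privilege.READ
    m.grants[("editors", "K")] = Privilege.WRITE
    m.grants[("editors", "K2")] = Privilege.READ
    m.login("U")                      # stays in the default group
    m.login("V")
    m.user_group["V"] = "editors"     # administrator reassigns V
    return m

if __name__ == "__main__":
    model = build_sample()
    print(model.privilege("U", "D").name, model.visible_documents("U"))
```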