Access Control Overview

Codatum has a simple yet powerful role-based access control system.

Users can hold roles, such as Viewer or Editor, for a workspace or individual resources (like Notebooks or Connections). Authorizations for various operations are determined based on the combination of roles a user holds.

Terminology

  • User

    • An account belonging to a Workspace.

  • Group

    • A group of users that can be managed together and granted multiple Resource roles at once.

  • Resource

    • An object within Codatum, of one of several types, to which roles and operations can be linked.

    • Example: notebook, connection, teamspace, etc.

  • Operation

    • Various actions that can either be linked to individual resources or to the workspace as a whole.

    • Example: Inviting users, Editing a notebook, etc.

  • Role

    • Workspace roles

      • A role assigned to a user within the Workspace (required for every user). Determines the permissions for workspace-level operations.

      • Example: Workspace.Owner → Determines the permissions for managing workspace settings and inviting new members.

    • Resource roles

      • A role linked to individual resources. Can be assigned to groups or individual users.

      • Example: notebook.Viewer → Determines the permissions for viewing operations on the notebook.

  • Permission

    • An assignment of a Workspace role or Resource role to a user or group. It grants authorization to perform the operations linked to that workspace or resource.

Access Control Rule Basics

Access rights are determined by the combination of roles a user holds, following a defined calculation method.

  • Roles are hierarchical: if a lower role grants an access right, every higher role in the same hierarchy grants it as well.

  • For an operation linked to a resource, both the Workspace role and a Resource role must allow it (evaluated with logical AND). Neither role alone is sufficient.

  • If a user holds multiple Resource roles for the same resource, whether assigned directly or through groups, the operation is permitted if any one of those Resource roles allows it (evaluated with logical OR).

Below is a conceptual diagram illustrating these principles.

This diagram illustrates the pattern with an operation linked to a specific resource A.

There is also a pattern with an operation linked solely to the workspace, and not to any specific resource. This pattern is simple, as shown below:

In this pattern, access rights are determined solely by the Workspace role; no Resource role is consulted.
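The following is an added worked example of the evaluation rules above (hierarchy, AND between Workspace and Resource roles, OR across multiple Resource roles, and the workspace-only pattern). It is not Codatum's own code. Apart from Workspace.Owner and notebook.Viewer, the role names, the ordering of the hierarchies, the operation table and the sample users and grants are assumptions constructed for the example.

```python
"""Worked evaluation of the access-control rules described above.

Added illustration, not Codatum's own code.  Role names other than
Workspace.Owner and notebook.Viewer, the hierarchies, the operation
table and the sample data below are assumptions for the example.
"""
from dataclasses import dataclass, field

# Hierarchies from lowest to highest rank (assumed, apart from Owner/Viewer).
WORKSPACE_ROLES = ["Guest", "Member", "Admin", "Owner"]
RESOURCE_ROLES = ["Viewer", "Editor", "Owner"]

# Each operation names the minimum Workspace role it needs and, for
# resource-linked operations, the minimum Resource role.  A resource
# requirement of None marks a workspace-only operation (assumed table).
OPERATIONS = {
    "workspace.invite_user": ("Owner", None),
    "notebook.view": ("Guest", "Viewer"),
    "notebook.edit": ("Member", "Editor"),
}


@dataclass
class User:
    name: str
    workspace_role: str                     # required for every user
    groups: set = field(default_factory=set)


def at_least(held: str, required: str, hierarchy: list) -> bool:
    """Hierarchy rule: a higher role has every right of a lower one.

    An unknown role name raises ValueError, so evaluation fails closed
    instead of silently granting access.
    """
    return hierarchy.index(held) >= hierarchy.index(required)


def resource_roles(user: User, resource: str, grants: dict) -> list:
    """All Resource roles the user holds on `resource`, directly or via groups."""
    principals = {("user", user.name)} | {("group", g) for g in user.groups}
    return [role for principal, role in grants.get(resource, {}).items()
            if principal in principals]


def is_allowed(user: User, operation: str, grants: dict, resource: str = None) -> bool:
    ws_required, res_required = OPERATIONS[operation]
    ws_ok = at_least(user.workspace_role, ws_required, WORKSPACE_ROLES)
    if res_required is None:
        return ws_ok                        # workspace-only pattern
    # OR across every Resource role held on this resource ...
    res_ok = any(at_least(r, res_required, RESOURCE_ROLES)
                 for r in resource_roles(user, resource, grants))
    # ... AND the Workspace role must allow it too.
    return ws_ok and res_ok


# Constructed sample data: grants[resource][(kind, name)] = role
GRANTS = {
    "notebook:sales-q3": {
        ("user", "alice"): "Viewer",        # direct assignment
        ("group", "analysts"): "Editor",    # assignment through a group
    },
}
ALICE = User("alice", "Member", {"analysts"})
BOB = User("bob", "Guest", {"analysts"})
CARL = User("carl", "Owner")


def demo() -> dict:
    nb = "notebook:sales-q3"
    return {
        # Viewer directly, Editor via group: OR picks Editor, Member passes AND.
        "alice_edits": is_allowed(ALICE, "notebook.edit", GRANTS, nb),
        # Editor via group is enough to view.
        "bob_views": is_allowed(BOB, "notebook.view", GRANTS, nb),
        # Editor via group, but the Guest Workspace role fails the AND.
        "bob_edits": is_allowed(BOB, "notebook.edit", GRANTS, nb),
        # Workspace Owner with no Resource role at all: AND fails.
        "carl_edits": is_allowed(CARL, "notebook.edit", GRANTS, nb),
        # Workspace-only operations ignore Resource roles entirely.
        "alice_invites": is_allowed(ALICE, "workspace.invite_user", GRANTS),
        "carl_invites": is_allowed(CARL, "workspace.invite_user", GRANTS),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {allowed}")
```

Note that the example applies the stated AND rule literally: a Workspace Owner who holds no Resource role on a notebook cannot edit it. If a deployment wants owners to bypass resource checks, that has to be an explicit grant rather than an implicit override, otherwise the rule as written is no longer enforced.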

These principles ensure a robust and flexible access control system within Codatum.
