Access Control Overview
Last updated
Codatum has a simple yet powerful role-based access control system.
Users can hold roles, such as Viewer or Editor, for a workspace or individual resources (like Notebooks or Connections). Authorizations for various operations are determined based on the combination of roles a user holds.
User
An account belonging to a Workspace.
Group
A collection of users managed together. Groups can be assigned several Resource roles.
Resource
An object within Codatum. Every resource has a resource type.
Example: Resource: A specific Notebook “nb1”; Resource Type: Notebook.
Operation
An action that is linked either to an individual resource or to the workspace as a whole.
Example: Inviting users, Editing a notebook, etc.
Role
Workspace roles
A role assigned to a user within the Workspace (required for every user). Determines the permissions for workspace-level operations.
Example: Workspace.Owner → Determines the permissions for managing workspace settings and inviting new members.
Resource roles
A role linked to individual resources. Can be assigned to groups or individual users.
Example: notebook.Viewer(nb) → Determines the permissions for viewing operations on a specific notebook “nb”.
Permission
An assignment of a Workspace role or a Resource role to a user or group. It grants authorization to perform the specific operations linked to that workspace or resource.
Access rights are determined by the combination of roles a user holds, following a defined calculation method:
Roles are hierarchical: if a lower role grants an access right, every higher role grants it as well.
For an operation linked to a resource, the user's Workspace role and a Resource role usually both have to grant the access right before the operation is permitted (calculated with AND). A sufficient Resource role on its own is not enough if the Workspace role does not also allow the operation, and vice versa.
If a user holds multiple Resource roles for the same resource, whether assigned directly or through different groups, the access right is granted if any one of those Resource roles allows it (calculated with OR).
Below is a conceptual diagram illustrating these principles.
This diagram illustrates the pattern for an operation linked to a specific resource A. There is also a pattern for an operation linked solely to the workspace and not to any specific resource. This pattern is simpler, as shown below:
In this pattern, access rights are determined solely by the Workspace role.
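The following is an added example, not Codatum's own code, showing how the two patterns above combine: the role hierarchy, the AND between Workspace role and Resource role for resource-linked operations, the OR across several Resource roles on the same resource (direct or via groups), and the workspace-only pattern that consults the Workspace role alone. The role names follow the page (Owner, Editor, Viewer), but the exact hierarchy levels, the minimum roles each operation requires, and all users, groups and grants are constructed for illustration.

```python
"""Toy evaluator for the role-combination rules described on this page.

Added example, not Codatum's code. Hierarchy levels, per-operation minimum
roles, and the sample users/groups/grants below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumed hierarchies: a role at a higher index inherits every right of the
# roles below it (page: "if a lower role has an access right, a higher role
# will also have that access right").
WORKSPACE_ROLES = ["Viewer", "Editor", "Owner"]
RESOURCE_ROLES = ["Viewer", "Editor"]


@dataclass(frozen=True)
class Operation:
    name: str
    min_workspace_role: str
    # None marks the workspace-only pattern: no Resource role is consulted.
    min_resource_role: Optional[str] = None


# Assumed operation catalogue. Inviting members needs Workspace.Owner (page
# example); notebook operations need matching Workspace and Resource roles.
OPERATIONS = {
    "workspace.invite_user": Operation("workspace.invite_user", "Owner"),
    "notebook.view": Operation("notebook.view", "Viewer", "Viewer"),
    "notebook.edit": Operation("notebook.edit", "Editor", "Editor"),
}

# Constructed sample data. Every member must hold exactly one Workspace role.
WORKSPACE_ROLE_OF: Dict[str, str] = {"alice": "Owner", "bob": "Editor", "carol": "Viewer"}
GROUP_MEMBERS: Dict[str, Set[str]] = {"analysts": {"bob", "carol"}}
# resource id -> principal (user or group) -> Resource role
RESOURCE_GRANTS: Dict[str, Dict[str, str]] = {
    "nb1": {"analysts": "Viewer", "bob": "Editor"},
    "nb2": {"carol": "Editor"},
}


def _satisfies(held: str, required: str, hierarchy: list) -> bool:
    """True if `held` is at or above `required` in the given hierarchy."""
    return hierarchy.index(held) >= hierarchy.index(required)


def resource_roles_for(user: str, resource: str) -> Set[str]:
    """All Resource roles `user` holds on `resource`, directly or via groups."""
    roles: Set[str] = set()
    for principal, role in RESOURCE_GRANTS.get(resource, {}).items():
        if principal == user or user in GROUP_MEMBERS.get(principal, set()):
            roles.add(role)
    return roles


def is_permitted(user: str, op_name: str, resource: Optional[str] = None) -> bool:
    """Apply the page's calculation: hierarchy, AND across role kinds, OR across
    Resource roles on the same resource."""
    op = OPERATIONS[op_name]
    ws_role = WORKSPACE_ROLE_OF.get(user)
    if ws_role is None:
        return False  # not a member of the workspace: no Workspace role, nothing is granted
    if not _satisfies(ws_role, op.min_workspace_role, WORKSPACE_ROLES):
        return False  # Workspace role alone can deny, whatever the Resource roles say
    if op.min_resource_role is None:
        return True  # workspace-only pattern: decided solely by the Workspace role
    if resource is None:
        raise ValueError(f"{op_name} is linked to a resource; none given")
    # Resource-linked pattern: any one sufficient Resource role is enough (OR),
    # but only because the Workspace role check above already passed (AND).
    return any(
        _satisfies(role, op.min_resource_role, RESOURCE_ROLES)
        for role in resource_roles_for(user, resource)
    )


if __name__ == "__main__":
    for user, op, res in [
        ("alice", "workspace.invite_user", None),  # Owner: permitted
        ("bob", "workspace.invite_user", None),    # Editor: denied
        ("bob", "notebook.edit", "nb1"),           # Viewer via group OR Editor direct: permitted
        ("carol", "notebook.edit", "nb2"),         # Resource Editor but Workspace Viewer: denied (AND)
        ("alice", "notebook.view", "nb1"),         # Owner but no Resource role on nb1: denied (AND)
    ]:
        print(f"{user:6} {op:24} {res or '-':4} -> {is_permitted(user, op, res)}")
```

Two cases are worth a second look. carol is denied notebook.edit on nb2 despite holding the Editor Resource role there, because her Workspace role is Viewer and both sides of the AND must hold. Conversely alice, a Workspace Owner, is denied notebook.view on nb1 because nobody granted her a Resource role on it; the page says the two role kinds "usually" must both grant the right, so any owner-bypass a real deployment has would be an explicit exception rather than a consequence of the hierarchy.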
These principles ensure a robust and flexible access control system within Codatum.