Access Control Overview

Codatum has a simple yet powerful role-based access control system.

Users can hold roles such as Viewer or Editor for a workspace or individual resources (like Notebooks or Connections). Authorizations for various operations are determined based on the combination of roles a user holds.

Terminology

  • User

    • An account belonging to a Workspace.

  • Group

    • A collection of users managed together. Groups can be assigned several Resource Roles.

  • Resource

    • Represents various objects within Codatum and their types.

    • Example: Resource: A specific Notebook “nb1”, Resource Type: Notebook.

  • Operation

    • Various actions that can either be linked to individual resources or to the workspace as a whole.

    • Example: Inviting users, editing a notebook, ...

  • Role

    • Workspace roles

      • A role assigned to a user within the Workspace, required for every user. Determines the permissions for workspace-level operations.

      • Example: Workspace.Owner → Determines the permissions for managing workspace settings and inviting new members.

    • Resource roles

      • A role linked to individual resources. Can be assigned to groups or individual users.

      • Example: notebook.Viewer(nb) → Determines the permissions for viewing operations on a specific notebook “nb”.

  • Permission

    • The combination of a Resource role or Workspace role with a user or group, granting authorization to perform the specific operations linked to that resource or to the workspace.

Access Control Rule Basics

Access rights are determined by the combination of roles a user holds, following a defined calculation method.

  • Roles are hierarchical, so if a lower role has an access right, a higher role will also have that access right.

  • Workspace roles and Resource roles usually both need to grant access rights for an operation to be permitted (calculated with AND).

  • If a user has multiple Resource roles for the same resource, either assigned directly or through different groups, permission is granted if any one of those Resource Roles allows it (calculated with OR).

Below is a conceptual diagram illustrating these principles.

This diagram illustrates the pattern with an operation linked to a specific resource A. There is also a pattern with an operation linked solely to the workspace, not to any specific resource. This pattern is simpler, as shown below:

In this pattern, access rights are determined solely by the Workspace role.
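The following is an added example, not Codatum's own code, that models the rules above as an authorization check: hierarchical roles, AND between the Workspace role and the Resource role, OR across several Resource roles held directly or through groups, and workspace-only operations decided solely by the Workspace role. The role names, ranks, operation names and sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hierarchical roles: a higher rank inherits every right of the ranks below it.
# Role names and ranks are assumptions for illustration.
WORKSPACE_RANK = {"Viewer": 0, "Editor": 1, "Owner": 2}
RESOURCE_RANK = {"Viewer": 0, "Editor": 1}

# Minimum role required on each side, per operation (assumed operation names).
# A resource requirement of None marks a workspace-only operation (Workspace role only).
OPERATIONS = {
    "notebook.view": ("Viewer", "Viewer"),
    "notebook.edit": ("Editor", "Editor"),
    "workspace.invite": ("Owner", None),
}

@dataclass
class Group:
    name: str
    resource_roles: dict = field(default_factory=dict)  # resource id -> role

@dataclass
class User:
    workspace_role: str
    resource_roles: dict = field(default_factory=dict)  # directly assigned roles
    groups: list = field(default_factory=list)           # Group memberships

def _satisfies(held, required, rank):
    """Hierarchy check: the held role must rank at least as high as the required one."""
    return rank[held] >= rank[required]

def is_allowed(user, operation, resource=None):
    ws_required, res_required = OPERATIONS[operation]
    # Workspace side is mandatory (AND with the resource side).
    if not _satisfies(user.workspace_role, ws_required, WORKSPACE_RANK):
        return False
    if res_required is None:
        return True  # workspace-only operation
    # Resource side: collect direct and group-granted roles for this resource
    # and grant if ANY of them is sufficient (OR).
    held = [r for src in (user, *user.groups)
            for res, r in src.resource_roles.items() if res == resource]
    return any(_satisfies(r, res_required, RESOURCE_RANK) for r in held)

# Constructed sample: nb1 is shared with the "analysts" group as Viewer,
# while alice additionally holds Editor on nb1 directly.
analysts = Group("analysts", {"nb1": "Viewer"})
alice = User("Editor", {"nb1": "Editor"}, [analysts])
bob = User("Viewer", {}, [analysts])   # Viewer workspace role, Viewer on nb1 via group
carol = User("Owner", {}, [])          # Owner, but no Resource role on nb1
```

Note that carol, despite being Workspace Owner, cannot view nb1 without a Resource role, while she alone can invite users: that is the AND rule and the workspace-only pattern side by side.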

These principles ensure a robust and flexible access control system within Codatum.
