enhancement to metacat: overall access controls
I am submitting this bug to archive discussions we have been having regarding
access privileges to the entire metacat system. Basically, I would like to (1)
allow write access and the ability to create new EML documents to only a subset
of the authenticated users, i.e. to an LDAP group/user and (2) provide the name
of an LDAP user or group that always has full privileges on all documents, i.e.
a sysadmin-type privilege.
I envision a special access list that would be stored in the database that
contained access privileges for the entire metacat system. This document could
set all the same type of privileges that you can set in a normal ACL document
associated with a package, but they would apply to all documents before applying
the document's own ACL list. The owner of this special ACL list would be a
user/group specified in the config file and this would essentially create an
I haven't looked at the code, but this might not be that difficult to implement
considering that you already have to do the same sort of access control on
updates with the package ACL document. You could just consider it a
concatenation of privileges, although you might have to take care that the user
can never override overall access controls in his document's ACL list. If not,
it could just be another level of checking before taking any action.
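The layered check proposed above, as an added illustration in Python (not Metacat's own code): the system-wide layer is evaluated first and a document's own ACL cannot loosen it, while the configured sysadmin principal has full privileges everywhere. The principal names, the "public" group and the read/write/create vocabulary are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class AclRule:                       # one entry of a per-document ACL
    principal: str                   # LDAP user DN or group name
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()

# Proposed system-wide layer (constructed names, not real LDAP entries): a sysadmin
# principal with full privileges, plus permissions only the listed principals may hold.
SYSADMIN = "cn=metacat-admins"
RESTRICTED = {"write": frozenset({"cn=eml-authors"}),
              "create": frozenset({"cn=eml-authors"})}

def document_decision(doc_acl, principals, perm):
    """Evaluate a document's own ACL; an explicit deny beats any allow."""
    allowed = False
    for rule in doc_acl:
        if rule.principal not in principals:
            continue
        if perm in rule.deny:
            return False
        if perm in rule.allow:
            allowed = True
    return allowed

def is_permitted(principals, perm, doc_acl=None):
    """principals: the authenticated user plus the LDAP groups it belongs to."""
    # 1. The configured sysadmin user/group has full privileges on everything.
    if SYSADMIN in principals:
        return True
    # 2. System-wide restrictions come before the document ACL and cannot be
    #    overridden by it: a restricted permission needs a permitted principal.
    permitted = RESTRICTED.get(perm)
    if permitted is not None and principals.isdisjoint(permitted):
        return False
    # 3. No document yet (e.g. create): the system layer decides alone;
    #    otherwise the document's own ACL has the final say.
    return True if doc_acl is None else document_decision(doc_acl, principals, perm)

OPEN_DOC = [AclRule("public", allow=frozenset({"read", "write"}))]  # tries to grant write to everyone

def demo():
    bob = {"uid=bob", "public"}                        # authenticated, not an author
    alice = {"uid=alice", "public", "cn=eml-authors"}
    return {"bob_reads": is_permitted(bob, "read", OPEN_DOC),
            "bob_writes": is_permitted(bob, "write", OPEN_DOC),
            "bob_creates": is_permitted(bob, "create"),
            "alice_writes": is_permitted(alice, "write", OPEN_DOC),
            "alice_creates": is_permitted(alice, "create")}
```

Even though OPEN_DOC grants write to "public", bob is refused because the system-wide layer is checked first; only the sysadmin principal bypasses a document's explicit deny.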