Authorization Requirements

This specification does not describe a discrete service; it describes the authorization model used by an Open Services for Lifecycle Collaboration provider. It assumes that the authentication specification has been implemented.

Motivation

Nearly every service described by the Open Services for Lifecycle Collaboration initiative has to state the roles required to read from or write to its resources. This specification describes the authorization model as well as the base set of required roles that a client can expect to encounter.

Specification

Quite simply, all service operations require that a user be authenticated and be assigned certain roles in order to perform the request. The following is the minimal set of required roles. A server may provide more roles, and finer granularity within roles, but it MUST provide all of the following.

Guest
An unauthenticated user. Currently the only resource in this set of specifications that allows Guest access is the root service document. A user who is configured (i.e. present in the users feed) but has not been assigned any role also falls into this category.
Reader
Generally, all GET and HEAD operations require that the authenticated user have at least the Reader role. Also referred to as Repository Reader.
Writer
Generally, all PUT, POST and DELETE operations require that the authenticated user have at least the Writer role. Also referred to as Repository Writer; Writer is a super-set of Reader.
Admin
Certain sensitive operations require that the authenticated user have at least the Admin role. Also referred to as Repository Admin; Admin is a super-set of Writer.

Example

The following example continues the example in the authentication specification and shows the response when our example user requests an operation for which they do not hold the required role.

GET - Without the Correct Role
Request
GET /jazz/resources/main/A HTTP/1.1
Host: example.com
Date: [t2000]
Authorization: Basic [zoe's credential hash]
Response
HTTP/1.1 403 Forbidden
Host: example.com
Date: [t2000]
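The role model above (Guest < Reader < Writer < Admin, with each role a super-set of the one below, GET/HEAD needing Reader, PUT/POST/DELETE needing Writer, and Guest access limited to the root service document) and the 403 response in the example can be expressed as a small server-side check. The code below is an added illustration, not code from the specification or from any Jazz/OSLC implementation. The path of the root service document, the set of "sensitive" paths that require Admin, and the 401 answer for a request carrying no credentials at all are assumptions made for the example (the authentication specification governs the unauthenticated case); the user, paths and methods are constructed sample data.

```python
"""Role-based authorization check modelled on the OSLC role hierarchy.

Added example, not the project's own code. Role names follow the
specification (Guest, Reader, Writer, Admin). The root service document
path, the set of Admin-only paths, the 401 for requests without any
credentials and the 405 for unknown methods are assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class Role(IntEnum):
    """Ordered so that a higher role is a super-set of every lower one."""
    GUEST = 0
    READER = 1
    WRITER = 2
    ADMIN = 3


# Minimum role for each HTTP method, as stated in the specification.
METHOD_MIN_ROLE = {
    "GET": Role.READER,
    "HEAD": Role.READER,
    "PUT": Role.WRITER,
    "POST": Role.WRITER,
    "DELETE": Role.WRITER,
}

# Assumed path; the only resource a Guest may read.
ROOT_SERVICE_DOCUMENT = "/jazz/rootservices"


@dataclass
class User:
    """authenticated=False means no credentials were presented at all.
    A configured user with no assigned role is still a Guest."""
    name: Optional[str]
    authenticated: bool
    role: Role = Role.GUEST


@dataclass
class Policy:
    root_service_document: str = ROOT_SERVICE_DOCUMENT
    # Paths whose operations are "sensitive" and need Admin (assumed set).
    admin_paths: Set[str] = field(default_factory=set)

    def required_role(self, method: str, path: str) -> Optional[Role]:
        """Minimum role for (method, path); None if the method is not supported."""
        if method in ("GET", "HEAD") and path == self.root_service_document:
            return Role.GUEST
        if path in self.admin_paths:
            return Role.ADMIN
        return METHOD_MIN_ROLE.get(method)

    def authorize(self, user: User, method: str, path: str) -> int:
        """HTTP status the server should answer with before doing any work."""
        needed = self.required_role(method, path)
        if needed is None:
            return 405  # assumption: method not supported on this resource
        if needed == Role.GUEST:
            return 200  # root service document is open to everyone
        if not user.authenticated:
            return 401  # assumption: challenge per the authentication spec
        if user.role >= needed:
            return 200  # role hierarchy: a higher role satisfies a lower requirement
        return 403  # authenticated but lacking the role: Forbidden, as in the example


if __name__ == "__main__":
    policy = Policy(admin_paths={"/jazz/admin/users"})
    # Constructed user: zoe is authenticated and holds only the Reader role.
    zoe = User("zoe", authenticated=True, role=Role.READER)
    print("GET  ->", policy.authorize(zoe, "GET", "/jazz/resources/main/A"))
    print("PUT  ->", policy.authorize(zoe, "PUT", "/jazz/resources/main/A"))
```

The check is evaluated before the operation is attempted, so a Reader issuing a PUT receives 403 without the resource being touched, while a configured user with no role is treated exactly like an unauthenticated Guest for everything except the root service document.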