User Roles
From DOC
All users of Tolven must exist in LDAP. Even when a user is not yet logged in, they are assigned the Pseudo User tolvenGuest. Further, the capabilities of any particular user are determined by a set of extensible roles.
Each of the roles specified below can be defined as a Group in LDAP. Applicable users can then be added to each group.
Limiting access to users with specific roles is provided by various mechanisms.
How roles are used by EJB
EJB Session beans can restrict access to users with a specific role by adding the RolesAllowed annotation. For example, to restrict all methods on a class to users with the tolvenAdmin role:
```java
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("tolvenAdmin")   // applies to every business method of the bean
public class SomeClass {
    public void methodA() { /* ... */ }
    public void methodB() { /* ... */ }
}
```
To restrict specific methods to users with the tolvenAdmin role:
```java
public class SomeClass {
    @RolesAllowed("tolvenAdmin")   // only this method is restricted
    public void methodC() { /* ... */ }
}
```
A role can also be queried from a Session Bean:
```java
@Resource SessionContext ctx;
...
if (ctx.isCallerInRole("tolvenAdmin")) ...
```
A role can be queries from Java code in the web tier:
HttpServletRequest request;
...
if (request.isUserInRole("tolvenAdmin")) ...
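The following added example (not Tolven's own code; the bean, method names and queue handling are hypothetical) shows the three mechanisms above working together: a class-level RolesAllowed, a method-level override, a programmatic check for a second role inside the bean, and a web-tier check that only decides what to render. Note that only the bean-side checks are enforcement; the web-tier check is a convenience for the UI.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.http.HttpServletRequest;

// Hypothetical session bean combining declarative and programmatic role checks.
// Roles used with isCallerInRole must be declared so the container can map them.
@Stateless
@DeclareRoles({"tolvenWeb", "tolvenAdmin", "tolvenWriteRule"})
@RolesAllowed("tolvenWeb")   // class-level: every method requires tolvenWeb
public class PatientDataBean {

    @Resource
    private SessionContext ctx;

    // Inherits the class-level restriction: any tolvenWeb user may read.
    public String readSummary(String patientId) {
        return "summary for " + patientId;   // placeholder body
    }

    // A method-level annotation overrides the class-level one: tolvenAdmin only.
    @RolesAllowed("tolvenAdmin")
    public void loadMetadata(String pluginName) {
        // admin-only work, e.g. loading application metadata
    }

    // The container has already required tolvenWeb; a write additionally needs
    // tolvenWriteRule, checked programmatically so the denial is explicit.
    public void submitChange(String message) {
        if (!ctx.isCallerInRole("tolvenWriteRule")) {
            // fail closed with the same exception type the container uses for denied calls
            throw new EJBAccessException("tolvenWriteRule is required to submit to the ruleQueue");
        }
        // enqueue message on the ruleQueue (omitted)
    }
}

// Web tier helper (package-private, hypothetical): decides whether to render
// edit controls. It mirrors the bean's rule but does not replace it.
final class RoleView {
    static boolean showEditControls(HttpServletRequest request) {
        return request.isUserInRole("tolvenWeb") && request.isUserInRole("tolvenWriteRule");
    }
}
```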
Built-in Roles
The following table defines the built-in roles supported by Tolven:
| Role | Description |
| --- | --- |
| tolvenWeb | A user with this role is able to use the tolvenWeb application. The tolvenWeb application allows access to patient data that is further controlled by a separate set of delegated responsibilities administered within each account by an Account Administrator. A tolvenWeb user is only able to access data within a single account. Data to be shared between accounts must be explicitly sent via message to the receiving account. |
| tolvenRegister | A user with this role is able to register as a new Tolven user. This role is typically assigned to the tolvenGuest Pseudo User. |
| tolvenMobile | A user with this role is able to access the Mobile Applications. |
| tolvenWS | A user with this role is allowed to call Tolven Web Services from a remote application. |
| tolvenBrowse | A user with this role is able to use the Browse Everything application. Despite its name, this application does not provide access beyond what would be allowed with normal permission. However, this web application does allow the user to see data that an Account Administrator for an account can see. In other words, the user can see everything within that Account. As the name implies, this is a read-only function and is normally only used by developers and system administrators to understand the underlying structures of an application within a very simple User Interface. |
| tolvenDemoRegister | A user with this role is able to register as a demo user, that is, without requiring a valid email address for activation. This ability is further restricted using a system property which disables the function system-wide. |
| tolvenAdmin | A user with this role is able to perform administrative functions. This includes the functions related to configuration, the Tolven Plugin Framework, and loading application metadata to the database. |
| tolvenWriteRule | A user with this role is able to submit messages to the ruleQueue. Most regular application users should have this role. If a normal application user does not have this role, that user may still be able to view application data but will not be able to cause any change to the database beyond being able to set preferences. Also, logging functions do not require the user to have this role. |
| tolvenWriteInvitation | A user with this role is able to submit messages to the invitationQueue. Most regular application users should have this role. This includes the tolvenGuest Pseudo User, which needs it in order to send an activation message to a new user that self-registers. If self-registration is not allowed, then the tolvenGuest user does not need this role. |
| tolvenTrimBrowser | A user with this role is able to run the TRIM Browser web application. As the name implies, this is a read-only application that displays TRIM templates; in other words, this role does not allow access to patient data. |
| tolvenTrimUpload | A user with this role, typically a system administrator, is able to load TRIM templates to the database. |
| tolvenAdminApp | A user with this role, typically the Pseudo User tolvenAdminApp, is able to consume messages from the adminApp queue to perform system administration functions. Such functions do not involve access to patient data. |
| tolvenWriteAdminApp | A user with this role, typically a system administrator, is able to submit messages to the AdminApp queue. |
| tolvenWriteGen | A user with this role is able to request that test data be generated. In addition, a system property controls the maximum number of test patients that can be generated by a user. |
| tolvenGen | A user with this role is able to consume messages from the tolvenGen queue. This role is typically assigned to the Pseudo User tolvenGen. |
| tolvenRule | A user with this role is able to consume messages from the rule queue. This role is typically assigned to the Pseudo User tolvenRule. |
| tolvenInvitation | A user with this role is able to consume messages from the invitation queue. This role is typically assigned to the Pseudo User tolvenInvitation. |
Default Role Assignments
If no roles are found in LDAP for a user, then a set of roles is automatically assigned to that user, depending on the user (principal) name.
- admin
  - tolvenAdmin
  - tolvenTrimBrowser
  - tolvenTrimUpload
  - tolvenAdminApp
  - tolvenWriteAdminApp
  - tolvenAdminAppDLQ
- guest user
  - tolvenWriteInvitation
  - tolvenRegister
  - tolvenDemoRegister
- tolvenInvitation
  - tolvenInvitationDLQ
  - tolvenInvitation
- tolvenGen
  - tolvenGen
  - tolvenWriteRule
  - tolvenGenDLQ
- tolvenAdminApp
  - tolvenAdminApp
  - tolvenWriteAdminApp
  - tolvenAdminAppDLQ
- tolvenRule
  - tolvenRule
  - tolvenRuleDLQ
- any other user
  - tolvenWriteInvitation
  - tolvenWriteRule
  - tolvenWriteGen
  - tolvenWeb
  - tolvenWS
  - tolvenMobile
  - tolvenBrowse
Setting Roles in LDAP
If you add any role to a user in LDAP, then that user must have all of the roles in LDAP needed by that user. In other words, adding a single role to LDAP does not supplement the default roles, rather, it replaces the default roles for that user.
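The resolution rule above, as an added example (not Tolven's own code): defaults are chosen by principal name, and any LDAP group membership replaces them outright. The helper also reports which defaults a user silently lost, which is the check an administrator wants before granting a single extra role in LDAP. The principal names and the guest key "tolvenGuest" are assumptions taken from the page's list.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

// Hypothetical helper modelling the default-role rules described on this page.
final class EffectiveRoles {

    // Default assignments keyed by principal name; "any other user" is the fallback.
    static Set<String> defaultsFor(String principal) {
        switch (principal) {
            case "admin": return roles("tolvenAdmin", "tolvenTrimBrowser", "tolvenTrimUpload",
                    "tolvenAdminApp", "tolvenWriteAdminApp", "tolvenAdminAppDLQ");
            case "tolvenGuest": return roles("tolvenWriteInvitation", "tolvenRegister", "tolvenDemoRegister");
            case "tolvenInvitation": return roles("tolvenInvitationDLQ", "tolvenInvitation");
            case "tolvenGen": return roles("tolvenGen", "tolvenWriteRule", "tolvenGenDLQ");
            case "tolvenAdminApp": return roles("tolvenAdminApp", "tolvenWriteAdminApp", "tolvenAdminAppDLQ");
            case "tolvenRule": return roles("tolvenRule", "tolvenRuleDLQ");
            default: return roles("tolvenWriteInvitation", "tolvenWriteRule", "tolvenWriteGen",
                    "tolvenWeb", "tolvenWS", "tolvenMobile", "tolvenBrowse");
        }
    }

    // Page rule: if LDAP lists any role for the user, that list is the whole answer;
    // the defaults are only used when LDAP has nothing for the user.
    static Set<String> resolve(String principal, Set<String> ldapRoles) {
        return ldapRoles.isEmpty() ? defaultsFor(principal) : Collections.unmodifiableSet(ldapRoles);
    }

    // Audit: defaults the user would have had but no longer holds because LDAP
    // carries a partial set. A non-empty result usually means a misconfigured user.
    static Set<String> droppedDefaults(String principal, Set<String> ldapRoles) {
        Set<String> dropped = new LinkedHashSet<>(defaultsFor(principal));
        dropped.removeAll(resolve(principal, ldapRoles));
        return dropped;
    }

    private static Set<String> roles(String... names) {
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    public static void main(String[] args) {
        // Constructed sample: "alice" was given only the tolvenBrowse group in LDAP.
        Set<String> ldap = roles("tolvenBrowse");
        System.out.println("effective: " + resolve("alice", ldap));
        // tolvenWeb, tolvenWriteRule and the other "any other user" defaults are gone
        System.out.println("dropped:   " + droppedDefaults("alice", ldap));
    }
}
```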