A use case has come up in discussion with groups from SKA (highlighted by the Canadian SRC Regional Centre via CADC), augmenting the guidance around authorisation. Specifically, the "standard model" of "user joining group" is not sufficient: we also need groups to be able to join groups and to have multiple parents.
Details
In the following, the term "team" is used as a synonym for "group" with the following additional property: the team can be a subgroup of multiple groups.
In the example below, a User joins a Team. The team as a whole joins one or more groups and gets authorisation through the group. Users may join or leave the team independently of which groups the team is part of.
Whenever authorisation is required, the User gets authorisation from all the groups that the team is a member of.
Example
1. Users A, B and C join team T.
   - At this point, users A, B, C have authorisation <NAMESPACE>:group:T (in the sense of G002)
2. Team T joins groups X, Y
   - At this point, users A, B, C have authorisation <NAMESPACE>:group:T and <NAMESPACE>:group:X:T and <NAMESPACE>:group:Y:T
3. User C leaves T
   - At this point, users A, B have authorisation <NAMESPACE>:group:X:T and <NAMESPACE>:group:Y:T
   - At this point, user C has authorisation <NAMESPACE>:group:X or <NAMESPACE>:group:Y only if they have it by independent means (not through T)
4. T leaves Y and joins W
   - At this point, users A, B have authorisation <NAMESPACE>:group:X:T and <NAMESPACE>:group:W:T
5. User D joins T
   - At this point, users A, B, D have authorisation as in point 4
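The steps of the example can be replayed in a small Python model. This is an added illustration, not code from the page or from any AAI implementation: the `Directory` class and its method names are hypothetical, and it assumes entitlements are derived from current membership at evaluation time and that team members keep the team's own entitlement, as in step 2.

```python
from collections import defaultdict

NAMESPACE = "<NAMESPACE>"  # placeholder kept exactly as on the page


class Directory:
    """Hypothetical in-memory membership store (assumption, not a real API)."""

    def __init__(self):
        self.members = defaultdict(set)  # team or group -> users who joined it directly
        self.parents = defaultdict(set)  # team -> groups the team itself has joined

    def user_join(self, user, name):
        self.members[name].add(user)

    def user_leave(self, user, name):
        self.members[name].discard(user)

    def team_join(self, team, group):
        self.parents[team].add(group)

    def team_leave(self, team, group):
        self.parents[team].discard(group)

    def entitlements(self, user):
        """Derive entitlements from current state; nothing is stored per user."""
        out = set()
        for name, users in self.members.items():
            if user not in users:
                continue
            out.add(f"{NAMESPACE}:group:{name}")
            # One entitlement per parent group, scoped to the team.
            for group in self.parents.get(name, ()):
                out.add(f"{NAMESPACE}:group:{group}:{name}")
        return out


def replay_example():
    """Replay the five steps of the example; return snapshots keyed by step."""
    d, snap = Directory(), {}
    for u in "ABC":
        d.user_join(u, "T")                        # step 1
    d.team_join("T", "X"); d.team_join("T", "Y")   # step 2
    snap[2] = {u: d.entitlements(u) for u in "ABC"}
    d.user_leave("C", "T")                         # step 3
    snap[3] = {u: d.entitlements(u) for u in "ABC"}
    d.team_leave("T", "Y"); d.team_join("T", "W")  # step 4
    d.user_join("D", "T")                          # step 5
    snap[5] = {u: d.entitlements(u) for u in "ABCD"}
    return snap
```

Because nothing is copied onto the user record, C loses every T-derived entitlement the moment C leaves, and D picks up exactly what A and B hold without any per-user grant.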