Claims
What you might have seen in some systems as rights, permissions, and/or roles is handled as claims in this app.
Users are not a SysAdmin, manager, etc. A user has claims, and those claims then provide the ability to perform actions. So a user that has a manager claim to the Dave4DogCatcher campaign is a manager in that campaign but, with that being their only claim, is a volunteer in all other campaigns.
Each claim is broken out into the rights to Create, Read, Update and Delete, plus Administer, which in shorthand is CRUD+A. This is also written at times in the form cRUd+a, where the capital letters mark the rights held: cRUd+a signifies a user has Read and Update rights, but not Create, Delete or Administer rights.
So a claim gives a user CRUD+A rights for a specific organization.
Administer is the right that allows a user to approve tasks (created by a volunteer) and to close and/or disable an organization or task. It is also the right to administer which users have managerial claims on an organization.
Organization Managerial Claims
A user’s claims on an organization, and its tasks, take the form of (Admin, Dave4DogCatcher). This claim says the user has Admin rights to the organization Dave4DogCatcher. Dave4DogCatcher is the organization’s UniqueId, and this is why a UniqueId cannot be changed: doing so would invalidate all claims to that organization.
There are unfortunately two distinct uses of the word Admin here. There is the Administer claim as part of CRUD+A, which is sometimes referred to by the shorthand Admin. And there is the manager level Admin, which is one of Admin, Organizer, TrustedHost, and Host. A claim of (Admin, Dave4DogCatcher) gives a user the Admin manager level claim in the organization Dave4DogCatcher. From that claim they will have cRUD+A rights, which includes Administer, in the organization Dave4DogCatcher.
Rights of organization managers
Organizations
These are the rights that each claim gives a user on the organization they have the claim on.
Claim | Create | Read | Update | Delete | Administer
---|---|---|---|---|---
Admin | | ✔ | ✔ | ✔ | ✔
Organizer | | ✔ | ✔ | |
TrustedHost | | ✔ | | |
Host | | ✔ | | |
Children Organizations
The user also has rights, from that claim, on the children of the organization. For example, a user with the claim (Admin, Colorado) has the following rights on organizations that are children of the Colorado (Colorado State Party) organization. Note: this does not apply to grandchildren, just the direct children organizations.
Claim | Create | Read | Update | Delete | Administer
---|---|---|---|---|---
Admin | ✔ | ✔ | ✔ | ✔ | ✔
Organizer | ✔ | ✔ | ✔ | |
TrustedHost | | | | |
Host | | | | |
Organization +A (Administer) Rights
The following Organization properties can only be set to the checked values by a user with Administer (+A) rights. Values whose box is not checked may be set by a user with Administer rights, and can also be set by a user with Update rights.
Property | True | False
---|---|---
Enabled | ✔ |
Private | ✔ |
In addition, the +A (Administer) right is required to edit which users have manager claims for that organization.
Tasks
Finally, there are the rights a manager has to tasks in their organization. These rights do not extend to the tasks of the child organizations.
Claim | Create | Read | Update | Delete | Administer
---|---|---|---|---|---
Admin | ✔ | ✔ | ✔ | ✔ | ✔
Organizer | ✔ | ✔ | ✔ | ✔ |
TrustedHost | ✔ | ✔ | ✔ | ✔ |
Host | ✓ | ✔ | ✔ | |
Volunteer | ✓ | ✓ | ✓ | |
✓ Organizations may allow Volunteers (and Hosts) to create tasks. When a volunteer creates a task, they also have Read and Update rights to their own tasks.
To create a task, a volunteer must be following the organization they are creating the task for. In addition, their email and phone number must be verified and they must have an address.
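The three rights tables above as executable rules, in an added example that is not the application's own code: it resolves manager-level claims such as (Admin, Dave4DogCatcher) into CRUD+A letters on an organization, on its direct children and on its tasks, including the "*" wildcard and the creator's Read/Update on their own task. The parent map, the claim tuple shape and the function names are assumptions.

```python
from typing import FrozenSet, Iterable, Optional, Tuple

Claim = Tuple[str, str]  # (manager level, organization UniqueId or "*")

# Rights tables transcribed from this page, in CRUD+A shorthand letters:
# "RUDA" is cRUD+A (Read, Update, Delete, Administer, but not Create).
ORG_RIGHTS = {"Admin": "RUDA", "Organizer": "RU", "TrustedHost": "R", "Host": "R"}
CHILD_RIGHTS = {"Admin": "CRUDA", "Organizer": "CRU", "TrustedHost": "", "Host": ""}
TASK_RIGHTS = {"Admin": "CRUDA", "Organizer": "CRUD", "TrustedHost": "CRUD", "Host": "RU"}

# Constructed hierarchy (assumption): the Colorado State Party has one child campaign.
PARENT = {"Colorado": None, "Dave4DogCatcher": "Colorado"}


def _applies(target: str, org: str) -> bool:
    """A claim applies to `org` if it names that UniqueId or is the "*" wildcard."""
    return target == "*" or target == org


def org_rights(claims: Iterable[Claim], org: str) -> FrozenSet[str]:
    """CRUD+A letters held on `org` itself. A claim on the parent contributes
    the Children Organizations table; grandparent claims contribute nothing."""
    granted = set()
    parent: Optional[str] = PARENT.get(org)
    for level, target in claims:
        if _applies(target, org):
            granted.update(ORG_RIGHTS.get(level, ""))  # unknown level grants nothing
        elif parent is not None and target == parent:
            granted.update(CHILD_RIGHTS.get(level, ""))
    return frozenset(granted)


def task_rights(claims: Iterable[Claim], org: str, own_task: bool = False) -> FrozenSet[str]:
    """CRUD+A letters held on tasks of `org`. Claims on the parent do not reach
    these tasks; a volunteer who created the task keeps Read and Update on it."""
    granted = set("RU") if own_task else set()
    for level, target in claims:
        if _applies(target, org):
            granted.update(TASK_RIGHTS.get(level, ""))
    return frozenset(granted)


if __name__ == "__main__":
    manager = [("Admin", "Colorado")]
    print(sorted(org_rights(manager, "Dave4DogCatcher")))   # child org: full CRUD+A
    print(sorted(task_rights(manager, "Dave4DogCatcher")))  # child tasks: nothing
```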
Task +A (Administer) Rights
The following task properties can only be set to the checked values by a user with Administer (+A) rights. Values whose box is not checked may be set by a user with Administer rights, and can also be set by a user with Update rights.
Property | True | False
---|---|---
Accepted | ✔ |
Closed | ✔ | ✔
Enabled | ✔ |
Private | ✔ |
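An added example, not the application's own code, that enforces both the Organization +A table and the Task +A table above, plus the manager-claim rule: Administer may set any box, an unchecked box also accepts Update, and a property not in the tables is refused rather than silently allowed. The Rights type (a set of CRUD+A letters) and the function names are assumptions.

```python
from typing import Dict, FrozenSet, Set, Tuple

Rights = FrozenSet[str]  # the CRUD+A letters a user holds, e.g. frozenset("RU")

# Properties each object kind exposes, transcribed from the two tables above.
KNOWN: Dict[str, Set[str]] = {
    "organization": {"Enabled", "Private"},
    "task": {"Accepted", "Closed", "Enabled", "Private"},
}
# (property, new value) pairs whose box is checked, i.e. Administer-only.
ADMIN_ONLY: Dict[str, Set[Tuple[str, bool]]] = {
    "organization": {("Enabled", True), ("Private", True)},
    "task": {("Accepted", True), ("Closed", True), ("Closed", False),
             ("Enabled", True), ("Private", True)},
}


def may_set(rights: Rights, kind: str, prop: str, value: bool) -> bool:
    """True if a user holding `rights` may set `prop` to `value` on a `kind`.
    Administer may set every box; an unchecked box also accepts Update."""
    if kind not in KNOWN or prop not in KNOWN[kind]:
        raise ValueError(f"unknown property {kind}.{prop}")  # deny by default
    if "A" in rights:
        return True
    return "U" in rights and (prop, value) not in ADMIN_ONLY[kind]


def may_edit_manager_claims(rights: Rights) -> bool:
    """Changing which users hold manager claims on an organization needs +A."""
    return "A" in rights
```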
SysAdmin Managerial Claims
The SysAdmin administers the users, their claims, and the lists of Certifications, Interests, Skills, and Tags. All of these objects are global to the application in that an organization and/or task uses them, but does not own them.
Rights of SysAdmins
A user gets SysAdmin rights with a claim like (SysAdmin, Users:Delete) which gives that user the right to delete users from the system.
These rights are CRUD (no Administer) and they are individually for Users, Claims, and Attributes.
There is no User:Create (a user can only be created by registering), no Claims:Update (to update, delete the old claim and create a new one), and no Attributes:Delete (an attribute can be hidden, but it still exists because existing organizations and tasks use it).
Wildcards
A user can be assigned the claim (Admin, *) or (SysAdmin, *). This gives them rights to all organizations, or all SysAdmin rights, respectively. This will never be granted to regular users, but is documented to provide a complete definition of the system.
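An added example (not the application's own code) for the SysAdmin side: it expands claims such as (SysAdmin, Users:Delete) against the per-object CRUD rights listed above, rejects the three values the page says do not exist, and treats (SysAdmin, *) as exactly the defined set and nothing more. The Object:Action string form follows the claim shown above; the function names are assumptions.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Claim = Tuple[str, str]  # (claim type, value), e.g. ("SysAdmin", "Users:Delete")

# CRUD letters that exist per object, transcribed from this page: there is no
# Users:Create, Claims:Update or Attributes:Delete, and SysAdmin has no Administer.
SYSADMIN_RIGHTS: Dict[str, str] = {"Users": "RUD", "Claims": "CRD", "Attributes": "CRU"}
ACTION = {"C": "Create", "R": "Read", "U": "Update", "D": "Delete"}
DEFINED: FrozenSet[str] = frozenset(
    f"{obj}:{ACTION[letter]}" for obj, letters in SYSADMIN_RIGHTS.items() for letter in letters
)


def is_defined(value: str) -> bool:
    """Whether a SysAdmin claim value names a right that exists (or the wildcard)."""
    return value == "*" or value in DEFINED


def sysadmin_rights(claims: Iterable[Claim]) -> FrozenSet[str]:
    """Expand SysAdmin claims to Object:Action strings. "*" grants every defined
    right and nothing more; an undefined value is a bad claim, not an empty one."""
    granted: Set[str] = set()
    for kind, value in claims:
        if kind != "SysAdmin":
            continue  # manager claims such as ("Admin", "Colorado") are out of scope
        if not is_defined(value):
            raise ValueError(f"undefined SysAdmin claim value: {value}")
        granted |= DEFINED if value == "*" else {value}
    return frozenset(granted)


def sysadmin_may(claims: Iterable[Claim], obj: str, action: str) -> bool:
    """Convenience check, e.g. sysadmin_may(claims, "Users", "Delete")."""
    return f"{obj}:{action}" in sysadmin_rights(claims)
```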