Patrick's Lucky Dip - Updating Objective Caveat Groups
The Problem

The HR team wished to use Objective to store the files they hold on each employee. The information in these files is obviously sensitive, so they needed a way of limiting access. Objective provides two approaches: privileges and caveats. The first is much easier to manage, but the second is more secure. If it were just the HR team, we would only need to create a single caveat group and apply it to the parent folder; all the files below it would inherit the same access restrictions. Of course it was not that simple. Each employee would have a batch of files. Some would be restricted to HR, some would be available to the line managers as well, and some would be available to the employee and their line manager as well as HR. Maintaining these permissions for all staff, and updating them whenever staff moved positions, would be a full-time job for some poor soul. We needed to automate this.

The Solution

The first stage was to design the structure of the caveat groups. The line manager groups were a bit trickier, but eventually I realised that we could create a single group for each individual. Membership of that group would consist of the person, their manager's group and the HR group. That way, if there was a change in the line management structure, all the groups lower down the chain would inherit the change. Rather than hard-code the list of files each employee requires, I created a database table to store it. This allows the HR team to add new files as required. I developed a series of JSP pages, linked using JavaServer Faces. The majority of the work is done in a single Java bean; I'll describe how this works on a different page. The core of it, creating or refreshing the caveat group for one member of staff, looks like this:
if( staffCaveatGroup == null )
{
    // the group does not exist yet, so create it under our local parent group
    debug = debug + " networkId=" + networkId;
    staffCaveatGroup = apiSession.initGroup();
    staffCaveatGroup.setName("Z_" + networkId); // our local naming convention
    staffCaveatGroup.setParent( (OjiGroup) apiSession.getObject("gA9999") ); // local setting
    staffCaveatGroup.create();
}
else
{
    // it already exists, so clear out every alias it currently holds
    collect = staffCaveatGroup.getContents();
    for (Object o : collect)
    {
        if( ((OjiObject) o).getTypeDefinition().getInternalName().startsWith("alias") )
        {
            ((OjiAlias) o).delete();
        }
    }
}
// Now let's fill this caveat group, starting with the API user
apiSession.getCurrentUser().createAlias( staffCaveatGroup );
// the member of staff themselves (guarded because the lookup may have returned null)
if( ojiStaffUser != null )
{
    ojiStaffUser.createAlias( staffCaveatGroup );
}
// their line manager's group, so changes higher up the chain are inherited
if( managerCaveatGroup != null )
{
    managerCaveatGroup.createAlias( staffCaveatGroup );
}
// now add HR services to this caveat group
((OjiGroup) apiSession.getObject("gA9999")).createAlias( staffCaveatGroup );
The vital thing to remember is to add the user you are using for the API to the membership of the caveat group; otherwise you're going to have real problems.

Patrick Haston
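To make the membership model concrete, here is an added Python model of the per-person group; it is not the page's Oji code (which is Java) and talks to no Objective server. sync_staff_caveat_group mirrors the create-or-clear-then-repopulate logic above, and effective_members expands the chain so a line-manager change made in one group is seen by every group below it. The group id gA9999 is the page's own HR setting; the API_USER name and the staff ids are constructed for the example.

```python
from dataclasses import dataclass, field

HR_GROUP = "gA9999"     # HR services group id used on the page (local setting)
API_USER = "api_user"   # constructed name for the account the integration runs as


@dataclass
class Group:
    """Constructed stand-in for an Objective caveat group: a set of alias targets
    (user ids or other group ids), standing in for getContents()/createAlias()."""
    name: str
    aliases: set = field(default_factory=set)


def sync_staff_caveat_group(groups, network_id, staff_user, manager_group=None):
    """Create or reset the per-person group Z_<networkId> and repopulate it.

    Same steps as the Java snippet: create the group if missing, otherwise drop
    every existing alias, then add the API user, the staff member, the manager's
    group and HR. Returns the group so callers can inspect it."""
    name = "Z_" + network_id
    group = groups.get(name)
    if group is None:
        group = groups[name] = Group(name)
    else:
        group.aliases.clear()       # same effect as deleting each alias
    group.aliases.add(API_USER)      # omit this and the API account loses access
    if staff_user is not None:
        group.aliases.add(staff_user)
    if manager_group is not None:
        group.aliases.add(manager_group)
    group.aliases.add(HR_GROUP)
    return group


def effective_members(groups, name, seen=None):
    """Expand nested group aliases into the set of user ids that can open a file
    carrying this caveat. Any name that is not a known group is treated as a
    user id; cycles in the manager chain are skipped rather than recursed."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    group = groups.get(name)
    if group is None:
        return {name}
    members = set()
    for target in group.aliases:
        members |= effective_members(groups, target, seen)
    return members
```

Resyncing only the manager's own group is enough: groups further down the chain alias the manager's group, not the manager's manager, so they pick up the change without being touched.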