Sync GovOPlaN module state

This commit is contained in:
2026-07-10 21:57:25 +02:00
parent 5413ddfc32
commit 9fe4522f76
3 changed files with 289 additions and 2 deletions

View File

@@ -1,5 +1,6 @@
from __future__ import annotations
from govoplan_core.core.access import CAPABILITY_AUTH_PERMISSION_EVALUATOR, CAPABILITY_AUTH_PRINCIPAL_RESOLVER
from govoplan_core.core.modules import (
DocumentationLink,
DocumentationTopic,
@@ -41,7 +42,7 @@ manifest = ModuleManifest(
id="docs",
name="Docs",
version="0.1.6",
dependencies=("access",),
required_capabilities=(CAPABILITY_AUTH_PRINCIPAL_RESOLVER, CAPABILITY_AUTH_PERMISSION_EVALUATOR),
optional_dependencies=("policy", "audit", "ops", "workflow", "search"),
permissions=(
_permission(
@@ -138,6 +139,39 @@ manifest = ModuleManifest(
],
},
),
DocumentationTopic(
id="docs.reference.organization-identity-idm-access-boundary",
title="Organization, identity, IDM, and access boundary",
summary="Organizations defines structures and functions. Identity defines people and accounts. IDM links identities to functions. Access turns accepted facts into roles and rights.",
body=(
"Use Organizations to model units, structures, relations, and function definitions. "
"Use Identity to maintain normalized identities and account links. "
"Use IDM to link an identity or account to a function in an organization unit, including delegated or acting-for cases. "
"Use Access to map accepted function facts to roles and permissions. "
"This split keeps organization modeling separate from identity lifecycle and keeps authorization decisions explicit."
),
layer="configured",
documentation_types=("admin", "user"),
audience=("tenant_admin", "access_admin", "operator", "user"),
related_modules=("organizations", "identity", "idm", "access"),
order=21,
links=(
DocumentationLink(label="Organizations", href="/organizations", kind="runtime"),
DocumentationLink(label="IDM assignments", href="/idm", kind="runtime"),
DocumentationLink(label="Access administration", href="/admin", kind="runtime"),
),
metadata={
"kind": "reference",
"admin_explanation": "Function-to-role effects are owned by Access. IDM assignment changes can be governed independently from organization model changes.",
"user_explanation": "A person can hold a function because IDM links their identity to the organization function. Access decides which application permissions that function gives.",
"module_boundaries": [
{"module": "organizations", "owns": "unit types, structures, relations, units, and function definitions"},
{"module": "identity", "owns": "identities and account links"},
{"module": "idm", "owns": "identity-to-function assignments, delegation, acting-for links, and synchronization mapping"},
{"module": "access", "owns": "roles, permissions, and accepted function-to-role mappings"},
],
},
),
),
)