Sync GovOPlaN module state
This commit is contained in:
@@ -1,5 +1,6 @@
|
||||
from __future__ import annotations
|
||||
|
||||
from govoplan_core.core.access import CAPABILITY_AUTH_PERMISSION_EVALUATOR, CAPABILITY_AUTH_PRINCIPAL_RESOLVER
|
||||
from govoplan_core.core.modules import (
|
||||
DocumentationLink,
|
||||
DocumentationTopic,
|
||||
@@ -41,7 +42,7 @@ manifest = ModuleManifest(
|
||||
id="docs",
|
||||
name="Docs",
|
||||
version="0.1.6",
|
||||
dependencies=("access",),
|
||||
required_capabilities=(CAPABILITY_AUTH_PRINCIPAL_RESOLVER, CAPABILITY_AUTH_PERMISSION_EVALUATOR),
|
||||
optional_dependencies=("policy", "audit", "ops", "workflow", "search"),
|
||||
permissions=(
|
||||
_permission(
|
||||
@@ -138,6 +139,39 @@ manifest = ModuleManifest(
|
||||
],
|
||||
},
|
||||
),
|
||||
DocumentationTopic(
|
||||
id="docs.reference.organization-identity-idm-access-boundary",
|
||||
title="Organization, identity, IDM, and access boundary",
|
||||
summary="Organizations defines structures and functions. Identity defines people and accounts. IDM links identities to functions. Access turns accepted facts into roles and rights.",
|
||||
body=(
|
||||
"Use Organizations to model units, structures, relations, and function definitions. "
|
||||
"Use Identity to maintain normalized identities and account links. "
|
||||
"Use IDM to link an identity or account to a function in an organization unit, including delegated or acting-for cases. "
|
||||
"Use Access to map accepted function facts to roles and permissions. "
|
||||
"This split keeps organization modeling separate from identity lifecycle and keeps authorization decisions explicit."
|
||||
),
|
||||
layer="configured",
|
||||
documentation_types=("admin", "user"),
|
||||
audience=("tenant_admin", "access_admin", "operator", "user"),
|
||||
related_modules=("organizations", "identity", "idm", "access"),
|
||||
order=21,
|
||||
links=(
|
||||
DocumentationLink(label="Organizations", href="/organizations", kind="runtime"),
|
||||
DocumentationLink(label="IDM assignments", href="/idm", kind="runtime"),
|
||||
DocumentationLink(label="Access administration", href="/admin", kind="runtime"),
|
||||
),
|
||||
metadata={
|
||||
"kind": "reference",
|
||||
"admin_explanation": "Function-to-role effects are owned by Access. IDM assignment changes can be governed independently from organization model changes.",
|
||||
"user_explanation": "A person can hold a function because IDM links their identity to the organization function. Access decides which application permissions that function gives.",
|
||||
"module_boundaries": [
|
||||
{"module": "organizations", "owns": "unit types, structures, relations, units, and function definitions"},
|
||||
{"module": "identity", "owns": "identities and account links"},
|
||||
{"module": "idm", "owns": "identity-to-function assignments, delegation, acting-for links, and synchronization mapping"},
|
||||
{"module": "access", "owns": "roles, permissions, and accepted function-to-role mappings"},
|
||||
],
|
||||
},
|
||||
),
|
||||
),
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user