Once your application has verified a user's credentials (authentication), it may need to determine what the user is allowed to do (authorization). Marmot provides authorization services that your application can use.
Authorization services are provided by the MU_Authorize class. To check authorizations, you need only create a new object of this class and call the appropriate check method.
An object of the MU_Authorize class must be instantiated with either a username or an LDAP DN as a parameter:
This username or DN is then used to perform any required authorizations.
Three types of authorization are supported:
Attribute comparison (LDAP)
Group membership - Miami University only (Novell eDirectory)
Explicitly granted - Miami University only (Authorization Manager)
Every LDAP user object has a variety of attributes, such as title, department, or classification. These attributes can be used to authorize a user to access certain features of the application. Attribute checking is done using the check_attribute method:
This method returns true if matched, false if failed, and -1 on error.
Miami University maintains various groups in its Novell eDirectory, and membership in those groups can be used as a basis for authorization. (Miami maintains two different directory services. At most institutions, one would just use the check_attribute method to check group membership.) Group checking is done using the check_group method:
This method returns true if matched, false if failed, and -1 on error.
Miami University has created a central authorization management application in order to better administer the diverse authorizations made to clients. The authorization manager is still in development and more information will be forthcoming. The authorization manager can be checked using the check_authorization method:
This method returns true if matched, false if failed, and -1 on error.
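All three check methods return -1 on error, and -1 is truthy in PHP, so a plain if on the result grants access when the check itself could not be completed. The following is an added example, not Marmot code, and assumes the application is written in PHP; mu_allow and the constructed closures are hypothetical stand-ins for calls to the check methods, whose arguments are not shown here.

```php
<?php
// Added example, not part of Marmot. The documented results of the check
// methods are true (matched), false (failed) and -1 (error).

/**
 * Run an authorization check and turn its result into allow/deny,
 * failing closed. $check is any callable that returns what
 * check_attribute, check_group or check_authorization returned.
 * (mu_allow is a hypothetical helper name.)
 */
function mu_allow(callable $check, string $what): bool
{
    try {
        $result = $check();
    } catch (\Throwable $e) {
        // The check could not run at all: record it and deny.
        error_log("authorization check '$what' threw: " . $e->getMessage());
        return false;
    }
    if ($result === true) {
        return true;    // explicit match is the only path to "allow"
    }
    if ($result !== false) {
        // -1 or any unexpected value means the check failed to complete
        // (for example, the directory was unreachable). Log it so the
        // outage is visible, then deny.
        error_log("authorization check '$what' returned "
            . var_export($result, true) . ', denying');
    }
    return false;
}

// Constructed results standing in for real calls to the check methods.
$samples = [
    'matched' => function () { return true; },
    'failed'  => function () { return false; },
    'error'   => function () { return -1; },
];

foreach ($samples as $label => $check) {
    // Loose test, as in: if ($auth->check_...(...)) { grant }
    $loose  = $check() ? 'allow' : 'deny';
    $strict = mu_allow($check, $label) ? 'allow' : 'deny';
    printf("%-8s loose=%-5s strict=%s\n", $label, $loose, $strict);
}
```

Only the error row differs between the two columns: the loose test allows it, while the strict comparison denies it and logs the failure.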