Users and Rights on VersaCloud
The relation among users and rights is defined as the set of rights associated to a specific user: think of each user as the owner of a basket containing his rights: this basket receives its first contents just upon registration, when the user will be assigned the 'User' right. In order to collect additional rights in his 'basket', the user needs that another user successfully calls the 'UserRightAddAllow' and 'UserRightAddCommit' APIs. The 'UserRightAddAllow' API requires the login handle of the user trying to assign the new right, the e-mail address identifying the user to be assigned the new right, plus the new right's signature as parameters.
Due to security reasons, the assignment of new rights is not granted automatically by calls to the 'UserRightAddAllow' API: instead, our finite state automaton contains state transition right management information to decide whether or not to allow the assignment of the new right. First note that only some user rights allow for the assignment of new rights to other users - standard users owning just the 'User' right are not able to assign any new right to other users. The second aspect involved is that in some cases the user must already own the right he is trying to assign to others.
All of this right transition information is depicted in Figure 14. Looking at the last line of the table, it is easy to see that owning the 'User' right does NOT allow assigning any additional right to any other user. On the other hand, owning the 'Developer' right allows to assign 'Auditor' and 'Debugger' rights to other users, even without owning these rights (in order to apply this rights, these privileged users will also need to know a solution token - created by the developer - hence effectively limiting the usage of these rights to the solution the developer created).
It is important to note that, as any other API calls, right assignment calls are logged by our single entry point engine. Hence, any user action, including right granting operations can be fully traced and audited. Also, user rights can be limited in time: although the initial timestamp is always the moment in time the user was granted the right (which can be retrieved by means of the 'UserRightSinceGet' API), the final timestamp can be retrieved and modified by means of the 'UserRightUntilGet', 'UserRightUntilSetAllow' and 'UserRightUntilSetCommit' APIs.
US Patent Requested