The document repository is a service that has two main components, a UI that a user interacts with, and a service by which users or third parties can manage a user's resources through the API.
The core concept of the repository is:
There are many documents. Each document can have any number of users and each of those users may have different permissions to that document. Users will share documents and change other users’ permissions as well as create, modify, and delete documents. We’ll assume there are two services, one that stores text documents and another that stores complex binary data, text and binary.
Additionally, each account in the document repository has multiple users authorized to access it. Some of them are full Admins of the account, with access to manage users, update billing information, or change global configuration for the account. Other users are only Viewers, who have only limited access to read all the documents in the repository. The rest of the users have some configurable permission on a document-by-document basis that provides the capability to create, update, or delete existing documents. Depending on the permission assigned to them, they might also be able to share that document with other users in the account (and users outside the account).
For further simplicity, this document repository is private per account. Documents created in one account are not available to the public. And conversely, in order to create a document, the user must have the
The roles associated with the document repository might look like this:
Admin: Contains the permissions ✶. When assigned to a user in an access record, that user has full control over that document as well as the ability to change other users' permissions to that document.
Editor: Contains the permissions documents:share. They can make changes to the document as necessary.
Viewer: Contains the permission documents:read. When given to a user for a document, they will be able to read the document only.
Creator: Contains the permission documents:create. Usually given to all users in an account. Users with this permission can create documents. When they create a document, they are given Admin to that new document only.
Permissions: Allow, Grant, Delegate
To keep this scenario simple, we'll assume that only the Admin role has Delegate. That means that an Editor cannot assign any roles-- Creator--to other users. To be able to assign a role to a user, that user must have Delegate on all the permissions in the relevant access record. For more details on Delete, refer to the access record permissions article.
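The role and Delegate rules above can be modeled in a few lines. This is an added example, not the service's API and not code from the GitHub project mentioned below. It assumes the wildcard permission is written `*`, that the Editor role also holds `documents:read` and `documents:update`, that the user doing the assigning is the one who needs Delegate, and hypothetical names (`Repository`, `alice`, `acct`, `doc-1`).

```python
from fnmatch import fnmatchcase

# Role -> permissions. Admin, Viewer and Creator follow the page; the Editor
# permissions other than documents:share are assumed for this example.
ROLES = {
    "Admin": {"*"},
    "Editor": {"documents:read", "documents:update", "documents:share"},
    "Viewer": {"documents:read"},
    "Creator": {"documents:create"},
}
DELEGATING_ROLES = {"Admin"}  # scenario: only Admin carries Delegate


class Repository:
    def __init__(self):
        self.records = {}  # access records: (user, resource) -> role names

    def _matches(self, user, resource, permission, only=None):
        roles = self.records.get((user, resource), set())
        if only is not None:
            roles = roles & only
        return any(fnmatchcase(permission, p) for r in roles for p in ROLES[r])

    def is_allowed(self, user, resource, permission):
        return self._matches(user, resource, permission)

    def can_delegate(self, user, resource, permission):
        return self._matches(user, resource, permission, DELEGATING_ROLES)

    def assign(self, actor, target, resource, role):
        # The actor needs Delegate on every permission in the assigned role.
        if not all(self.can_delegate(actor, resource, p) for p in ROLES[role]):
            raise PermissionError(f"{actor} lacks Delegate for {role} on {resource}")
        self.records.setdefault((target, resource), set()).add(role)

    def create_document(self, user, account, doc_id):
        if not self.is_allowed(user, account, "documents:create"):
            raise PermissionError(f"{user} may not create documents in {account}")
        # The creator becomes Admin of the new document only.
        self.records.setdefault((user, doc_id), set()).add("Admin")
        return doc_id


if __name__ == "__main__":
    repo = Repository()
    repo.records[("alice", "acct")] = {"Creator"}  # constructed sample data
    repo.create_document("alice", "acct", "doc-1")
    repo.assign("alice", "bob", "doc-1", "Editor")
    print(repo.is_allowed("bob", "doc-1", "documents:share"))
    print(repo.can_delegate("bob", "doc-1", "documents:read"))
```

Because the check runs per permission, an Editor cannot hand out even the Viewer role, although the Editor holds `documents:read` itself.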
An example implementation of a document repository using AWS S3 is available on GitHub: Document Library Microservice