""" RBAC Permission Matrix Default role-to-resource permission mappings for Klausur-Korrektur and Zeugnis workflows. Extracted from rbac.py for file-size compliance. """ from typing import Dict, Set from rbac_types import Role, Action, ResourceType # ============================================= # RBAC PERMISSION MATRIX # ============================================= # Standard-Berechtigungsmatrix (kann durch Policies ueberschrieben werden) DEFAULT_PERMISSIONS: Dict[Role, Dict[ResourceType, Set[Action]]] = { # Erstkorrektor Role.ERSTKORREKTOR: { ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.SHARE_KEY, Action.LOCK}, ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE}, ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE}, ResourceType.RUBRIC: {Action.READ, Action.UPDATE}, ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Zweitkorrektor (Standard: FULL visibility) Role.ZWEITKORREKTOR: { ResourceType.EXAM_PACKAGE: {Action.READ}, ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE}, ResourceType.EH_DOCUMENT: {Action.READ}, ResourceType.RUBRIC: {Action.READ}, ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Drittkorrektor Role.DRITTKORREKTOR: { ResourceType.EXAM_PACKAGE: {Action.READ}, ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE}, ResourceType.EH_DOCUMENT: {Action.READ}, ResourceType.RUBRIC: {Action.READ}, ResourceType.ANNOTATION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.EVALUATION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.REPORT: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.GRADE_DECISION: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Fachvorsitz Role.FACHVORSITZ: { ResourceType.TENANT: {Action.READ}, ResourceType.NAMESPACE: {Action.READ, Action.UPDATE}, ResourceType.EXAM_PACKAGE: {Action.READ, Action.UPDATE, Action.LOCK, Action.UNLOCK, Action.SIGN_OFF}, ResourceType.STUDENT_WORK: {Action.READ, Action.UPDATE}, ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE}, ResourceType.RUBRIC: {Action.READ, Action.UPDATE}, ResourceType.ANNOTATION: {Action.READ, Action.UPDATE}, ResourceType.EVALUATION: {Action.READ, Action.UPDATE}, ResourceType.REPORT: {Action.READ, Action.UPDATE}, ResourceType.GRADE_DECISION: {Action.READ, Action.UPDATE, Action.SIGN_OFF}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Pruefungsvorsitz Role.PRUEFUNGSVORSITZ: { ResourceType.TENANT: {Action.READ}, ResourceType.NAMESPACE: {Action.READ, Action.CREATE}, ResourceType.EXAM_PACKAGE: {Action.READ, Action.SIGN_OFF}, ResourceType.STUDENT_WORK: {Action.READ}, ResourceType.EH_DOCUMENT: {Action.READ}, ResourceType.GRADE_DECISION: {Action.READ, Action.SIGN_OFF}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Schul-Admin Role.SCHUL_ADMIN: { ResourceType.TENANT: {Action.READ, Action.UPDATE}, ResourceType.NAMESPACE: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, ResourceType.EXAM_PACKAGE: {Action.CREATE, Action.READ, Action.DELETE, Action.ASSIGN_ROLE}, ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.DELETE}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Land-Admin (Behoerde) Role.LAND_ADMIN: { ResourceType.TENANT: {Action.READ}, ResourceType.EH_DOCUMENT: {Action.READ, Action.UPLOAD, Action.UPDATE, Action.DELETE, Action.PUBLISH_OFFICIAL}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Auditor Role.AUDITOR: { ResourceType.AUDIT_LOG: {Action.READ}, ResourceType.EXAM_PACKAGE: {Action.READ}, # Nur Metadaten # Kein Zugriff auf Inhalte! }, # Operator Role.OPERATOR: { ResourceType.TENANT: {Action.READ}, ResourceType.NAMESPACE: {Action.READ}, ResourceType.EXAM_PACKAGE: {Action.READ}, # Nur Metadaten ResourceType.AUDIT_LOG: {Action.READ}, # Break-glass separat gehandhabt }, # Teacher Assistant Role.TEACHER_ASSISTANT: { ResourceType.STUDENT_WORK: {Action.READ}, ResourceType.ANNOTATION: {Action.CREATE, Action.READ}, # Nur bestimmte Typen ResourceType.EH_DOCUMENT: {Action.READ}, }, # Exam Author (nur Vorabi) Role.EXAM_AUTHOR: { ResourceType.EH_DOCUMENT: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, ResourceType.RUBRIC: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, }, # ============================================= # ZEUGNIS-WORKFLOW ROLLEN # ============================================= # Klassenlehrer - Erstellt Zeugnisse, Kopfnoten, Bemerkungen Role.KLASSENLEHRER: { ResourceType.NAMESPACE: {Action.READ}, ResourceType.ZEUGNIS: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS_ENTWURF: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, ResourceType.ZEUGNIS_VORLAGE: {Action.READ}, ResourceType.SCHUELER_DATEN: {Action.READ, Action.UPDATE}, ResourceType.FACHNOTE: {Action.READ}, # Liest Fachnoten der Fachlehrer ResourceType.KOPFNOTE: {Action.CREATE, Action.READ, Action.UPDATE}, ResourceType.FEHLZEITEN: {Action.READ, Action.UPDATE}, ResourceType.BEMERKUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.DELETE}, ResourceType.VERSETZUNG: {Action.READ}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Fachlehrer - Traegt Fachnoten ein Role.FACHLEHRER: { ResourceType.NAMESPACE: {Action.READ}, ResourceType.SCHUELER_DATEN: {Action.READ}, # Nur eigene Schueler ResourceType.FACHNOTE: {Action.CREATE, Action.READ, Action.UPDATE}, # Nur eigenes Fach ResourceType.BEMERKUNG: {Action.CREATE, Action.READ}, # Fachbezogene Bemerkungen ResourceType.AUDIT_LOG: {Action.READ}, }, # Zeugnisbeauftragter - Qualitaetskontrolle Role.ZEUGNISBEAUFTRAGTER: { ResourceType.NAMESPACE: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE, Action.UPLOAD}, ResourceType.SCHUELER_DATEN: {Action.READ}, ResourceType.FACHNOTE: {Action.READ}, ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE}, ResourceType.FEHLZEITEN: {Action.READ}, ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE}, ResourceType.VERSETZUNG: {Action.READ}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Sekretariat - Druck, Versand, Archivierung Role.SEKRETARIAT: { ResourceType.ZEUGNIS: {Action.READ, Action.DOWNLOAD}, ResourceType.ZEUGNIS_VORLAGE: {Action.READ}, ResourceType.SCHUELER_DATEN: {Action.READ}, # Fuer Adressdaten ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Schulleitung - Finale Zeugnis-Freigabe Role.SCHULLEITUNG: { ResourceType.TENANT: {Action.READ}, ResourceType.NAMESPACE: {Action.READ, Action.CREATE}, ResourceType.ZEUGNIS: {Action.READ, Action.SIGN_OFF, Action.LOCK}, ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS_VORLAGE: {Action.READ, Action.UPDATE}, ResourceType.SCHUELER_DATEN: {Action.READ}, ResourceType.FACHNOTE: {Action.READ}, ResourceType.KOPFNOTE: {Action.READ, Action.UPDATE}, ResourceType.FEHLZEITEN: {Action.READ}, ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE}, ResourceType.KONFERENZ_BESCHLUSS: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF}, ResourceType.VERSETZUNG: {Action.CREATE, Action.READ, Action.UPDATE, Action.SIGN_OFF}, ResourceType.EXPORT: {Action.CREATE, Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, # Stufenleitung - Stufenkoordination (z.B. Oberstufe) Role.STUFENLEITUNG: { ResourceType.NAMESPACE: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS: {Action.READ, Action.UPDATE}, ResourceType.ZEUGNIS_ENTWURF: {Action.READ, Action.UPDATE}, ResourceType.SCHUELER_DATEN: {Action.READ}, ResourceType.FACHNOTE: {Action.READ}, ResourceType.KOPFNOTE: {Action.READ}, ResourceType.FEHLZEITEN: {Action.READ}, ResourceType.BEMERKUNG: {Action.READ, Action.UPDATE}, ResourceType.KONFERENZ_BESCHLUSS: {Action.READ}, ResourceType.VERSETZUNG: {Action.READ, Action.UPDATE}, ResourceType.EXPORT: {Action.READ, Action.DOWNLOAD}, ResourceType.AUDIT_LOG: {Action.READ}, }, }