Capabilities are the means through which DTaaS determines whether or not an action may be performed.
There are seven types of Capabilities. Some Capabilities have no effect on some object types, and the exact semantics depend on the object type.

In general, objects have all Capabilities on objects they create, and Users are
able to CREATE Prototypes and DISCOVER other Users. When a User runs a Servable,
DTaaS will prompt for the Capabilities that the Servable requires, and the User
will be able to delegate Capabilities that they have to the Servable.
:class:`~sightline.simon.trust.Trust`\ s can be used to explicitly delegate
Capabilities to other Users.

The DISCOVER Capability is generally used to indicate knowledge that an object
exists. It allows access to only the most basic information about an object:
its type and ID.

The MANAGE Capability is the ability to manipulate Capabilities on the object
itself. Having the MANAGE Capability on an object means you can grant new
Capabilities on it or revoke existing Capabilities. Users typically have this
Capability on objects that they create and own.

Trusts allow Users to explicitly delegate Capabilities on objects they have to
other Users. The User that creates a Trust is referred to as a Trustee, which
grants them MANAGE on the Trust and on objects in the Trust. Trustees can add
other Users as Trustees.
Trustees control the content of a Trust and membership of the Trust. Members are Users and contents are other objects. When a Trust is created, it is defined with a set of Capabilities and ensures that all members have that set of Capabilities on all contents of the Trust. Members and contents can be removed, which will cease the delegation.
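
The Trust rules above, worked through as a small Python model. This is an added illustration, not DTaaS or sightline code: the ``Trust`` class shown here, ``effective``, ``demo`` and the IDs ``alice``, ``bob`` and ``obj-1`` are hypothetical, and only the Capability names come from this page.

```python
# Toy model of the Trust semantics described above. Not the DTaaS or
# sightline API: every class, function and ID here is hypothetical.
class Trust:
    def __init__(self, creator, capabilities):
        self.capabilities = frozenset(capabilities)  # set fixed at creation
        self.trustees = {creator}  # the creating User is a Trustee
        self.members = set()       # Users who receive the delegation
        self.contents = set()      # IDs of the objects being delegated

    def _group(self, actor, kind):
        # Only Trustees control Trustees, membership and contents.
        if actor not in self.trustees:
            raise PermissionError(f"{actor} is not a Trustee")
        return {"trustees": self.trustees, "members": self.members,
                "contents": self.contents}[kind]

    def add(self, actor, kind, item):
        self._group(actor, kind).add(item)

    def remove(self, actor, kind, item):
        if kind == "trustees":
            raise ValueError("only members and contents are removable here")
        self._group(actor, kind).discard(item)  # delegation ceases at once

def effective(user, obj_id, direct, trusts):
    """Capabilities `user` holds on `obj_id`: direct grants plus Trusts."""
    caps = set(direct.get((user, obj_id), ()))
    for trust in trusts:
        if obj_id in trust.contents:
            if user in trust.members:
                caps |= trust.capabilities  # every member gets the Trust's set
            if user in trust.trustees:
                caps.add("MANAGE")          # Trustees hold MANAGE on contents
    return caps

def demo():
    # Constructed sample data: alice created obj-1 and holds MANAGE on it.
    direct = {("alice", "obj-1"): {"DISCOVER", "MANAGE"}}
    trust = Trust("alice", {"DISCOVER"})
    trust.add("alice", "contents", "obj-1")
    trust.add("alice", "members", "bob")
    before = effective("bob", "obj-1", direct, [trust])
    trust.remove("alice", "members", "bob")
    after = effective("bob", "obj-1", direct, [trust])
    return before, after

if __name__ == "__main__":
    print(demo())
```

Because ``effective`` recomputes access from current membership on every call, removing a member or a content item takes effect on the next check with no separate revocation step.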

When a DTaaS node is in a dtDomain, Users on different nodes will be able
to Discover each other. This allows adding users to Trusts that exist on other
nodes in the Domain. Once a remote User is added, they will have Capabilities
on remote objects, and they will be able to interact with those objects via
their own DTaaS node as though the object existed locally. DTaaS handles the
proxying of access.