CSO Domain Roles

The outer content mgt. systems manage userid/password - user/role bindings which are passed thru to internal domain application processes. DCMS performs this function.

The function is meant to be transparent at the domain level so that once you log or sign-in you should not see a login for an integral subsystem without qualification because this functionality is applied at the scripting level of the domain. This does not mean that it is an error condition for you to see a login or registration screen of an integrated package since that interface of the package may be made available for operation outside of or in preparation for participation in DCMS.

Although the nomenclature used in a particular space may vary, the following user classes are fundamental and express the essence of the domain class structure, distinct from the root user:

Public Group

Much active content and service here requires higher priviledge levels but some is provided as a public service to this class of user. For clarity, the public group is considered to be a single anonymous user, i.e. a discrete spacetime sample from a population of individuals. This user ("nobody") is defined by its sessions which are in turn defined to be a tuple consisting of an IP address, a session start and stop datetime, and a unique identifier assigned by the domain web server processes to user agent sessions initiated by a browser process. A change in user status caused by logging out, timing out, or authenticating with an identity ends the current session.

Basic User Group
A unique user identity can be created in any integral application, and is defined by a unique integer person id determined by DCMS. Logging into the application creates a session in the domain owning the application. A given real person may have any number of such application identities which may or may not be associated with their real identity through registration and transactioning constituting the most basic level of membership in this class. To register here you complete a simple registration form and execute a transaction at which point you have an authenticated identitiy which you can associate with one or more application identities.
Entitled User Group
Entitlement refers to additional services and privileges which an authenticated user may have. A basic level of entitlment is the ability to create projects.
Producer Group
A domain producer is an entitled user who can create and administer enterprise domains.
cf. license rate chart.

Summary ontology, nomenclature, and pragmatics:

A basic user can use a domain application. Also sometimes called a "logged in" user.
An authenticated user maps 1-1 to a legal person is some real economic system. AKA registered user.
A unique real person, or simply person, is an abstract concept which DCMS attempts to manage as a semantic primitive. Every real persion maps to one or more authenticated users and possibly many basic users. The correct binding of real persons to authenticated users is a high level integration constraint/requirement of DCMS.