Talk:ESciDoc Admin Roles

Default role in 1.2

 * modified: each group member may see the user groups she is a member of
 * to consider for the next releases: whether a group member may also see the other group members
 * group members can in any case see the group's privileges
 * modified: logged-in users can see the following roles:
escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-user-account-inspector escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier

Moderator in 1.2

 * removed the right to retrieve roles and user accounts
 * role retrieval comes via the default policy
 * removed user-account retrieval; it is still possible via other roles
 * the sharing scenario works only with user groups
 * the moderator can retrieve all user groups she is a member of

UserAdministrator in 1.2
info:escidoc/names:aa:1.0:action:create-user-account info:escidoc/names:aa:1.0:action:retrieve-user-account info:escidoc/names:aa:1.0:action:update-user-account info:escidoc/names:aa:1.0:action:activate-user-account info:escidoc/names:aa:1.0:action:deactivate-user-account info:escidoc/names:aa:1.0:action:revoke-grant info:escidoc/names:aa:1.0:action:retrieve-grant


 * creation of user accounts is allowed without limitation
 * all other actions are allowed only if the user-account administrator performing the action is affiliated with the same OU as the user account being acted on
 * workaround so that users can be created and automatically become members of the groups of sub-OUs (departments): the user-account administrator shall be affiliated with each OU below the master OU, if such groups are needed
 * can revoke grants if the grant was issued to a user account in an OU she is affiliated with, or if she created the grant herself

Context administrator 1.2
info:escidoc/names:aa:1.0:action:create-context info:escidoc/names:aa:1.0:action:retrieve-context info:escidoc/names:aa:1.0:action:update-context info:escidoc/names:aa:1.0:action:delete-context info:escidoc/names:aa:1.0:action:close-context info:escidoc/names:aa:1.0:action:open-context info:escidoc/names:aa:1.0:action:retrieve-role


 * additionally, from the default policy: she can create and retrieve grants for contexts she created
 * can see the following roles:
escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier escidoc:role-cone-closed-vocabulary-editor escidoc:role-cone-open-vocabulary-editor escidoc:role-moderator escidoc:role-privileged-viewer escidoc:role-depositor

UserGroupAdministrator 1.2
info:escidoc/names:aa:1.0:action:create-user-group info:escidoc/names:aa:1.0:action:retrieve-user-group info:escidoc/names:aa:1.0:action:update-user-group info:escidoc/names:aa:1.0:action:delete-user-group info:escidoc/names:aa:1.0:action:activate-user-group info:escidoc/names:aa:1.0:action:deactivate-user-group info:escidoc/names:aa:1.0:action:retrieve-user-group-grant info:escidoc/names:aa:1.0:action:create-user-group-grant info:escidoc/names:aa:1.0:action:revoke-user-group-grant info:escidoc/names:aa:1.0:action:add-user-group-selectors info:escidoc/names:aa:1.0:action:remove-user-group-selectors info:escidoc/names:aa:1.0:action:retrieve-role

(idea: allow granting the user-group-inspector role to the own user group, but not to a context; this is also visible from the eSciDoc Admin interface).
 * cannot inherit from the default role, therefore create-user-group-grant is included explicitly
 * can retrieve only the roles escidoc:user-group-administrator and escidoc:user-group-inspector
 * can grant to own user groups (note: any role, as the role-id cannot be restricted otherwise; however not from eSciDoc Admin), and the object on which the grant is created must be the own user group only
 * however, the policy is not complete because of missing evaluation attributes
 * status: finished for 1.2 (latest-coreservice)
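As an added example (not eSciDoc's own code or its XACML policies), the decisions described in the UserAdministrator and UserGroupAdministrator notes above, modelled as plain Python so the OU rule, the "own grant" exception and the "own user group as grant object" restriction can be exercised against constructed accounts and groups. The class and function names are assumptions for this illustration; the action URIs and role ids are the ones quoted on this page. Where the notes are silent (retrieve-grant, create-user-group, non-grant group actions) the chosen behaviour is marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ACTION = "info:escidoc/names:aa:1.0:action:"

# Actions listed on the page for the two roles.
USER_ADMIN_ACTIONS = {ACTION + a for a in (
    "create-user-account", "retrieve-user-account", "update-user-account",
    "activate-user-account", "deactivate-user-account",
    "revoke-grant", "retrieve-grant")}
USER_GROUP_ADMIN_ACTIONS = {ACTION + a for a in (
    "create-user-group", "retrieve-user-group", "update-user-group",
    "delete-user-group", "activate-user-group", "deactivate-user-group",
    "retrieve-user-group-grant", "create-user-group-grant",
    "revoke-user-group-grant", "add-user-group-selectors",
    "remove-user-group-selectors", "retrieve-role")}
# The only roles a UserGroupAdministrator may retrieve.
UGA_VISIBLE_ROLES = {"escidoc:role-user-group-administrator",
                     "escidoc:role-user-group-inspector"}


@dataclass(frozen=True)
class UserAccount:          # assumed model, not an eSciDoc type
    id: str
    ous: FrozenSet[str]     # OUs the account is affiliated with (may be several)


@dataclass(frozen=True)
class UserGroup:            # assumed model
    id: str
    members: FrozenSet[str]  # user-account ids


@dataclass(frozen=True)
class Grant:                # assumed model
    id: str
    grantee: str            # user-account id the role was granted to
    role: str
    created_by: str         # user-account id of whoever created the grant


def shares_ou(a: UserAccount, b: UserAccount) -> bool:
    """'Same OU' check; any shared affiliation counts (the workaround relies on this)."""
    return bool(a.ous & b.ous)


def user_admin_permits(admin: UserAccount, action: str,
                       target: Optional[UserAccount] = None,
                       grant: Optional[Grant] = None,
                       accounts: Optional[Dict[str, UserAccount]] = None) -> bool:
    """Decision for a subject holding the UserAdministrator role."""
    if action not in USER_ADMIN_ACTIONS:
        return False                       # not covered by this role at all
    if action == ACTION + "create-user-account":
        return True                        # creation allowed without limitation
    if action in (ACTION + "revoke-grant", ACTION + "retrieve-grant"):
        # The page states this rule for revoke; applying it to retrieve is an assumption.
        if grant is None:
            return False
        if grant.created_by == admin.id:
            return True                    # grant created by the admin herself
        grantee = (accounts or {}).get(grant.grantee)
        return grantee is not None and shares_ou(admin, grantee)
    # retrieve/update/activate/deactivate: the target account must share an OU
    return target is not None and shares_ou(admin, target)


def user_group_admin_permits(admin: UserAccount, action: str,
                             group: Optional[UserGroup] = None,
                             role_id: Optional[str] = None,
                             object_id: Optional[str] = None) -> bool:
    """Decision for a subject holding the UserGroupAdministrator role."""
    if action not in USER_GROUP_ADMIN_ACTIONS:
        return False
    if action == ACTION + "retrieve-role":
        return role_id in UGA_VISIBLE_ROLES  # only the two group roles are visible
    if action == ACTION + "create-user-group":
        return True                        # assumption: no precondition modelled
    if group is None or admin.id not in group.members:
        return False                       # "own" group = admin is a member (assumed for non-grant actions too)
    if action in (ACTION + "create-user-group-grant", ACTION + "revoke-user-group-grant"):
        # Any role id is accepted (it cannot be restricted otherwise), but the
        # grant's object must be the own user group itself, never e.g. a context.
        return object_id == group.id
    return True


if __name__ == "__main__":
    # Constructed sample data.
    ua = UserAccount("ua1", frozenset({"ou:master", "ou:dept-a"}))
    alice = UserAccount("alice", frozenset({"ou:dept-a"}))
    bob = UserAccount("bob", frozenset({"ou:dept-b"}))
    print(user_admin_permits(ua, ACTION + "update-user-account", target=alice))  # True
    print(user_admin_permits(ua, ACTION + "update-user-account", target=bob))    # False
```

The OU comparison is deliberately a set intersection: the workaround in the notes (affiliating the administrator with every sub-OU) only works if one shared affiliation is enough, which is exactly what makes that workaround a widening of the administrator's reach and worth reviewing when the policy is completed.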