Talk:ESciDoc Admin Roles
Default role in 1.2
- modified: each group member may see its groups
- to consider for the next releases: whether a group member may also see the group members
- can certainly see the group privileges
- modified: logged-in users can see the following roles:
    escidoc:role-audience
    escidoc:role-collaborator-modifier-container-add-remove-any-members
    escidoc:role-collaborator-modifier-container-add-remove-members
    escidoc:role-collaborator-modifier-container-update-any-members
    escidoc:role-collaborator-modifier-container-update-direct-members
    escidoc:role-user-account-inspector
    escidoc:role-collaborator-modifier
    escidoc:role-collaborator
    escidoc:role-content-relation-manager
    escidoc:role-content-relation-modifier
Moderator in 1.2
- removed the right to retrieve roles and user-accounts
- role retrieval comes via the default policy
- removed user-account retrieval; possible via other roles
- the sharing scenario works only with user groups
- a moderator can retrieve all user groups she is a member of
UserAdministrator in 1.2
    info:escidoc/names:aa:1.0:action:create-user-account
    info:escidoc/names:aa:1.0:action:retrieve-user-account
    info:escidoc/names:aa:1.0:action:update-user-account
    info:escidoc/names:aa:1.0:action:activate-user-account
    info:escidoc/names:aa:1.0:action:deactivate-user-account
    info:escidoc/names:aa:1.0:action:deactivate-user-account
    info:escidoc/names:aa:1.0:action:revoke-grant
    info:escidoc/names:aa:1.0:action:retrieve-grant
- creation is allowed without limitations
- all other actions are allowed if the user who created the user account is in the same OU as the user-account
- workaround to allow users to be created (and automatically become members of groups of sub-OUs (departments)): the user-account-administrator shall be affiliated to each OU below the master OU, if such groups are needed.
- can revoke grants if granted to a UA with the appropriate OU, or if the grant was created by the UA itself
Context administrator 1.2
    info:escidoc/names:aa:1.0:action:create-context
    info:escidoc/names:aa:1.0:action:retrieve-context
    info:escidoc/names:aa:1.0:action:update-context
    info:escidoc/names:aa:1.0:action:delete-context
    info:escidoc/names:aa:1.0:action:close-context
    info:escidoc/names:aa:1.0:action:open-context
    info:escidoc/names:aa:1.0:action:retrieve-role
- additionally, coming from the default policy: can create/retrieve grants for a context she created
- can see the following roles:
    escidoc:role-audience
    escidoc:role-collaborator-modifier-container-add-remove-any-members
    escidoc:role-collaborator-modifier-container-add-remove-members
    escidoc:role-collaborator-modifier-container-update-any-members
    escidoc:role-collaborator-modifier-container-update-direct-members
    escidoc:role-collaborator-modifier
    escidoc:role-collaborator
    escidoc:role-content-relation-manager
    escidoc:role-content-relation-modifier
    escidoc:role-cone-closed-vocabulary-editor
    escidoc:role-cone-open-vocabulary-editor
    escidoc:role-moderator
    escidoc:role-privileged-viewer
    escidoc:role-depositor
UserGroupAdministrator 1.2
    info:escidoc/names:aa:1.0:action:create-user-group
    info:escidoc/names:aa:1.0:action:retrieve-user-group
    info:escidoc/names:aa:1.0:action:update-user-group
    info:escidoc/names:aa:1.0:action:delete-user-group
    info:escidoc/names:aa:1.0:action:activate-user-group
    info:escidoc/names:aa:1.0:action:deactivate-user-group
    info:escidoc/names:aa:1.0:action:retrieve-user-group-grant
    info:escidoc/names:aa:1.0:action:create-user-group-grant
    info:escidoc/names:aa:1.0:action:revoke-user-group-grant
    info:escidoc/names:aa:1.0:action:add-user-group-selectors
    info:escidoc/names:aa:1.0:action:remove-user-group-selectors
    info:escidoc/names:aa:1.0:action:retrieve-role
- cannot inherit from the default role, therefore create-user-group-grant is listed explicitly.
- can retrieve only roles of escidoc:user-group-administrator and escidoc:user-group-inspector
- can grant to own user-groups (note: any role, as the role-id cannot be otherwise restricted, however not from eSciDoc Admin) + the object on which the grant is created is the own user-group only
(idea: to allow granting the user-group-inspector role to the own user group, but not to a context, which is also visible from the eSciDoc Admin interface).
- However, due to missing evaluation attributes, the policy is not complete.
- status: finished for 1.2 (latest-coreservice)