Difference between revisions of "ESciDoc Admin Roles"
(54 intermediate revisions by 2 users not shown)
Latest revision as of 07:24, 26 July 2011
Administrative roles in eSciDoc
To allow a clearer separation between the various administrative privileges for eSciDoc master data and system resources, there will be several separate roles for managing each resource in the system instead of the originally envisioned Local Administrator role. Below is a more precise definition of these roles.
Schedule for new or modified roles: core-service 1.3
See also eSciDoc User Roles
UserAdministrator
- internal id: tbd (proposed: escidoc:role-user-administrator)
- granted-by: System administrator
A User Administrator is allowed to:
- create user accounts
- retrieve, modify, activate, deactivate user accounts (s)he created
- create, retrieve and revoke user-account-grants for user accounts (s)he created
- grant the User Inspector role to other users for the user accounts (s)he created
This role is an unlimited role (has no scope definitions).
- status: partly implemented, see also Talk:ESciDoc_Admin_Roles#UserAdministrator_in_1.2
User Inspector
- internal id: tbd (proposed: escidoc:role-user-inspector)
- granted-by: any user for his own user-account
A User Inspector is allowed to:
- retrieve the user account (s)he has been granted for
This role is a limited role; it is restricted to a user account.
Motivation: to allow for sharing and collaboration. A user may grant other users the possibility of retrieving basic details of his user account. A user who is granted this privilege may further grant privileges to any user account he can see, for his own resources or for resources he is able to grant privileges on.
- clarify last sentence--Natasa 13:41, 12 January 2010 (UTC)
- Info: can be defined without additional attribute resolver
- status: implemented
Organizational Unit Administrator
- internal id: escidoc:role-ou-administrator
- granted-by: System administrator, organizational unit administrator (for the defined OU scope)
An Organizational Unit Administrator is allowed to:
- create organizational units as children of the provided parent organizational unit (the defined OU scope)
- retrieve, modify, open, close organizational units within the children path of the defined OU scope
- grant Organizational Unit Administrator privileges for the same OU scope and any organizational unit in its children path
This role is a limited role. It is scoped to an organizational unit.
Note: any creation or modification of an organizational unit structure has additional constraints in the logic.
See General rules for organizational unit management for more details.
- status: not implemented
Context Administrator
- internal id: escidoc:role-context-administrator
- granted-by: System administrator
The Context Administrator (unlimited) role is allowed to:
- create contexts
- modify, delete, open, close contexts (s)he created
- grant the Context Modifier role for contexts (s)he created
- grant other context-scoped roles for the contexts (s)he created
This role is an unlimited role (has no scope definitions).
Note: Context operations are subject to additional logical restrictions. For more details see Rules on context administration.
- status: implemented, see also Talk:ESciDoc_Admin_Roles#Context_administrator_1.2
Context Modifier
- internal id: escidoc:role-context-modifier
- granted-by: System administrator, Context administrator (for own contexts)
The Context Modifier role is allowed to:
- modify, delete, open, close the context (s)he has been granted for
- grant other context-scoped roles for the context (s)he has privileges for (except the Context Modifier role)
This role is a limited role; it is scoped to a context.
Note: Context operations are subject to additional logical restrictions. For more details see Rules on context administration.
- status: implemented
UserGroup Administrator
- internal id: escidoc:role-user-group-administrator
- granted-by: System administrator
A User-Group-Administrator is allowed to:
- create user-groups
- retrieve, update, delete, activate, deactivate user-groups (s)he created
- add user-group-selectors to, and remove them from, user-groups (s)he created
- create, retrieve and revoke user-group-grants for user groups (s)he created
- grant the User Group Inspector role to other users for the user groups (s)he created
This role is an unlimited role (has no scope definitions).
- needs change
- status: partly implemented, see also Talk:ESciDoc_Admin_Roles#UserGroupAdministrator_1.2
UserGroup Inspector
- internal id: escidoc:role-user-group-inspector
- granted-by: System administrator, User group administrator (for own user groups)
A User-Group-Inspector is allowed to:
- retrieve the user-groups (s)he has been granted for
The User Group Inspector role is meant for users who are not members of a user-group but need the right to retrieve a particular user-group, e.g. in order to grant it privileges on their objects.
This role is a limited role. It is restricted to a user-group.
- status: implemented
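The role definitions above amount to an access-control model with two kinds of roles (unlimited roles, whose reach is bounded by who created a resource, and limited roles, bounded by a scope such as a context or an organizational unit subtree) plus delegation rules for who may grant which role. The Python model below is an added example and is not eSciDoc's own authorization code; the Grant and Resource classes, the Policy methods, the placeholder role name example-context-role and the sample users, organizational units and contexts are all assumptions made for this illustration. It covers the Context Administrator and Context Modifier sections (ownership, scope and the "except Context Modifier" delegation rule), the Organizational Unit Administrator section (children-path scope) and the User Inspector section (any user for his own account) in one decision function, which goes slightly beyond the page by combining them.

```python
"""Toy authorization model for the eSciDoc admin roles on this page (added example,
not eSciDoc's own authorization code; the data model, all names and the sample
data are assumptions made for this illustration)."""
from dataclasses import dataclass
from typing import Optional

# Roles the page describes as unlimited (granted by the system administrator only).
UNLIMITED_ROLES = {"user-administrator", "context-administrator", "user-group-administrator"}
# Context-scoped roles an admin/modifier may hand out; "example-context-role" is a placeholder.
CONTEXT_SCOPED_ROLES = {"context-modifier", "example-context-role"}


@dataclass(frozen=True)
class Grant:
    role: str
    scope: Optional[str] = None   # resource id the grant is limited to; None = unlimited


@dataclass(frozen=True)
class Resource:
    id: str
    kind: str                     # "context", "ou" or "user-account"
    created_by: str               # user who created the resource
    parent: Optional[str] = None  # parent OU (organizational units only)


class Policy:
    def __init__(self, resources, grants):
        self.resources = {r.id: r for r in resources}
        self.grants = grants      # user id -> set of Grant

    def has_role(self, user, role, scope=None):
        # unlimited grant matches any scope; a limited grant only its own scope
        return any(g.role == role and g.scope in (None, scope) for g in self.grants.get(user, ()))

    def ancestors(self, ou_id):
        """Yield the OU itself and every OU on its parent path."""
        while ou_id is not None:
            yield ou_id
            ou_id = self.resources[ou_id].parent

    def in_ou_scope(self, user, ou_id):
        """OU administrator scope covers the scoped OU and its whole children path."""
        return any(self.has_role(user, "ou-administrator", a) for a in self.ancestors(ou_id))

    def can_modify(self, user, res_id):
        """Modify/open/close decision: ownership for unlimited roles, scope for limited ones."""
        res = self.resources[res_id]
        if res.kind == "context":
            return ((self.has_role(user, "context-administrator") and res.created_by == user)
                    or self.has_role(user, "context-modifier", res_id))
        if res.kind == "ou":
            return self.in_ou_scope(user, res_id)
        return False

    def can_grant(self, grantor, role, scope):
        """May grantor hand out role limited to scope? Mirrors the granted-by lines above."""
        res = self.resources.get(scope)
        if role in UNLIMITED_ROLES or res is None:
            return False
        if role == "user-inspector" and res.kind == "user-account":
            # any user for his own account (account id == user id here) or the creating admin
            return scope == grantor or (
                self.has_role(grantor, "user-administrator") and res.created_by == grantor)
        if role == "ou-administrator" and res.kind == "ou":
            return self.in_ou_scope(grantor, scope)
        if role in CONTEXT_SCOPED_ROLES and res.kind == "context":
            if self.has_role(grantor, "context-administrator") and res.created_by == grantor:
                return True
            # a Context Modifier may delegate any context-scoped role except its own
            return role != "context-modifier" and self.has_role(grantor, "context-modifier", scope)
        return False

    def grant(self, grantor, grantee, role, scope):
        """Record a grant only if the delegation rule allows it; True on success."""
        if not self.can_grant(grantor, role, scope):
            return False
        self.grants.setdefault(grantee, set()).add(Grant(role, scope))
        return True


def demo():
    """Constructed sample data, then a walk through the delegation rules."""
    p = Policy([Resource("ou:root", "ou", "sysadmin"),
                Resource("ou:dept", "ou", "alice", parent="ou:root"),
                Resource("ou:team", "ou", "alice", parent="ou:dept"),
                Resource("ctx:pub", "context", "alice"),
                Resource("alice", "user-account", "sysadmin"),
                Resource("bob", "user-account", "alice")],
               {"alice": {Grant("context-administrator"), Grant("user-administrator"),
                          Grant("ou-administrator", "ou:dept")}})
    return {  # evaluated in order, so each grant() is visible to the checks after it
        "admin_grants_modifier": p.grant("alice", "bob", "context-modifier", "ctx:pub"),
        "bob_modifies_ctx": p.can_modify("bob", "ctx:pub"),
        "modifier_regrants_modifier": p.grant("bob", "carol", "context-modifier", "ctx:pub"),
        "modifier_grants_other": p.grant("bob", "carol", "example-context-role", "ctx:pub"),
        "ou_child": p.can_modify("alice", "ou:team"),
        "ou_parent": p.can_modify("alice", "ou:root"),
        "ou_grant_parent": p.can_grant("alice", "ou-administrator", "ou:root"),
        "bob_own_account": p.can_grant("bob", "user-inspector", "bob"),
        "bob_alice_account": p.can_grant("bob", "user-inspector", "alice"),
        "admin_created_account": p.can_grant("alice", "user-inspector", "bob"),
    }
```

Running demo() shows the two constraints that matter most for least privilege in this model: an unlimited role never reaches resources its holder did not create, and a Context Modifier cannot reproduce itself on other users, so the set of users able to administer a context stays under the control of the Context Administrator who created it.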