Difference between revisions of "Talk:ESciDoc Admin Roles"
Latest revision as of 13:51, 1 July 2010
Default role in 1.2
- modified: each group member may see its groups
  - to consider with next releases if it may also see the group members
  - can certainly see the group privileges
- modified: logged-in users can see following roles:
  escidoc:role-audience
  escidoc:role-collaborator-modifier-container-add-remove-any-members
  escidoc:role-collaborator-modifier-container-add-remove-members
  escidoc:role-collaborator-modifier-container-update-any-members
  escidoc:role-collaborator-modifier-container-update-direct-members
  escidoc:role-user-account-inspector
  escidoc:role-collaborator-modifier
  escidoc:role-collaborator
  escidoc:role-content-relation-manager
  escidoc:role-content-relation-modifier
Moderator in 1.2
- removed right to retrieve roles and user-accounts
- role retrieval comes via default policy
- removed user-account retrieval, possible via other roles.
- sharing scenario is working only with the user groups
- moderator can retrieve all user groups she is member of
UserAdministrator in 1.2
info:escidoc/names:aa:1.0:action:create-user-account
info:escidoc/names:aa:1.0:action:retrieve-user-account
info:escidoc/names:aa:1.0:action:update-user-account
info:escidoc/names:aa:1.0:action:activate-user-account
info:escidoc/names:aa:1.0:action:deactivate-user-account
info:escidoc/names:aa:1.0:action:deactivate-user-account
info:escidoc/names:aa:1.0:action:revoke-grant
info:escidoc/names:aa:1.0:action:retrieve-grant
- creation allowed without limitations
- all other actions allowed if user who had created the user account is in same OU with OU of the user-account
- workaround to allow users to be created (and automatically become members in groups of sub-OUs (departments)): user-account-administrator shall be affiliated to each OU below the master OU - if needed to have such groups.
- can revoke grants if granted to UA with appropriate OU, or if the grant had been created by UA itself
Context administrator 1.2
info:escidoc/names:aa:1.0:action:create-context
info:escidoc/names:aa:1.0:action:retrieve-context
info:escidoc/names:aa:1.0:action:update-context
info:escidoc/names:aa:1.0:action:delete-context
info:escidoc/names:aa:1.0:action:close-context
info:escidoc/names:aa:1.0:action:open-context
info:escidoc/names:aa:1.0:action:retrieve-role
- additionally coming from default policy: can create/retrieve grants for context she created
- can see following roles:
  escidoc:role-audience
  escidoc:role-collaborator-modifier-container-add-remove-any-members
  escidoc:role-collaborator-modifier-container-add-remove-members
  escidoc:role-collaborator-modifier-container-update-any-members
  escidoc:role-collaborator-modifier-container-update-direct-members
  escidoc:role-collaborator-modifier
  escidoc:role-collaborator
  escidoc:role-content-relation-manager
  escidoc:role-content-relation-modifier
  escidoc:role-cone-closed-vocabulary-editor
  escidoc:role-cone-open-vocabulary-editor
  escidoc:role-moderator
  escidoc:role-privileged-viewer
  escidoc:role-depositor
UserGroupAdministrator 1.2
info:escidoc/names:aa:1.0:action:create-user-group
info:escidoc/names:aa:1.0:action:retrieve-user-group
info:escidoc/names:aa:1.0:action:update-user-group
info:escidoc/names:aa:1.0:action:delete-user-group
info:escidoc/names:aa:1.0:action:activate-user-group
info:escidoc/names:aa:1.0:action:deactivate-user-group
info:escidoc/names:aa:1.0:action:retrieve-user-group-grant
info:escidoc/names:aa:1.0:action:create-user-group-grant
info:escidoc/names:aa:1.0:action:revoke-user-group-grant
info:escidoc/names:aa:1.0:action:add-user-group-selectors
info:escidoc/names:aa:1.0:action:remove-user-group-selectors
info:escidoc/names:aa:1.0:action:retrieve-role
- can not inherit from default role, therefore explicitly create-user-group-grant.
- can retrieve only roles of escidoc:user-group-administrator and escidoc:user-group-inspector
- can grant to own user-groups (note: any role, as role-id can not be otherwise restricted - however not from eSciDoc Admin) + the object on which grant is created is the own usergroup only
(idea: to allow granting user-group-inspector role to own user group, but not to a context - which is also visible from eSciDoc Admin interface).
- However, due to missing evaluation attributes, the policy is not complete.
- status: finished for 1.2 (latest-coreservice)