Difference between revisions of "ESciDoc Admin Roles"

From MPDLMediaWiki

Revision as of 10:04, 5 January 2010

Administrative roles in eSciDoc

To allow for a clearer separation between the various administrative privileges for eSciDoc master and system resources, the originally envisioned Local Administrator role is replaced by several separate roles, one for the management of each resource in the system. A more precise definition of these roles follows.

User Administrator

internal id: tbd (proposed: escidoc:role-user-administrator)

A User Administrator is allowed to:

  • create user accounts
  • retrieve, modify, activate, deactivate user accounts (s)he created

This role is an unlimited role (it has no scope definitions).

User Inspector

internal id: tbd (proposed: escidoc:role-user-inspector)

A User Inspector is allowed to:

  • retrieve the user account (s)he has been granted the role for

This role is a limited role. It is restricted to a single user account.

Motivation: to allow for sharing and collaboration. A user may grant other users the possibility of retrieving basic details of his or her user account. A user who holds this privilege may in turn grant privileges to any user account (s)he can see, either for his or her own resources or for resources (s)he is able to grant privileges on.

Organizational Unit Administrator

internal id: escidoc:role-ou-administrator

  • create organizational units as children in the children path of the provided parent OU
  • retrieve, modify, open, close organizational units within the children path of the provided parent OU
  • grant Organizational Unit Administrator privileges for an OU with the same scope or for an OU within the children path of the provided parent OU
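The scope rule above decides what an OU Administrator may touch and how far (s)he may delegate. The following model is an added example, not eSciDoc code: it checks an operation against the children path of the OU the grant was issued for, and refuses a delegated grant whose scope would lie outside the grantor's own scope. The OU tree, user names and `Grant` structure are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

ROLE_OU_ADMIN = "escidoc:role-ou-administrator"

# Constructed sample OU tree: child id -> parent id (root has parent None).
OU_PARENT = {
    "escidoc:ou-root": None,
    "escidoc:ou-mpdl": "escidoc:ou-root",
    "escidoc:ou-mpdl-dev": "escidoc:ou-mpdl",
    "escidoc:ou-other": "escidoc:ou-root",
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    scope: Optional[str]  # None = unlimited role; otherwise the OU the grant is scoped to


def in_children_path(ou: str, parent: str) -> bool:
    """True if `ou` is `parent` itself or lies anywhere below it in the OU tree."""
    node: Optional[str] = ou
    while node is not None:
        if node == parent:
            return True
        node = OU_PARENT.get(node)  # unknown OU -> None -> loop ends
    return False


def ou_admin_scopes(user: str, grants: List[Grant]) -> List[str]:
    """All OUs the user holds an OU Administrator grant for."""
    return [g.scope for g in grants
            if g.user == user and g.role == ROLE_OU_ADMIN and g.scope]


def may_manage_ou(user: str, ou: str, grants: List[Grant]) -> bool:
    """create / retrieve / modify / open / close `ou`: allowed only inside a scope."""
    return any(in_children_path(ou, scope) for scope in ou_admin_scopes(user, grants))


def grant_ou_admin(grantor: str, grantee: str, target_ou: str,
                   grants: List[Grant]) -> Grant:
    """Delegate OU Administrator for `target_ou`. The target must be the grantor's
    own scope or lie in its children path, so delegation can never widen scope."""
    if not may_manage_ou(grantor, target_ou, grants):
        raise PermissionError(f"{grantor} may not grant OU admin for {target_ou}")
    return Grant(grantee, ROLE_OU_ADMIN, target_ou)
```

The same subtree check applies when the grantor is an unlimited role such as a system administrator, except that an unlimited grant (scope `None`) is handled outside this scoped check.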

Context Administrator

  • create 2 new roles ContextOwner (?), ContextAdmin (?)

UserGroup Administrator

internal id: escidoc:role-user-group-administrator

A User-Group-Administrator is allowed to:

  • create user groups
  • retrieve, update, delete, activate, deactivate user groups (s)he created
  • add and remove user-group selectors to and from user groups (s)he created
  • create, retrieve and revoke user-group grants for user groups (s)he created
  • grant the UserGroup Inspector role to other users for the user groups (s)he created

This role is an unlimited role (it has no scope definitions).

UserGroup Inspector

internal id: escidoc:role-user-group-inspector

A User-Group-Inspector is allowed to:

  • retrieve the user groups (s)he has been granted the role for

UserGroup Inspector is a role that should be granted to users who are not members of a user group but need the right to retrieve a particular user group, for example in order to grant privileges on their own objects to that group.

This role is a limited role. It is restricted to a single user group.