Difference between revisions of "ESciDoc Admin Roles"

Administrative roles in eSciDoc[edit]

To allow for more clear separation between various administrative privileges for some eSciDoc master and system resources, instead of originally envisioned Local administrator role, there will be several separate roles for management of each resource in the system. Below more precise definition of these roles.

Schedule for new/modification of roles: core-service 1.3

UserAdministrator[edit]

• internal id: tbd (proposed: escidoc:role-user-administrator)
• granted-by: System administrator

A User Administrator is allowed to:

• create user account
• retrieve, modify, activate, deactivate user accounts (s)he created
• create, retrieve and revoke user-account-grants for user accounts (s)he created
• grant user-inspector role to other users for the user accounts (s)he created

This role is unlimited role (has no scope definitions).

UserAdministrator in 1.2[edit]

info:escidoc/names:aa:1.0:action:create-user-account info:escidoc/names:aa:1.0:action:retrieve-user-account info:escidoc/names:aa:1.0:action:update-user-account info:escidoc/names:aa:1.0:action:activate-user-account info:escidoc/names:aa:1.0:action:deactivate-user-account info:escidoc/names:aa:1.0:action:deactivate-user-account info:escidoc/names:aa:1.0:action:revoke-grant info:escidoc/names:aa:1.0:action:retrieve-grant

• creation allowed without limitations
• all other actions allowed if user who had created the user account is in same OU with OU of the user-account
• workaround to allow users to be created (and automatically become members in groups of sub-ous (departments): user-account-administrator shall be affiliated to each OU below the master OU - if needed to have such groups.
• can revoke grants if granted to UA with appropriate OU, or if the grant had been created by UA itself

User Inspector[edit]

• internal id: tbd (proposed: escidoc:role-user-inspector)
• granted-by: any user for his own user-account

A User Inspector is allowed to:

• retrieve user account he has been granted for

This role is limited role. It is restricted to a user-account. Motivation: to allow for sharing and collaboration. A user may grant the possibility to other users for retrieving basic details on user account. User who is granted with this privilege may further grant privileges to any user account he can see for own resources or for resources he is able to grant privileges on.

clarify last sentence--Natasa 13:41, 12 January 2010 (UTC)

Info: can be defined without additional attribute resolver

user inspector in coreservice 1.2[edit]

• implemented
• only users who have this role for another user can retrieve information on the other user

Organizational Unit Administrator[edit]

• internal id: escidoc:role-ou-administrator
• granted-by: System administrator, organizational unit administrator (for defined OU scope)

• create organizational units as children in of provided parent Organizational Unit (defined OU scope)
• retrieve, modify, open, close organizational unit within the children path of the defined OU scope
• grant Organizational Unit Administrator privileges for same OU scope and any organizational unit in its children path

This role is a limited role. It is scoped to an organizational unit.

Note: any creation or modification of an organizational unit structure has additional constraints in the logic.

See General rules for organizational unit management for more details.

Context Administrator[edit]

• internal id: escidoc:role-context-administrator
• granted-by: System administrator

Context Administrator (unlimited) role is allowed to:

• create contexts
• modify, delete, open, close contexts (s)he created
• grant Context Modifier role for contexts (s)he created
• grant other context-scoped roles to the context (s)he created

This role is unlimited role (has no scope definitions).

Note: Context operations have additionally some more logical restrictions. For more details see Rules on context administration.

Context administrator 1.2[edit]

info:escidoc/names:aa:1.0:action:create-context info:escidoc/names:aa:1.0:action:retrieve-context info:escidoc/names:aa:1.0:action:update-context info:escidoc/names:aa:1.0:action:delete-context info:escidoc/names:aa:1.0:action:close-context info:escidoc/names:aa:1.0:action:open-context info:escidoc/names:aa:1.0:action:retrieve-role

• additionally coming from default policy: can create/retrieve grants for context she created

• can see following roles:

escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier escidoc:role-cone-closed-vocabulary-editor escidoc:role-cone-open-vocabulary-editor escidoc:role-moderator escidoc:role-privileged-viewer escidoc:role-depositor

Context Modifier[edit]

• internal id: escidoc:role-context-modifier
• granted-by: System administrator, Context administrator (for own contexts)

Context Modifier role is allowed to:

• modify, delete, open, close context granted for
• grant other context-scoped roles to the context (s)he has privileges for (except Context Modifier role)

This role is limited role. It is scoped on a context.

Note: Context operations have additionally some more logical restrictions. For more details see Rules on context administration.

can be created as policy - no attribute resolver is needed --Natasa 13:44, 12 January 2010 (UTC)

UserGroup Administrator[edit]

• internal id: escidoc:role-user-group-administrator
• granted-by: System administrator

A User-Group-Administrator is allowed to:

• create user-groups
• retrieve, update, delete, activate, deactivate user-groups (s)he created
• add and remove user-group-selectors to user-groups (s)he created.
• create, retrieve and revoke user-group-grants for user groups (s)he created
• grant user-group-inspector role to other users for the user groups (s)he created

This role is a unlimited role. (Has no scope-definitions).

needs change

UserGroupAdministrator 1.2 coreservice[edit]

info:escidoc/names:aa:1.0:action:create-user-group info:escidoc/names:aa:1.0:action:retrieve-user-group info:escidoc/names:aa:1.0:action:update-user-group info:escidoc/names:aa:1.0:action:delete-user-group info:escidoc/names:aa:1.0:action:activate-user-group info:escidoc/names:aa:1.0:action:deactivate-user-group info:escidoc/names:aa:1.0:action:retrieve-user-group-grant info:escidoc/names:aa:1.0:action:create-user-group-grant info:escidoc/names:aa:1.0:action:revoke-user-group-grant info:escidoc/names:aa:1.0:action:add-user-group-selectors info:escidoc/names:aa:1.0:action:remove-user-group-selectors info:escidoc/names:aa:1.0:action:retrieve-role

• can not inherit from default role, therefore explicitly create-user-group-grant.
• can retrieve only roles of escidoc:user-group-administrator and escidoc:user-group-inspector
• can grant to own user-groups (note: any role, as role-id can not be otherwise restricted - however not from eSciDoc Admin) + the object on which grant is created is the own usergroup only

(idea: to allow granting user-group-inspector role to own user group, but not to a context - which is also visible from eSciDoc Admin interface).

• However, due to missing evaluation attributes poilcy not complete.
• status: finished for 1.2 (latest-coreservice)

UserGroup Inspector[edit]

• internal id: escidoc:role-user-group-inspector
• granted-by: System administrator, User group administrator (for own user groups)

A User-Group-Inspector is allowed to:

• retrieve user-groups he has respective grants for

User group inspector is a role that should be granted to users who are not members of a user-group, but would have the right to retrieve a particular user-group in order to e.g. grant some privileges for their objects.

This role is a limited role. It is restricted to a user-group.

User group inspector in 1.2[edit]

• tested and implemented (latest-coreservice)