Difference between revisions of "Talk:ESciDoc Admin Roles"

From MPDLMediaWiki
Line 1: Line 1:
*defaultrole
===Default role in 1.2===
**modified: each group member may see its groups
**modified: each group member may see its groups
***to consider with next releases if it may also see the group members
***to consider with next releases if it may also see the group members
Line 6: Line 6:
escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-user-account-inspector escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier
escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-user-account-inspector escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier


*moderator
===Moderator in 1.2===
**removed right to retrieve roles and user-accounts
**removed right to retrieve roles and user-accounts
**role retrieval comes via default policy
**role retrieval comes via default policy
Line 12: Line 12:
**sharing scenario is working only with the user groups
**sharing scenario is working only with the user groups
**moderator can retrieve all user groups she is member of
**moderator can retrieve all user groups she is member of
===UserAdministrator in 1.2===
info:escidoc/names:aa:1.0:action:create-user-account            info:escidoc/names:aa:1.0:action:retrieve-user-account            info:escidoc/names:aa:1.0:action:update-user-account            info:escidoc/names:aa:1.0:action:activate-user-account            info:escidoc/names:aa:1.0:action:deactivate-user-account            info:escidoc/names:aa:1.0:action:deactivate-user-account            info:escidoc/names:aa:1.0:action:revoke-grant info:escidoc/names:aa:1.0:action:retrieve-grant
* creation allowed without limitations
* all other actions allowed if user who had created the user account is in same OU with OU of the user-account
* workaround to allow users to be created (and automatically become members in groups of sub-ous (departments): user-account-administrator shall be affiliated to each OU below the master OU - if needed to have such groups.
*can revoke grants if granted to UA with appropriate OU, or if the grant had been created by UA itself
===Context administrator 1.2===
info:escidoc/names:aa:1.0:action:create-context            info:escidoc/names:aa:1.0:action:retrieve-context            info:escidoc/names:aa:1.0:action:update-context            info:escidoc/names:aa:1.0:action:delete-context            info:escidoc/names:aa:1.0:action:close-context            info:escidoc/names:aa:1.0:action:open-context  info:escidoc/names:aa:1.0:action:retrieve-role
*additionally coming from default policy: can create/retrieve grants for context she created
*can see following roles:
escidoc:role-audience escidoc:role-collaborator-modifier-container-add-remove-any-members escidoc:role-collaborator-modifier-container-add-remove-members escidoc:role-collaborator-modifier-container-update-any-members escidoc:role-collaborator-modifier-container-update-direct-members escidoc:role-collaborator-modifier escidoc:role-collaborator escidoc:role-content-relation-manager escidoc:role-content-relation-modifier escidoc:role-cone-closed-vocabulary-editor escidoc:role-cone-open-vocabulary-editor escidoc:role-moderator escidoc:role-privileged-viewer escidoc:role-depositor
===UserGroupAdministrator 1.2 coreservice===
info:escidoc/names:aa:1.0:action:create-user-group info:escidoc/names:aa:1.0:action:retrieve-user-group         
info:escidoc/names:aa:1.0:action:update-user-group            info:escidoc/names:aa:1.0:action:delete-user-group           
info:escidoc/names:aa:1.0:action:activate-user-group            info:escidoc/names:aa:1.0:action:deactivate-user-group           
info:escidoc/names:aa:1.0:action:retrieve-user-group-grant info:escidoc/names:aa:1.0:action:create-user-group-grant           
info:escidoc/names:aa:1.0:action:revoke-user-group-grant
info:escidoc/names:aa:1.0:action:add-user-group-selectors       
info:escidoc/names:aa:1.0:action:remove-user-group-selectors 
info:escidoc/names:aa:1.0:action:retrieve-role
*can not inherit from default role, therefore explicitly create-user-group-grant.
*can retrieve only roles of escidoc:user-group-administrator and escidoc:user-group-inspector
*can grant to own user-groups (note: any role, as role-id can not be otherwise restricted - however not from eSciDoc Admin) + the object on which grant is created is the own usergroup only
(idea: to allow granting user-group-inspector role to own user group, but not to a context - which is also visible from eSciDoc Admin interface).
*However, due to missing evaluation attributes poilcy not complete.
*status: finished for 1.2 (latest-coreservice)
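Review bot: the UserAdministrator action list added in this hunk names info:escidoc/names:aa:1.0:action:deactivate-user-account twice; drop the repeat or replace it with the action that was meant. In the UserGroupAdministrator bullets, "poilcy" should read "policy". The note that any role can be granted because role-id cannot be restricted sits next to "status: finished for 1.2", so it would help to mark it explicitly as an open issue for a later release.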

Revision as of 09:45, 29 June 2010

Default role in 1.2

    • modified: each group member may see its groups
      • to consider with next releases if it may also see the group members
      • can certainly see the group privileges
    • modified: logged-in users can see following roles:

escidoc:role-audience
escidoc:role-collaborator-modifier-container-add-remove-any-members
escidoc:role-collaborator-modifier-container-add-remove-members
escidoc:role-collaborator-modifier-container-update-any-members
escidoc:role-collaborator-modifier-container-update-direct-members
escidoc:role-user-account-inspector
escidoc:role-collaborator-modifier
escidoc:role-collaborator
escidoc:role-content-relation-manager
escidoc:role-content-relation-modifier

Moderator in 1.2

    • removed right to retrieve roles and user-accounts
    • role retrieval comes via default policy
    • user-account retrieval is allowed if the same user created this user account or has an inspector policy for the user-account
    • sharing scenario is working only with the user groups
    • moderator can retrieve all user groups she is member of

UserAdministrator in 1.2

info:escidoc/names:aa:1.0:action:create-user-account
info:escidoc/names:aa:1.0:action:retrieve-user-account
info:escidoc/names:aa:1.0:action:update-user-account
info:escidoc/names:aa:1.0:action:activate-user-account
info:escidoc/names:aa:1.0:action:deactivate-user-account
info:escidoc/names:aa:1.0:action:deactivate-user-account
info:escidoc/names:aa:1.0:action:revoke-grant
info:escidoc/names:aa:1.0:action:retrieve-grant

  • creation allowed without limitations
  • all other actions are allowed if the user who created the user account is in the same OU as the user-account
  • workaround to allow users to be created (and automatically become members in groups of sub-OUs (departments)): the user-account-administrator shall be affiliated to each OU below the master OU, if such groups are needed.
  • can revoke grants if granted to UA with appropriate OU, or if the grant had been created by UA itself

Context administrator 1.2

info:escidoc/names:aa:1.0:action:create-context
info:escidoc/names:aa:1.0:action:retrieve-context
info:escidoc/names:aa:1.0:action:update-context
info:escidoc/names:aa:1.0:action:delete-context
info:escidoc/names:aa:1.0:action:close-context
info:escidoc/names:aa:1.0:action:open-context
info:escidoc/names:aa:1.0:action:retrieve-role

  • additionally coming from default policy: can create/retrieve grants for context she created
  • can see following roles:

escidoc:role-audience
escidoc:role-collaborator-modifier-container-add-remove-any-members
escidoc:role-collaborator-modifier-container-add-remove-members
escidoc:role-collaborator-modifier-container-update-any-members
escidoc:role-collaborator-modifier-container-update-direct-members
escidoc:role-collaborator-modifier
escidoc:role-collaborator
escidoc:role-content-relation-manager
escidoc:role-content-relation-modifier
escidoc:role-cone-closed-vocabulary-editor
escidoc:role-cone-open-vocabulary-editor
escidoc:role-moderator
escidoc:role-privileged-viewer
escidoc:role-depositor

UserGroupAdministrator 1.2 coreservice

info:escidoc/names:aa:1.0:action:create-user-group
info:escidoc/names:aa:1.0:action:retrieve-user-group
info:escidoc/names:aa:1.0:action:update-user-group
info:escidoc/names:aa:1.0:action:delete-user-group
info:escidoc/names:aa:1.0:action:activate-user-group
info:escidoc/names:aa:1.0:action:deactivate-user-group
info:escidoc/names:aa:1.0:action:retrieve-user-group-grant
info:escidoc/names:aa:1.0:action:create-user-group-grant
info:escidoc/names:aa:1.0:action:revoke-user-group-grant
info:escidoc/names:aa:1.0:action:add-user-group-selectors
info:escidoc/names:aa:1.0:action:remove-user-group-selectors
info:escidoc/names:aa:1.0:action:retrieve-role

  • cannot inherit from the default role, therefore create-user-group-grant is listed explicitly.
  • can retrieve only roles of escidoc:user-group-administrator and escidoc:user-group-inspector
  • can grant to own user groups (note: any role, as the role-id cannot otherwise be restricted; however, not from eSciDoc Admin); the object on which the grant is created is the own user group only

(idea: to allow granting user-group-inspector role to own user group, but not to a context - which is also visible from eSciDoc Admin interface).

  • However, due to missing evaluation attributes the policy is not complete.
  • status: finished for 1.2 (latest-coreservice)
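
The UserGroupAdministrator grant rule above, modelled next to the restricted variant the "idea" note proposes, so that grants accepted only because the role-id is unchecked can be listed during an access review. This is an added example, not eSciDoc code or its policy format: the `GrantRequest` fields, the `object_type` labels and all sample ids are assumptions; only the role ids come from the page.

```python
from dataclasses import dataclass

# Role ids as written on the page; everything else is a constructed model.
INSPECTOR = "escidoc:user-group-inspector"
MODERATOR = "escidoc:role-moderator"


@dataclass(frozen=True)
class GrantRequest:
    requester: str      # user-group-administrator issuing the grant
    grantee_group: str  # user group that receives the grant
    role_id: str        # role being granted
    object_type: str    # "user-group" or "context" (hypothetical labels)
    object_id: str      # object the grant is scoped to


def allowed_1_2(req, owned_groups):
    """Rule as described for 1.2: the grantee is an own user group and the
    grant object is an own user group; the role id is not evaluated."""
    own = owned_groups.get(req.requester, set())
    return (req.grantee_group in own
            and req.object_type == "user-group"
            and req.object_id in own)


def allowed_with_idea(req, owned_groups):
    """The page's idea: same scope, but only user-group-inspector."""
    return allowed_1_2(req, owned_groups) and req.role_id == INSPECTOR


def audit(requests, owned_groups):
    """Requests the 1.2 rule accepts but the restricted rule would reject."""
    return [r for r in requests
            if allowed_1_2(r, owned_groups)
            and not allowed_with_idea(r, owned_groups)]


# Constructed sample data: one administrator owning one group.
OWNED = {"uga-1": {"group-a"}}
SAMPLE = [
    GrantRequest("uga-1", "group-a", INSPECTOR, "user-group", "group-a"),
    GrantRequest("uga-1", "group-a", MODERATOR, "user-group", "group-a"),
    GrantRequest("uga-1", "group-a", INSPECTOR, "context", "ctx-1"),
    GrantRequest("uga-1", "group-b", INSPECTOR, "user-group", "group-b"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE, OWNED):
        print("role id not restricted:", r.role_id, "on", r.object_id)
```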