ESciDoc Admin Roles

Administrative roles in eSciDoc[edit]

To allow for more clear separation between various administrative privileges for some eSciDoc master and system resources, instead of originally envisioned Local administrator role, there will be several separate roles for management of each resource in the system. Below more precise definition of these roles.

UserAdministrator[edit]

A User Administrator is allowed to:

• create user account
• retrieve, modify, activate, deactivate user accounts (s)he created
• grant user administrator role to the users (s)he created
• grant user group administrator role to the users (s)he created

This role is unlimited role (has no scope definitions).

OUAdministrator[edit]

   *
         o create/modify/... org units within a parent OU (given as a scope)
         o grant / revoke OUAdmin privs for OU with same scope 

Context Administrator[edit]

• create 2 new roles ContextOwner (?), ContextAdmin (?)

UserGroup Administrator[edit]

internal id: escidoc:role-user-group-administrator

A User-Group-Administrator is allowed to:

• create user-groups
• retrieve, update, delete, activate, deactivate user-groups (s)he created
• add and remove user-group-selectors to user-groups (s)he created.
• create, retrieve and revoke user-group-grants for user groups (s)he created
• grant user-group-inspector role to other users for the user groups (s)he created

This role is a unlimited role. (Has no scope-definitions).

UserGroup Inspector[edit]

internal id: escidoc:role-user-group-inspector

A User-Group-Inspector is allowed to:

• retrieve user-groups he has respective grants for

User group inspector is a role that should be granted to users who are not members of a user-group, but would have the right to retrieve a particular user-group in order to e.g. grant some privileges for their objects.

This role is a limited role. It is restricted to a user-group.