eSciDoc User Roles
eSciDoc user roles can be granted to eSciDoc users either unlimited or limited to a particular resource (a context, item, container, etc.).
Roles, Scopes and Actions
The eSciDoc authorization component allows for a fine-grained definition of what users may do in the system.
Roles can be unlimited (simply granted to the user for no particular object, such as the Default role). Roles can also be restricted to a particular scope, which means that when such a role is granted to a user or a user group, the grant must be restricted to a resource for which the role is valid. Depending on the type of resource to which privileges may be restricted, the following scopes are used:
Context
When a role is defined on the scope of a context, its actions can be performed on all resources of the type defined by the action in that context. For example, when a Collaborator role is granted to a user for a context, this user may retrieve all items and containers, and the components of the items, in that context.
Sometimes the role itself adds a further restriction, independently of the scope on which it has been defined. For example, when a Depositor role is granted to a user for a context, this user may create items and containers in this context. However, a user with this role may not retrieve all items and containers in the context: he may retrieve all released items and containers (default privilege) and the items and containers he created (Depositor-only privilege).
- Item
- Component
- Container
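As an added illustration (not eSciDoc's own authorization code), the following Python models the two rules described above: a grant applies only within its scope (here a context), and the role itself may narrow what that scope allows, so a Collaborator on a context retrieves every item in it while a Depositor on the same context retrieves only released items and the items he created. The Item and Grant classes and the sample user and context ids are constructed for this example.

```python
from dataclasses import dataclass

# Constructed model of the scope rules above (not eSciDoc's own code):
# a grant ties a role to one context, and the role itself may narrow
# what the context scope allows.

@dataclass(frozen=True)
class Item:
    id: str
    context: str       # context the item belongs to
    status: str        # pending | submitted | released | withdrawn
    created_by: str    # user-id of the depositor who created it

@dataclass(frozen=True)
class Grant:
    role: str          # role-id, e.g. "escidoc:role-collaborator"
    context: str       # scope: the context this grant is limited to

def may_retrieve_item(user: str, grants: list, item: Item) -> bool:
    """Retrieve decision for one item.

    Default privilege (implicit for every user): released items.
    Collaborator scoped to the item's context: items in any status.
    Depositor scoped to the item's context: only items this user created.
    """
    if item.status == "released":
        return True
    for g in grants:
        if g.context != item.context:
            continue  # grant is scoped to another context; ignore it
        if g.role == "escidoc:role-collaborator":
            return True
        if g.role == "escidoc:role-depositor" and item.created_by == user:
            return True
    return False

def may_create_item(grants: list, context: str) -> bool:
    """Creating items needs a Depositor grant scoped to that context."""
    return any(g.role == "escidoc:role-depositor" and g.context == context
               for g in grants)

# Constructed sample: alice is Depositor on ctx-A, carol Collaborator on ctx-A.
ALICE = [Grant("escidoc:role-depositor", "ctx-A")]
CAROL = [Grant("escidoc:role-collaborator", "ctx-A")]
PENDING_BY_BOB = Item("item-2", "ctx-A", "pending", "bob")

if __name__ == "__main__":
    print(may_retrieve_item("alice", ALICE, PENDING_BY_BOB))  # False: not her item
    print(may_retrieve_item("carol", CAROL, PENDING_BY_BOB))  # True: collaborator
```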
Default role (default privileges)
Each eSciDoc user is granted the default role whenever using any eSciDoc service, whether authenticated with a known account or simply as an anonymous user. This role should not be explicitly granted to any user; it is granted automatically to every user of the eSciDoc infrastructure. Each user of the eSciDoc infrastructure is allowed to:
- retrieve released items and containers
- retrieve all released versions of items and containers
- retrieve contexts in the public-status open and closed
- retrieve content models
- retrieve components with public visibility of released items (or any released version of the item)
- retrieve organizational-units in status open and closed
- retrieve own user-account (if the user has been authenticated) and own grants
- log-in and logout with valid username and password
- unlock items that she/he has locked.
- unlock containers that she/he has locked.
- retrieve OAI-PMH set definitions
- retrieve repository information
- retrieve statistic-reports if she/he is in the role permitted by the record-definition
- create grants on own contexts, items (and components) or containers
- revoke grants she/he created
- retrieve grants she/he created
- retrieve grants of groups she/he is a member of
- search items, containers and organizational units
Audience
- Role-ID: escidoc:role-audience
- Action/Condition:
- retrieve content of components (files) with visibility "restricted" if the enclosing item is released
- Scope of assignment: can be assigned to a user or a user group for the following resources:
- Component of a released item
Examples of application
- A publication has an attached fulltext with visibility set to "Restricted". In the PubMan "Sharing" tab, the depositor or the moderator of the item may define which user groups this fulltext is accessible to after the item is released. A different level of restriction may be defined for each file associated with the publication item.
Used by
- PubMan
Collaborator roles
There are several types of collaborator roles, depending on the level of privilege a user wants to grant on a certain set of items or containers.
Collaborator
- Role-ID: escidoc:role-collaborator
- Action/Condition:
- retrieve items and containers in any status (pending, submitted, released, withdrawn)
- retrieve item components (i.e. files) in any visibility when item is not withdrawn
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Component
- Item
- Container
- Context
Examples of application
An example use case may be a working group that shares all of its resources for internal use before they are released.
Used by
- not yet used by any solution. Planned usage: PubMan, FACES
Collaborator modifier
- Role-ID: escidoc:role-collaborator-modifier
- Includes rights from: escidoc:role-collaborator
- Action/Condition:
- retrieve items and containers in any status (pending, submitted, released, withdrawn)
- retrieve item components (i.e. files) in any visibility when item is not withdrawn
- update items (and their components) and containers
- lock/unlock items and containers
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Item - user or a member of a user group may retrieve and modify specified item and any associated component (inclusive internally managed content) of this item
- Container - user or a member of a user group may retrieve and modify specified container, but not necessarily all direct members of the container (as for some container members additional privileges may be needed)
- Context - user or a member of a user group may retrieve and modify all items, components (inclusive internally managed content) and containers in the context.
Examples of application
An example use case may be a working group that shares and collaboratively modifies its resources.
Used by
- not yet used by any solution. Planned usage: PubMan, FACES
Collaborator modifier container-add-remove-members
- Role-ID: escidoc:role-collaborator-modifier-container-add-remove-members
- Action/Condition:
- retrieve container in any status (pending, submitted, released, withdrawn)
- update container
- add/remove members to/from the container
- lock/unlock container
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Container - user or a member of a user group may retrieve and modify specified container, but not necessarily all direct members of the container (as for some container members additional privileges may be needed). May also add/remove members to/from this container.
Examples of application
An example use case may be a working group that shares and collaboratively modifies an album of images or a collection of various resources. The working group does not have the right to modify the images in the collection. Some members of the working group may not see images that other members added (if no sufficient privileges are granted through other roles); in that case they see only the references to these images.
If the container has a sub-container as a member, this role does not allow adding members to the sub-container.
Used by
- not yet used by any solution. Planned usage: FACES, VIRR
Collaborator modifier container-add-remove-any-members
- Role-ID: escidoc:role-collaborator-modifier-container-add-remove-any-members
- Action/Condition:
- retrieve container in any status (pending, submitted, released, withdrawn)
- retrieve any items which are members of the container (and sub-containers)
- retrieve any components of the items which are members of the container (and sub-containers)
- retrieve any containers which are members of the container (and sub-containers)
- update container
- add/remove members to/from the container (and any sub-containers)
- lock/unlock container
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Container - user or a member of a user group may retrieve and modify specified container, may retrieve all members of the container and sub-containers, may add/remove members to/from the specified container and all sub-containers.
Examples of application
An example use case may be a working group that shares and collaboratively modifies an album of images or a collection of various resources, some of which can be collections themselves. The working group does not have the right to modify the images in the collection or in the sub-collections.
Used by
- not yet used by any solution. Planned usage: FACES, VIRR
Collaborator modifier container-update-direct-members
- Role-ID: escidoc:role-collaborator-modifier-container-add-remove-members
- Includes rights from: escidoc:role-collaborator-modifier-container-add-remove-members
- Action/Condition:
- retrieve container in any status (pending, submitted, released, withdrawn)
- update container
- add/remove members to/from the specified container
- update any items or containers that are direct members of the specified container
- lock/unlock container
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Container - user or a member of a user group may retrieve and modify the specified container and all direct members of the container. May also add/remove members to/from this container.
Examples of application
An example use case may be a working group that shares and collaboratively modifies an album of images. The working group may additionally modify the images in the collection.
If the collection has sub-collections as members, this role does not allow adding or modifying the members of the sub-collections.
Used by
- not yet used by any solution. Planned usage: FACES, VIRR
Collaborator modifier container-update-any-members
- Role-ID: escidoc:role-collaborator-modifier-container-update-any-members
- Includes rights from: escidoc:role-collaborator-modifier-container-add-remove-any-members
- Action/Condition:
- retrieve container in any status (pending, submitted, released, withdrawn)
- retrieve any items which are members of the container (and sub-containers)
- retrieve any components of the items which are members of the container (and sub-containers)
- retrieve any containers which are members of the container (and sub-containers)
- update container
- add/remove members to/from the container (and any sub-containers)
- lock/unlock container
- update any members of the container (and any sub-containers)
- lock/unlock any members of the container (and any sub-containers)
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Container - user or a member of a user group may retrieve and modify specified container, may retrieve and modify all members of the container and sub-containers, may add/remove members to/from the specified container and all sub-containers.
Examples of application
An example use case may be a working group that shares and collaboratively modifies a multivolume collection of volumes and books. The working group can modify all resources at any level, i.e. the multivolume, all volumes and all books.
Used by
- not yet used by any solution. Planned usage: FACES, VIRR
Depositor
- Role-ID: escidoc:role-depositor
- Action/Condition:
- create items and components (files, locators)
- create containers
- retrieve items he created (own items) in any status (pending, submitted, in-revision, released, withdrawn), including the components of these items
- retrieve containers he created (own containers) in any status
- update own items if these are not in status "withdrawn"
- update own containers if these are not in status "withdrawn"
- add/remove members to own containers if these are not in status "withdrawn"
- delete own items and containers if their status is "pending" or "in-revision" (and if there are no previous versions with status "released")
- submit, release and withdraw own items and containers
- lock own items and containers
- unlock own items and containers (if the lock owner as well)
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Context - user or a member of a user group may perform the operations stated above in the context for which the role is granted.
Examples of application
A researcher may deposit publications in several contexts, for example a context of MPI publications and a context of non-MPI publications. He may always see his publications (and, according to the workflow, modify, submit or release them) from the PubMan MyItems workspace.
Used by
- PubMan, FACES, VIRR
Moderator
- Role-ID: escidoc:role-moderator (of a context)
- Action/Condition:
- retrieve items with status (submitted, released, in-revision, withdrawn), including the components of these items
- retrieve containers he moderates with status (submitted, released, in-revision, withdrawn)
- update items in status "submitted", "released"
- update containers if these are not in status "withdrawn"
- add/remove members to containers in status "submitted", "released"
- submit items and containers he modified
- release items and containers
- revise items and containers (if submitted)
- withdraw items and containers (if released)
- Scope of assignment: can be assigned to a user or a user group on the following levels:
- Context - user or a member of a user group may perform the operations stated above in the context for which the role is granted.
Examples of application
A librarian is moderator of a context. As such, she may modify and accept the publications created by depositors. As moderator of the context, she may also send a publication back for rework. Moderated items are available via e.g. the PubMan QA workspace.
Used by
- PubMan, FACES, VIRR
Privileged viewer
- Role-ID: escidoc:role-privileged-viewer
- Action/Condition:
- retrieve content of components (files) with any visibility (for items he may retrieve in accordance with other privileges)
- Scope of assignment: can be assigned to a user or a user group for the following resources:
- Context - user or a member of a user group may retrieve the content of the internally stored file for all items in the specified context, if he has a right to view the items.
Examples of application
- A publication has an attached fulltext with visibility set to "Restricted" or "Private". A user who has been granted the "Privileged viewer" role may see all files (public, restricted or private) of all items he may access.
Used by
- PubMan, FACES