Commit 0f5a27e9 by Tom Laudeman

Align prose in DBUser and User management

parent f0386ed2
...@@ -52,8 +52,6 @@ TBD set of basic privileges including: search history, certain researcher report ...@@ -52,8 +52,6 @@ TBD set of basic privileges including: search history, certain researcher report
to use SNAC. Members of the public are mostly identical to Researchers. The primary feature gained by having to use SNAC. Members of the public are mostly identical to Researchers. The primary feature gained by having
an account is a persistent dashboard. an account is a persistent dashboard.
(sync this prose with "user management.md")
| Role | Role Description | | Role | Role Description |
|------------------------------+------------------------------------------------------------------------| |------------------------------+------------------------------------------------------------------------|
...@@ -75,33 +73,34 @@ an account is a persistent dashboard. ...@@ -75,33 +73,34 @@ an account is a persistent dashboard.
| Web administrator | (duplicate? historical?) May perform admin tasks via the web interface | | Web administrator | (duplicate? historical?) May perform admin tasks via the web interface |
| Database administrator | Create and maintain the SQL database | | Database administrator | Create and maintain the SQL database |
| Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. | | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Institutional reporter | May run own institutional reports | | Institutional reporter | May run own-institutional reports |
| Super reporter | May run any report | | Super reporter | May run any report |
| User type | Role(s) | User Description |
|----------------------------+--------------------------------------------------+--------------------------------------------------------------| | User type | Role(s) | User Description |
| Sysadmin | System administrator | Maintain server, backups, etc. | |----------------------------+--------------------------------------------------+-------------------------------------------------------------|
| Database Administrator | DBA | Schema maintenance, data dumps, etc. | | Sysadmin | System administrator | Maintain server, backups, etc. |
| Software engineer | Developer + DBA | Coding, testing, QA, release management, data loading, etc. | | Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Manager | Enroll + Role assign + Inst. Reporter | SNAC accounts: create, manage, assign roles, run reports | | Software engineer | Developer + DBA | Coding, testing, QA, release management, data loading, etc. |
| Peer vetting | Enroll | Approve moderators, reviewers, content experts | | Manager | Enroll + Role assign + Inst. Reporter | SNAC accounts: create, manage, assign roles, run reports |
| Moderator | Editor-publish | Approve maintenance changes, posting those changes | | Peer vetting | Enroll | Approve moderators, reviewers, content experts |
| Reviewer/editor | Contributor + Editor-publish | Maintainer privileges, interacts with moderators | | Moderator | Editor-publish | Approve maintenance changes, posting those changes |
| Content expert | Contributor | Domain expert, may have zero institutional roles | | Reviewer/editor | Contributor + Editor-publish | Maintainer privileges, interacts with moderators |
| Documentary editor | Contributor | (Any distinguishing roles?) | | Content expert | Contributor | Domain expert, may have zero institutional roles |
| Maintenance | Contributor, constellation | May be older terminology for "contributor" | | Documentary editor | Contributor | (Any distinguishing roles?) |
| Researcher | Researcher | Use the discovery interface and history dashboard | | Maintenance | Contributor, constellation | May be older terminology for "contributor" |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. | | Researcher | Researcher | Use the discovery interface and history dashboard |
| Name authority manager | Name authority | (superceded by Editor-NACO?) | | Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Institutional admins | Institutional reporter | May run institutional reports | | Name authority manager | Name authority | (superceded by Editor-NACO?) |
| Public | Public | No SNAC account, single session dashboard | | Institutional admins | Institutional reporter | May run own-institutional reports |
| Contributor | Create/edit + Ontology propose | Creates/edit constellations, propose ontology headings | | Public | Public | No SNAC account, single session dashboard |
| Author | Create/edit+Publish+Propose Del/Emb+Propose NACO | A contributor, with additional privileges | | Contributor | Create/edit + Ontology propose | Creates/edit constellations, propose ontology headings |
| Editor | Create/edit+Publish+Delete/embargo+NACO | Review constellations, approve and publish | | Author | Create/edit + Publish + Propose Del/Emb+Propose NACO | A contributor, with additional privileges |
| Author-NACO | Create provisional NACO | Creates NACO entries, sends to editor for submission | | Editor | Create/edit + Publish + Delete/embargo + NACO | Review constellations, approve and publish |
| Administrator | Author + editor + enroll + assign | Everything, only own institution | | Author-NACO | Create provisional NACO | Creates NACO entries, sends to editor for submission |
| Administrator-super | Administrator + any institution | Admin plus assign roles for any user of any institution | | Administrator | Author + editor + enroll + assign | Everything, only own institution |
| Administrator-super | Administrator + any institution | Admin plus assign roles for any user of any institution |
### What data has to be stored for the user ### What data has to be stored for the user
......
# User Management # User Management
Authentication is validating user logins to the system. Authorization is the related aspect of controlling ### Introduction
which parts of the system users may access (or even which parts they may know exist).
We can use OpenID for authentication, but we will need a user profile for SNAC roles and authorization. There Authentication is: "validating user logins to the system." Authorization is: "privileges
are examples of PHP code to implement OpenID at stackexchange: allowing user access to system features."
http://stackoverflow.com/questions/4459509/how-to-use-open-id-as-login-system We are using OpenID for authentication, but we need a user profile for SNAC roles and authorization.
OpenID seems to constantly be changing, and sites using change frequently. Google has (apparently) deprecated OpenID seems to constantly be changing, and sites using it change frequently. Google has (apparently)
OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still works with deprecated OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still
OpenID. Stackexchange supports several authentication schemes. If they can do it, so can we. Or we can support works with OpenID. Stackexchange supports several authentication schemes. If they can do it, so can we. Or we
one scheme for starters and add others as necessary. The SE code is not open source, so we can't see how much can support one scheme for starters and add others as necessary. The SE code is not open source, so we can't
work it was to support the various OpenID partners. see how much work it was to support the various OpenID partners.
### Authorization
Authorization involves controlling what users can do once they are in the system. That function is sort of Authorization involves controlling what users can do once they are in the system. That function is sort of
more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific requirements, more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific requirements,
...@@ -26,12 +27,16 @@ authorization system is involved in every transaction with the server to the ext ...@@ -26,12 +27,16 @@ authorization system is involved in every transaction with the server to the ext
server is checked for authorization before being passed to the code doing the real work. (Every request is server is checked for authorization before being passed to the code doing the real work. (Every request is
also checked for authentication as well, naturally.) also checked for authentication as well, naturally.)
### Roles analagouse to groups
The Linux model of three privilege types "user", "group", and "other" works well for authorization permissions The Linux model of three privilege types "user", "group", and "other" works well for authorization permissions
and we should use this model, albeit somewhat simplfied. "User" is an authenticated user. "Group" is a set of and we should use this model, albeit somewhat simplfied. "User" is an authenticated user. "Group" is a set of
users, and a user may belong to several groups. In SNAC and the non-Linux world "group" is known as "role", so users, and a user may belong to several groups. In SNAC and the non-Linux world "group" is known as "role", so
SNAC will call them "roles". "Other" privileges apply to SNAC as public, non-authenticated users, although we SNAC will call them "roles". "Other" privileges apply to SNAC as public, non-authenticated users, although we
don't really have "other", and the "researcher" role applies to public users. don't really have "other", and the "researcher" role applies to public users.
### Roles and privileged application features
Each feature has a list of one or more authorized roles which may access that feature. Each feature has a list of one or more authorized roles which may access that feature.
Users can have several roles, and will have all the privileges (access to features) of all their roles. Role Users can have several roles, and will have all the privileges (access to features) of all their roles. Role
...@@ -56,35 +61,22 @@ session related discovery tools requires an account. It is technically possible ...@@ -56,35 +61,22 @@ session related discovery tools requires an account. It is technically possible
dashboard. Although that has not been mentioned as a requirement and is probably a low priority, it might be dashboard. Although that has not been mentioned as a requirement and is probably a low priority, it might be
almost trivial to implement. almost trivial to implement.
### Tables of roles and user types
Every account will be in the "Researcher" role which has the same privileges as the general public, but with a Every account will be in the "Researcher" role which has the same privileges as the general public, but with a
TBD set of basic privileges including: search history, certain researcher reports. TBD set of basic privileges including: search history, certain researcher reports.
| User type | Role | Description | See the two tables "Role" and "User type" in the "DBUser API" documentation:
|----------------------------+---------------------+-----------------------------------------------------------------------|
| Sysadmin | Server admin | Maintain server, backups, etc. | [Role in Database User API](Requirements/DBUser API.md#roles)
| Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Software engineer | Developer | Coding, testing, QA, release management, data loading, etc. | Remember: institutional affiliation roles aren't in the tables. There will be many of those institutional
| Manager | Web admin | Web accounts: create, manage, assign roles, run reports | affiliation roles, and users may have zero, one, or several institutional roles that define insitutions
| Peer vetting | Vetting | Approve moderators, reviewers, content experts | with which the user is affiliated.
| Moderator | Moderator | Approve maintenance changes, posting those changes |
| Reviewer/editor | Maintenance | Maintainer privileges, interacts with moderators | It is possible for an institutional administrator to also be a member of more than one
| Content expert | Maintenance | Domain expert, may have zero institutional roles | institution. Institutional Admins have abilities:
| Documentary editor | Maintenance | Distinguished by? |
| Maintenance | Maintenance | Distinguished by? |
| Researcher | Researcher | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | Bulk uploads of CPF or finding aids |
| Name authority manager | Name authority | Donates name authority data perhaps via bulk upload |
| Institutional admins | Institutional admin | Instutional role admin dashboard, institutional reports |
| Public | Researcher | No account, researcher role, no dashboard or single session dashboard |
Remember: institutional affiliation roles aren't in the table above. There will be many of those roles, and
users may have zero, one, or several institutional roles that define which insitutions that user is a member
of.
It is possible for an institutional admin to be a member of more than one institution. Institutional Admins
have abilities:
- view membership lists of their institution(s) - view membership lists of their institution(s)
- add or remove their instutional role for users. - add or remove their instutional role for users.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment