Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
Documentation
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Rachael Hu
Documentation
Commits
3872124b
Commit
3872124b
authored
Mar 31, 2016
by
Tom Laudeman
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Fix spelling
parent
7b9b0700
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
19 additions
and
19 deletions
+19
-19
DBUser API.md
Requirements/DBUser API.md
+19
-19
No files found.
Requirements/DBUser API.md
View file @
3872124b
...
@@ -12,12 +12,12 @@ For background about users, please see:
...
@@ -12,12 +12,12 @@ For background about users, please see:
### What data and features must be provided
### What data and features must be provided
-
user must have a unique id
-
user must have a unique id
-
user must be able to authenticate (login)
-
user must be able to authenticate (log
in)
-
user m
su
t be authorized for specific system features
-
user m
us
t be authorized for specific system features
User
id must be unique for all time, and thus, userids may not be reused. A unique user
id internal to the
User
id must be unique for all time, and thus, user ids may not be reused. A unique user
id internal to the
system may be a good idea. The textual user id such as "mst3k" or "mst3k@example.com" should probably also be
system may be a good idea. The textual user id such as "mst3k" or "mst3k@example.com" should probably also be
unique for all time, but (in theory) could be reused wit
n a new, unique system use
rid.
unique for all time, but (in theory) could be reused wit
h a new, unique system use
rid.
Accounts need an active flag. Deleted accounts might be kept inactive, as an easy way to prevent accidentally
Accounts need an active flag. Deleted accounts might be kept inactive, as an easy way to prevent accidentally
creating an account with the same name at some future time.
creating an account with the same name at some future time.
...
@@ -45,7 +45,7 @@ could be multiple simultaneous sessions per user, and each session needs its own
...
@@ -45,7 +45,7 @@ could be multiple simultaneous sessions per user, and each session needs its own
Current session data includes:
Current session data includes:
-
access token from the authentication (OAuth?)
-
access token from the authentication (OAuth?)
-
expiration timestamp when the session will expire
-
expiration time
stamp when the session will expire
The REST API requires the same session data. REST API users will have the same Au/Az constraints
The REST API requires the same session data. REST API users will have the same Au/Az constraints
...
@@ -55,7 +55,7 @@ The system has roles conceptually, extensively integrated throughout. Each user
...
@@ -55,7 +55,7 @@ The system has roles conceptually, extensively integrated throughout. Each user
The SNAC permission system is based entirely on roles (groups). SNAC is authorizing uses to run various
The SNAC permission system is based entirely on roles (groups). SNAC is authorizing uses to run various
functions. Ownership is a non-concept, but essentially the system (sort of "root") owns all functions. When
functions. Ownership is a non-concept, but essentially the system (sort of "root") owns all functions. When
there is only one owner, it has no use designing authorization partions. That leaves SNAC with a
there is only one owner, it has no use designing authorization parti
ti
ons. That leaves SNAC with a
role-only system.
role-only system.
In a global sense, the cumulative users and roles is complex. On a per-user or per-role basis, things are very
In a global sense, the cumulative users and roles is complex. On a per-user or per-role basis, things are very
...
@@ -65,15 +65,15 @@ manageable. When managing the system, imagine asking these fairly constrained (m
...
@@ -65,15 +65,15 @@ manageable. When managing the system, imagine asking these fairly constrained (m
-
List all user affiliated with UC Irvine.
-
List all user affiliated with UC Irvine.
-
List all users who can enrol
e
new users.
-
List all users who can enrol
l
new users.
-
List all users who can publish constellations.
-
List all users who can publish constellations.
-
List all users who may run reports for their own affiliation.
-
List all users who may run reports for their own affiliation.
Below is an example. Anyone who can login can get a dashboard, so there are no specific dashboard permissions
Below is an example. Anyone who can log
in can get a dashboard, so there are no specific dashboard permissions
(yet). The userid public and the role "researcher" may not any sense. Everyone has it, so there's no reason to
(yet). The user
id public and the role "researcher" may not any sense. Everyone has it, so there's no reason to
mention/restrict/authorize it. This table initially had a userid "public" with role "Public HRT", and every
mention/restrict/authorize it. This table initially had a user
id "public" with role "Public HRT", and every
user also had the role "Public HRT", but that is simply redundant. When it comes to implementation, the
user also had the role "Public HRT", but that is simply redundant. When it comes to implementation, the
authorization system will actually use some convention for testing role. The feature "Public HRT" can call a
authorization system will actually use some convention for testing role. The feature "Public HRT" can call a
role test that always returns true.
role test that always returns true.
...
@@ -81,7 +81,7 @@ role test that always returns true.
...
@@ -81,7 +81,7 @@ role test that always returns true.
The roles below are real, but do not imply any actual policy or any relation to persons living or dead.
The roles below are real, but do not imply any actual policy or any relation to persons living or dead.
Pulling some random details, and wording them in English, the table below says that Casey at CDL can approve
Pulling some random details, and wording them in English, the table below says that Casey at CDL can approve
NACO submissions (NACO approve). Jess
y
at NYPL is limited to assigning roles only for NYPL (affiliation-nypl
NACO submissions (NACO approve). Jess
ie
at NYPL is limited to assigning roles only for NYPL (affiliation-nypl
and role-assign-own).
and role-assign-own).
...
@@ -108,11 +108,11 @@ Roles have a number of traits:
...
@@ -108,11 +108,11 @@ Roles have a number of traits:
-
Created and maintained by admins with role-granting privileges
-
Created and maintained by admins with role-granting privileges
-
There is (ideally) a single privilege per role
-
There is (ideally) a single privilege per role
-
Roles and privileges must be coordinated with workflows and application features
-
Roles and privileges must be coordinated with work
flows and application features
-
At least one role exists per institutional affiliation
-
At least one role exists per institutional affiliation
-
Every user has the implied role Public HRT
-
Every user has the implied role Public HRT
-
Potentially we can have roles for ad
-
hoc groups (sub-institution, department, professional orgs, etc.)
-
Potentially we can have roles for ad
hoc groups (sub-institution, department, professional orgs, etc.)
-
Roles can be deprecated, but it repurposing roles is inadvisable from a security standpoint
-
Roles can be deprecated, but it re
-
purposing roles is inadvisable from a security standpoint
-
Need explicit, on-going policy guidance
-
Need explicit, on-going policy guidance
...
@@ -129,7 +129,7 @@ an account is a persistent dashboard.
...
@@ -129,7 +129,7 @@ an account is a persistent dashboard.
| Contribute | Create and edit constellations but cannot publish (contributor) |
| Contribute | Create and edit constellations but cannot publish (contributor) |
| Publish | Approve constellation publication (editor) |
| Publish | Approve constellation publication (editor) |
| Change status any | Change status, removing locks, and so on, any affiliation |
| Change status any | Change status, removing locks, and so on, any affiliation |
| Change owner any | Change constellation user, changing which user has a lock, any affilation |
| Change owner any | Change constellation user, changing which user has a lock, any affil
i
ation |
| Change status own | Change status, removing locks, and so on, own affiliation only |
| Change status own | Change status, removing locks, and so on, own affiliation only |
| Change owner own | Change constellation user, changing user lock, own affiliation only |
| Change owner own | Change constellation user, changing user lock, own affiliation only |
| Delete/embargo | Delete or embargo constellations (editor) |
| Delete/embargo | Delete or embargo constellations (editor) |
...
@@ -137,7 +137,7 @@ an account is a persistent dashboard.
...
@@ -137,7 +137,7 @@ an account is a persistent dashboard.
| Ontology propose | Propose headings in ontologies, but cannot approve headings |
| Ontology propose | Propose headings in ontologies, but cannot approve headings |
| Ontology approve | Approve ontology headings (editor) |
| Ontology approve | Approve ontology headings (editor) |
| Propose NACO | Create(?) NACO contributions, but not push(?) to NACO |
| Propose NACO | Create(?) NACO contributions, but not push(?) to NACO |
| NACO approve/finalize/submit | App
p
rove NACO contributions (editor) |
| NACO approve/finalize/submit | Approve NACO contributions (editor) |
| Enroll | Enroll new SNAC participants, create new users |
| Enroll | Enroll new SNAC participants, create new users |
| Role assign own institution | Assign new roles for own-institution users |
| Role assign own institution | Assign new roles for own-institution users |
| Role assign any institution | Assign new roles for any institution users |
| Role assign any institution | Assign new roles for any institution users |
...
@@ -148,8 +148,8 @@ an account is a persistent dashboard.
...
@@ -148,8 +148,8 @@ an account is a persistent dashboard.
| Block upload | Do bulk uploads of EAC-CPF, finding aids, etc. |
| Block upload | Do bulk uploads of EAC-CPF, finding aids, etc. |
| Institutional reporter | Run own-institutional reports |
| Institutional reporter | Run own-institutional reports |
| Super reporter | Run any report |
| Super reporter | Run any report |
| Instutional affiliation X | Affiliated with institution X. |
| Inst
it
utional affiliation X | Affiliated with institution X. |
| Inst
utional affiliation super | Affiliated with all instutions
, a super role (discuss?) |
| Inst
itutional affiliation super | Affiliated with all institution
, a super role (discuss?) |
More example user types, with their role(s) and description.
More example user types, with their role(s) and description.
...
@@ -169,7 +169,7 @@ More example user types, with their role(s) and description.
...
@@ -169,7 +169,7 @@ More example user types, with their role(s) and description.
| Maintenance | Contributor, constellation | May be older terminology for "contributor" |
| Maintenance | Contributor, constellation | May be older terminology for "contributor" |
| Researcher | Researcher | Use the discovery interface and history dashboard |
| Researcher | Researcher | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Name authority manager | Name authority | (super
c
eded by Editor-NACO?) |
| Name authority manager | Name authority | (super
s
eded by Editor-NACO?) |
| Institutional admins | Institutional reporter | May run own-institutional reports |
| Institutional admins | Institutional reporter | May run own-institutional reports |
| Public | Public | No SNAC account, single session dashboard |
| Public | Public | No SNAC account, single session dashboard |
| Contributor | Contribute + Ontology propose | Creates/edit constellations, propose ontology headings |
| Contributor | Contribute + Ontology propose | Creates/edit constellations, propose ontology headings |
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment