snac / Documentation
Commit 0f5a27e9 authored Mar 28, 2016 by Tom Laudeman
Align prose in DBUser and User management
Parent: f0386ed2
Showing 2 changed files with 33 additions and 42 deletions (+33 -42)
Requirements/DBUser API.md: +6 -7
Requirements/User Management.md: +27 -35
Requirements/DBUser API.md (view file @ 0f5a27e9)
...
@@ -52,8 +52,6 @@ TBD set of basic privileges including: search history, certain researcher report
to use SNAC. Members of the public are mostly identical to Researchers. The primary feature gained by having
an account is a persistent dashboard.
(sync this prose with "user management.md")
| Role | Role Description |
|------------------------------+------------------------------------------------------------------------|
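Review bot: dropping the "(sync this prose with "user management.md")" reminder only closes the loop if the prose really is no longer duplicated, and the context line above ("TBD set of basic privileges including: search history, certain researcher report…") still appears nearly verbatim in User Management.md, which this same commit leaves in place. Suggest making one file canonical for the Researcher-baseline sentence and replacing the other copy with a link, as the commit already does for the user-type table.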
...
@@ -75,12 +73,13 @@ an account is a persistent dashboard.
| Web administrator | (duplicate? historical?) May perform admin tasks via the web interface |
| Database administrator | Create and maintain the SQL database |
| Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Institutional reporter | May run own
institutional reports |
| Institutional reporter | May run own
-
institutional reports |
| Super reporter | May run any report |
| User type | Role(s) | User Description |
|----------------------------+--------------------------------------------------+-------------------------------------------------------------
-
|
|----------------------------+--------------------------------------------------+-------------------------------------------------------------|
| Sysadmin | System administrator | Maintain server, backups, etc. |
| Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Software engineer | Developer + DBA | Coding, testing, QA, release management, data loading, etc. |
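Review bot: the "Institutional reporter" row is still wrapped onto a second line ("| Institutional reporter | May run own" / "institutional reports |") in both the old and new versions shown here; a Markdown table row has to be a single line, so the wrapped cell renders as stray text under a broken table. Keep each row on one line. The same applies to the delimiter rows of both tables, which use org-mode style "+" junctions ("|------+------|"); GitLab's Markdown expects "|" between the dash runs, so neither table renders as a table until that is changed. The "(duplicate? historical?)" question on the Web administrator row is also left unresolved by this change.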
...
@@ -94,11 +93,11 @@ an account is a persistent dashboard.
| Researcher | Researcher | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Name authority manager | Name authority | (superceded by Editor-NACO?) |
| Institutional admins | Institutional reporter | May run
institutional reports
|
| Institutional admins | Institutional reporter | May run
own-institutional reports
|
| Public | Public | No SNAC account, single session dashboard |
| Contributor | Create/edit + Ontology propose | Creates/edit constellations, propose ontology headings |
| Author | Create/edit
+Publish+Propose Del/Emb+Propose NACO | A contributor, with additional privileges
|
| Editor | Create/edit
+Publish+Delete/embargo+NACO | Review constellations, approve and publish
|
| Author | Create/edit
+ Publish + Propose Del/Emb+Propose NACO | A contributor, with additional privileges
|
| Editor | Create/edit
+ Publish + Delete/embargo + NACO | Review constellations, approve and publish
|
| Author-NACO | Create provisional NACO | Creates NACO entries, sends to editor for submission |
| Administrator | Author + editor + enroll + assign | Everything, only own institution |
| Administrator-super | Administrator + any institution | Admin plus assign roles for any user of any institution |
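Review bot: the Author and Editor rows in the new version put the Role(s) cell on a continuation line that begins with "+ Publish + …", which both breaks the table row (one line per row) and reads like a diff addition marker to anyone reviewing the file; keep those rows on one line. Two smaller points: "superceded" should be "superseded", and "May run own-institutional reports" would be clearer as "May run own institutional reports", matching the Role table wording this commit is meant to align with. Finally, since Administrator carries "enroll + assign", the table should state whether an Administrator can assign the Administrator or Administrator-super role itself; as written, the boundary that stops an institution-scoped admin from granting cross-institution privileges is left implicit.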
...
Requirements/User Management.md (view file @ 0f5a27e9)
# User Management
Authentication is validating user logins to the system. Authorization is the related aspect of controlling
which parts of the system users may access (or even which parts they may know exist).
### Introduction
We can use OpenID for authentication, but we will need a user profile for SNAC roles and authorization. There
a
re examples of PHP code to implement OpenID at stackexchange:
Authentication is: "validating user logins to the system." Authorization is: "privileges
a
llowing user access to system features."
http://stackoverflow.com/questions/4459509/how-to-use-open-id-as-login-system
We are using OpenID for authentication, but we need a user profile for SNAC roles and authorization.
OpenID seems to constantly be changing, and sites using change frequently. Google has (apparently) deprecated
OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still works with
OpenID. Stackexchange supports several authentication schemes. If they can do it, so can we. Or we can support
one scheme for starters and add others as necessary. The SE code is not open source, so we can't see how much
work it was to support the various OpenID partners.
OpenID seems to constantly be changing, and sites using it change frequently. Google has (apparently)
deprecated OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still
works with OpenID. Stackexchange supports several authentication schemes. If they can do it, so can we. Or we
can support one scheme for starters and add others as necessary. The SE code is not open source, so we can't
see how much work it was to support the various OpenID partners.
### Authorization
Authorization involves controlling what users can do once they are in the system. That function is sort of
more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific requirements,
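Review bot: "Open Connect" in the OpenID paragraph should read "OpenID Connect", and since the same paragraph says OpenID 2.0 is being deprecated in its favour, the sentence "We are using OpenID for authentication" should say which protocol is meant; OpenID Connect is an OAuth 2.0-based identity layer, not a revision of OpenID 2.0, and the two need different client code. The stackoverflow link also ends up stranded between the definition sentences and the OpenID paragraph after this rewrite; move it next to the sentence that cites it ("There are examples of PHP code to implement OpenID at stackexchange").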
...
@@ -26,12 +27,16 @@ authorization system is involved in every transaction with the server to the ext
server is checked for authorization before being passed to the code doing the real work. (Every request is
also checked for authentication as well, naturally.)
### Roles analagouse to groups
The Linux model of three privilege types "user", "group", and "other" works well for authorization permissions
and we should use this model, albeit somewhat simplfied. "User" is an authenticated user. "Group" is a set of
users, and a user may belong to several groups. In SNAC and the non-Linux world "group" is known as "role", so
SNAC will call them "roles". "Other" privileges apply to SNAC as public, non-authenticated users, although we
don't really have "other", and the "researcher" role applies to public users.
### Roles and privileged application features
Each feature has a list of one or more authorized roles which may access that feature.
Users can have several roles, and will have all the privileges (access to features) of all their roles. Role
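Review bot: typos in the new section: the heading "Roles analagouse to groups" should be "Roles analogous to groups", and "simplfied" should be "simplified". On the substance, "Each feature has a list of one or more authorized roles which may access that feature" describes an allow-list; it is worth stating the default explicitly (a feature with no roles listed is accessible to nobody, not everybody), since that is the check the preceding paragraph says runs on every request. Also, this section says the "researcher" role applies to public users, whereas the User type table in DBUser API.md gives Public its own "Public" role with "No SNAC account, single session dashboard"; pick one so the authorization code has a single answer for unauthenticated requests.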
...
@@ -56,35 +61,22 @@ session related discovery tools requires an account. It is technically possible
dashboard. Although that has not been mentioned as a requirement and is probably a low priority, it might be
almost trivial to implement.
### Tables of roles and user types
Every account will be in the "Researcher" role which has the same privileges as the general public, but with a
TBD set of basic privileges including: search history, certain researcher reports.
| User type | Role | Description |
|----------------------------+---------------------+-----------------------------------------------------------------------|
| Sysadmin | Server admin | Maintain server, backups, etc. |
| Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Software engineer | Developer | Coding, testing, QA, release management, data loading, etc. |
| Manager | Web admin | Web accounts: create, manage, assign roles, run reports |
| Peer vetting | Vetting | Approve moderators, reviewers, content experts |
| Moderator | Moderator | Approve maintenance changes, posting those changes |
| Reviewer/editor | Maintenance | Maintainer privileges, interacts with moderators |
| Content expert | Maintenance | Domain expert, may have zero institutional roles |
| Documentary editor | Maintenance | Distinguished by? |
| Maintenance | Maintenance | Distinguished by? |
| Researcher | Researcher | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | Bulk uploads of CPF or finding aids |
| Name authority manager | Name authority | Donates name authority data perhaps via bulk upload |
| Institutional admins | Institutional admin | Instutional role admin dashboard, institutional reports |
| Public | Researcher | No account, researcher role, no dashboard or single session dashboard |
Remember: institutional affiliation roles aren't in the table above. There will be many of those roles, and
users may have zero, one, or several institutional roles that define which insitutions that user is a member
of.
It is possible for an institutional admin to be a member of more than one institution. Institutional Admins
have abilities:
See the two tables "Role" and "User type" in the "DBUser API" documentation:
[
Role in Database User API
](
Requirements/DBUser
API.md#roles)
Remember: institutional affiliation roles aren't in the tables. There will be many of those institutional
affiliation roles, and users may have zero, one, or several institutional roles that define insitutions
with which the user is affiliated.
It is possible for an institutional administrator to also be a member of more than one
institution. Institutional Admins have abilities:
-
view membership lists of their institution(s)
-
add or remove their instutional role for users.
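Review bot: the link that replaces the table, "[Role in Database User API](Requirements/DBUser API.md#roles)", will not resolve: User Management.md itself lives in Requirements/, so the relative target should be "DBUser API.md#roles" (or "DBUser%20API.md#roles", since the space needs encoding), and the "#roles" anchor should be checked against the actual heading in DBUser API.md. Typos in the retained prose: "insitutions" should be "institutions" and "instutional" should be "institutional". Note too that the old table being removed assigned Public the Researcher role, while the DBUser API table the link now points to gives Public a separate "Public" role; since the removal makes that table the only definition, confirm it is the intended one.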
...