Commit 7d5bc522 by Tom Laudeman

Update privs and roles, link docs together

parent 4494b378
......@@ -175,12 +175,18 @@ embargo, enroll, assign. It seems like a nice idea to enshrine this as a convent
"administrator" to "administer", and we need to come up with a verbs for the remaining privileges, especially
"affiliation".)
Note that privileges are granualar, and each privilege must exist only once. Having one privilege does not
imply having another. The Roles (a bit further below) deal with combinations of privileges.
#### Privilege table
| Privilege | Privilege Description |
|----------------------------------+----------------------------------------------------------------------------|
| Research | Use discovery interface and dashboard, has an account |
| Contribute | Create and edit constellations but cannot publish (contributor) |
| Publish | Approve constellation publication, change status to "published" (editor) |
| Contribute (June 2016) | Simplfied create |
| Edit (June 2016) | Edit constellations |
| Suggest edits (June 2016) | Suggest edits, implies a mechanism to send suggestions to Edit |
| Publish (June 2016) | Review, approve, publish, change status to "published" |
| Change status any | Change any status, removing locks, and so on, any affiliation |
| Change owner any | Change constellation user, changing which user has a lock, any affiliation |
| Change status own | Change any status, removing locks, and so on, own affiliation only |
......@@ -224,30 +230,36 @@ Remember, the table below is only a guess or approximation of real world roles.
open to expanding the requirements to be as complete as possible. (Although not all requirements will
necessarily ever become features of SNAC.)
| Role | Privilege(s) | User Description |
|----------------------------+-----------------------------------------------------+--------------------------------------------------------|
| Sysadmin | System administrator | Maintain server, backups, etc. |
| Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Software engineer | Developer + DBA | Coding, testing, QA, release, data loading, etc. |
| Manager | Enroll + Privilege assign own + Report own | Create, manage, assign privileges, run reports |
| Peer vetting | Enroll | Approve moderators, reviewers, content experts |
| Moderator | Publish | Approve maintenance changes, posting those changes |
| Reviewer/editor | Contribute + publish | Maintainer privileges, interacts with moderators |
| Content expert | Contribute | Domain expert, may have zero institutional privileges |
| Documentary editor | Contribute | (Any distinguishing privileges?) |
| Maintenance | Contribute | Constellation edit, maintain constellations. |
| Research | Research | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Name authority manager | Name authority | (superseded by Editor-NACO?) |
| Institutional admins | Report own | May run own-institutional reports |
| Public | n/a | No SNAC account, single session dashboard |
| Contributor | Contribute + Ontology propose | Creates/edit constellations, propose ontology headings |
| Author | Contribute + Publish + Propose Del/Emb+Propose NACO | Contribute, with additional privileges |
| Editor | Contribute + Publish + Delete/embargo + NACO | Review constellations, approve and publish |
| Author-NACO | Propose NACO | Creates NACO entries, sends to editor for submission |
| Administrator | Contributor + Editor privileges + enroll + assign | Everything, only own institution |
| Administrator-super | Administrator + any institution | Admin+ assign privileges, any user, any institution |
#### Role table
| Role | Privilege(s) | User Description |
|--------------------------------+-----------------------------------------------------+--------------------------------------------------------|
| Sysadmin | System administrator | Maintain server, backups, etc. |
| Database Administrator | DBA | Schema maintenance, data dumps, etc. |
| Software engineer | Developer + DBA | Coding, testing, QA, release, data loading, etc. |
| Manager | Enroll + Privilege assign own + Report own | Create, manage, assign privileges, run reports |
| Peer vetting | Enroll | Approve moderators, reviewers, content experts |
| Editor (June 2016) | Contribute + Publish | Same privilges as Reviewer |
| Moderator | Publish | Approve maintenance changes, posting those changes |
| Reviewer/editor | Contribute + publish | Maintainer privileges, interacts with moderators |
| Editor in Training (June 2016) | Contribute | Editor, no publish, training to be Editor |
| Contributor (June 2016) | Simplified Create + Suggest Edits | Basic contributor, creator of constellations |
| Content expert | Contribute | Domain expert, may have zero institutional privileges |
| Documentary editor | Contribute | (Any distinguishing privileges?) |
| Maintenance | Contribute | Constellation edit, maintain constellations. |
| Research | Research | Use the discovery interface and history dashboard |
| Archival description donor | Block upload | May do bulk uploads of EAC-CPF, finding aids, etc. |
| Name authority manager | Name authority | (superseded by Editor-NACO?) |
| Institutional admins | Report own | May run own-institutional reports |
| Public | n/a | No SNAC account, single session dashboard |
| Contributor | Contribute + Ontology propose | Creates/edit constellations, propose ontology headings |
| Author | Contribute + Publish + Propose Del/Emb+Propose NACO | Contribute, with additional privileges |
| Editor | Contribute + Publish + Delete/embargo + NACO | Review constellations, approve and publish |
| Author-NACO | Propose NACO | Creates NACO entries, sends to editor for submission |
| Administrator | Contributor + Editor privileges + enroll + assign | Everything, only own institution |
| Administrator-super | Administrator + any institution | Admin+ assign privileges, any user, any institution |
| | | |
### API
......
......@@ -5,7 +5,8 @@
Authentication is: "validating user logins to the system." Authorization is: "privileges
allowing user access to system features."
We are using OpenID for authentication, but we need a user profile for SNAC roles and authorization.
We are using OpenID for authentication, but we need a user profile for SNAC privileges (authorization) and
roles (groups of privileges).
OpenID seems to constantly be changing, and sites using it change frequently. Google has (apparently)
deprecated OpenID 2.0 in favor of Open Connect. Facebook is using something else, but apparently FB still
......@@ -16,42 +17,41 @@ see how much work it was to support the various OpenID partners.
### Authorization
Authorization involves controlling what users can do once they are in the system. That function is sort of
more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific roles which will not be
found in any other system.
more solved by OAuth or OpenID by sharing the user profile. However, SNAC has specific privileges which will
not be found in any other system.
By default, the lowest privileged users can't do anything that isn't available to the non-authenticated public
users. Privileges are added and users are given roles from which they inherit privileges. The authorization
system is involved in every transaction with the server to the extent that every request to the server is
checked for authorization before being passed to the code doing the real work. (Every request is also checked
for authentication as well, naturally.)
users. Privileges are added to roles (groups) and users are given roles from which they inherit sets of
privileges. The authorization system is involved in every transaction with the server to the extent that every
request to the server is checked for authorization before being passed to the code doing the real work. (Every
request is also checked for authentication as well, naturally.)
### Roles analagous to groups
The Linux model of three privilege types "user", "group", and "other" works well for authorization permissions
and we should use this model, albeit somewhat simplfied. "User" is an authenticated user. "Group" is a set of
users, and a user may belong to several groups. In SNAC and the non-Linux world "group" is known as "role", so
SNAC will call them "roles". "Other" privileges don't apply to SNAC. Non-authenticated users have the
"researcher" role.
and we should use this model, albeit somewhat simplfied. "User" is an authenticated user. "Group" becomes
"Role" and is a set of users, and a user may belong to several groups. Privileges are carried by roles, and
users are members of one or more roles. In SNAC and the non-Linux world "group" is known as "role", so SNAC
will call them "roles". "Other" privileges don't apply to SNAC. Non-authenticated users have the "researcher"
role.
### Roles and privileged application features
Each feature has a list of one or more authorized roles which may access that feature.
Users can have several roles, and will have all the privileges (access to features) of all their roles. Role
membership is managed by an administrative user interfac (probably part of the dashboard, or there will be a
membership is managed by an administrative user interface (probably part of the dashboard, or there will be a
special admin dashboard) and related API code. Our system allows access to every feature associated with any
user role. (Just an aside: some high-security systems restrict access to the least privileged role; like
Linux, SNAC has a different model.) User information such as name, phone number, and even password can
user role. (Just an aside: some high-security systems restrict access to the least privileged role, like
Linux; SNAC has a different model.) User information such as name, phone number, and even password can
change. User ID values cannot be changed, and a user ID is never reused, even after account deletion.
We expect to create additional roles as necessary for application functions.
Roles include a large number "is instution member" roles. These should be roles like any other, but we may
want to flag these role records to make them easy to manage and easy to display in the UI. Any user can have
zero or more roles that define their instutional affiliation. This primarily effects reporting and admin. In
the case of reports, membership in an institution constrains the reporting. When setting up a report, users
may only choose from institutions of which they are members. Some reports may auto-detect the user's
membership.
Historically, there was a suggestion that users could be affiliated with multiple institutions. This is not
practical. Any user zero or one institutional affiliation. This primarily effects reporting and admin. In the
case of reports, membership in an institution constrains the some aspects of some reports. Certain reports may
auto-detect the user's institutional affiliation.
When we refer to "accounts" we mean web accounts managed by the Manager/Web admin. The general
public can use the discovery interface without an account, but saving search history, and other
......@@ -59,26 +59,28 @@ session related discovery tools requires an account. It is technically possible
dashboard. Although that has not been mentioned as a requirement and is probably a low priority, it might be
almost trivial to implement.
### Tables of roles and user types
### Tables of privileges and roles
Every account will be in the "Researcher" role which has the same privileges as the general public, but with a
TBD set of basic privileges including: search history, certain researcher reports.
See the two tables "Role" and "User type" in the "DBUser API" documentation:
See the two tables "Privilege" and "Role" in the "DBUser API" documentation:
[Role in Database User API](Requirements/DBUser API.md#roles)
[Privilege table](Requirements/DBUser API.md#privilege_table)
Remember: institutional affiliation roles aren't all listed in the tables. There will be one institutional
affiliation role per institution. Users may have zero, one, or several institutional roles that define
insitutions with which the user is affiliated.
[Role table](Requirements/DBUser API.md#role_table)
It is possible for an institutional administrator to also be a member of more than one
institution. Institutional Admins have abilities:
Remember: institutional affiliation roles listed. Users may have zero, or one role that define insitutions
with which the user is affiliated. Our current direction is not to support multiple institutional affiliations
because this creates many problems. User who have multiple affiliations need to have separate logins for each
affiliation.
Institutional Admins have abilities:
- view membership lists of their institution(s)
- add or remove their instutional role for users.
Roles which require one or more instutitutional roles (affiliation):
Privileges which require and instutitutional affiliation:
- Block upload
- Name authority
......
......@@ -187,31 +187,43 @@ When command-login2 is true, the resulting worker might better be split into sev
Here command-unlock is split into tests and workers: unlock-constellation, if-error, redirect-dashboard,
return-json. Alternatively, these 4 functions might all be inside a single worker.
| state | test | worker | next-state |
|--------+----------------------+------------------------------------------------------------+------------|
| start | empty-session | init-and-home | done |
| start | | non-empty-start-snac-session | do-cmd |
| do-cmd | command-login | destroy-session-and-redirect-home | done |
| do-cmd | command-login2 | login-start-snac-session-serialize-user-redirect-dashboard | done |
| do-cmd | command-logout | logout-destroy-session-and-redirect-index | done |
| do-cmd | command-edit | display-edit-page | done |
| do-cmd | command-new | display-new-edit-page | done |
| do-cmd | command-view | display-view-page | done |
| do-cmd | command-preview | display-preview-page | done |
| do-cmd | command-dashboard | display-dashboard | done |
| do-cmd | command-profile | display-profile | done |
| do-cmd | command-save | save-constellation-return-json | done |
| do-cmd | command-save-unlock | save-unlock-return-json | done |
| do-cmd | command-unlock | unlock-constellation | unlock |
| do-cmd | command-save-publish | save-publish-return-json | done |
| do-cmd | command-publish | publish-return-json | done |
| do-cmd | command-vocabulary | vocabulary-search-return-json | done |
| do-cmd | command-search | name-search-return-json | done |
| do-cmd | | display-landing-page | done |
| unlock | if-error | redirect-dashboard | done |
| unlock | | return-json | done |
| done | | exit | |
Looking at this table you must keep in mind that this is the webUI, and "return" is "send data to web browser"
or "send data to web template". Unlock is change status from "currently editing" to "locked editing".
Things to do: change command-save-unlock to save-constellation then go to state unlock. In other words, create
granular workers, and use them as building blocks. Workers here are based on what happens in run() in
WebUI.php.
| state | test | worker | next-state |
|-----------------+----------------------+------------------------------------------------------------+-----------------|
| start | empty-session | init-and-home | done |
| start | | non-empty-start-snac-session | do-cmd |
| do-cmd | command-login | destroy-session-and-redirect-home | done |
| do-cmd | command-login2 | login-start-snac-session-serialize-user-redirect-dashboard | done |
| do-cmd | command-logout | logout-destroy-session-and-redirect-index | done |
| do-cmd | command-edit | display-edit-page | done |
| do-cmd | command-new | display-new-edit-page | done |
| do-cmd | command-view | display-view-page | done |
| do-cmd | command-preview | display-preview-page | done |
| do-cmd | command-dashboard | | dashboard |
| do-cmd | command-profile | display-profile | done |
| do-cmd | command-save-profile | save-profile | done |
| do-cmd | command-save | save-constellation | done |
| do-cmd | command-save-unlock | save-unlock | done |
| do-cmd | command-unlock | unlock-constellation | unlock |
| do-cmd | command-save-publish | save-publish | done |
| do-cmd | command-save-review | save-constellation | review |
| do-cmd | command-publish | publish | dashboard |
| do-cmd | command-vocabulary | vocabulary-search | done |
| do-cmd | command-search | name-search | done |
| do-cmd | | display-landing-page | done |
| unlock | if-error | redirect-dashboard | done |
| unlock | | return-json | done |
| review | | relock-to-reviewer | notify-reviewer |
| notify-reviewer | | notify-reviewer | dashboard |
| dashboard | | display-dashboard | done |
| done | | exit | |
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment