General framework for roles and permissions in Dokeos
Written by Frederik Questier. Presented by Frederik Questier @ Dokeos dev meeting 24/08/2005. Input/ideas by Evie Embrechts, Isabel Deprez, Stijn Van Achter, Plone CMS. Creative Commons License by-nc-sa.
2
Principles / Key concepts
General framework, future proof, also for extensions
Quite optional:
Freedom for admins, who can delegate their freedom
Roles
Permissions
Localization
Inheritance
Workflows
3
Roles
Roles (and permissions)
some should be predefined in Dokeos
can be changed by admin
can be created by admin
can be assigned by admin (and by teachers if the admin wants that)
Role creation and role changing are just two of the permissions which can be given to certain roles.
4
Roles
Some roles are global (G), some are local (L):
G Visitor (anonymous)
G Authenticated
L Guest Course Member
L Official Course Member (enrolled)
G Student
L Teaching Assistant
G Teacher
L Official Course Teacher (titularis in Dutch/Latin)
L Owner (of objects)
G Admin
5
Roles
Each person can have several roles (as in real life)
Global roles and their permissions can be changed and assigned by the admins
Local roles and their permissions can be changed and assigned by the teachers, or by whoever has the 'change local roles' permission
Except maybe the (optional) 'Official' roles, which could come from an external administrative database.
6
Permissions
View
Add
Edit
Delete
Sort
Suggest
Review/Publish
Assign Local Roles
Create (Local) Roles
Change Permissions of Local Roles
Change access permissions (visible/invisible, or world/institution/class/owner)
...
7
Generalization
All these permissions can be very general, but context sensitive (localized)
e.g. the 'Add' permission can mean
Add
course
groups
links
documents
forum sections
forum topics
...
All these permissions could be split up, but localization is the better way to do it.
8
Inheritance
Consider Dokeos as a hierarchical (folder) system
Local permission settings can be inherited from upper folders.
inheritance flag on/off
example
By default students have only View and Suggest permissions in the (root) link folder/tool
The teacher can give students the Add/Publish permissions in the folder 'studentlinks' (and therefore in its subfolders)
9
Assigning permissions
Permissions are assigned to roles
Permissions are not assigned to users
because one needs roles anyway (Dokeos has long had Student, Teacher and Admin roles)
because assigning and checking both user and role permissions is difficult
If teachers are assigned (by the admin) the 'Change permissions' and 'Change roles' permissions:
Teachers can change the permissions for all students by changing the permissions for their roles.
Teachers can change the permissions for certain students by assigning them an extra (existing or new) role.
There could be a few predefined 'Powerful student' roles which could be locally adapted by each teacher.
10
Conflicting permissions?
Conflicting permissions from different roles:
positive permissions overrule!
This works if local roles are used correctly
examples
don't grant Add/Edit/... permissions to the global 'Teacher' role (which would apply on each course), but to 'Official Course Teacher'
don't grant the View permission to the 'Student' role (which would apply on each course), but to 'Official Course Member (enrolled)'
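The inheritance slide and the two "don't grant to the global role" examples above describe one resolution rule: collect the grants of every role the user holds at a location and at the locations above it (while the inheritance flag is on), and take the union, so a positive permission from any role wins. The following is an added model of that rule, not Dokeos code. Role and permission names are taken from the deck; the users (alice), courses, folders and the convention that local roles are bound to the enclosing course node are constructed assumptions for the demonstration. The `view_on_global_student` flag reproduces the anti-pattern from the slide so the leak is visible next to the correct configuration.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    """A location (root, course, tool, folder ...) holding local grants."""
    name: str
    parent: Node | None = None
    inherit: bool = True  # the slide's inheritance flag on/off
    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, *perms: str) -> None:
        self.grants.setdefault(role, set()).update(perms)

    def course(self) -> Node | None:
        """The enclosing course: local roles are bound to it (assumption)."""
        n: Node | None = self
        while n is not None and not n.name.startswith("course "):
            n = n.parent
        return n


@dataclass
class Directory:
    """Global roles per user and local roles per (user, course)."""
    global_roles: dict[str, set[str]] = field(default_factory=dict)
    local_roles: dict[tuple[str, str], set[str]] = field(default_factory=dict)

    def roles_at(self, user: str, node: Node) -> set[str]:
        roles = set(self.global_roles.get(user, set()))
        course = node.course()
        if course is not None:
            roles |= self.local_roles.get((user, course.name), set())
        return roles


def effective_permissions(node: Node, roles: set[str]) -> set[str]:
    """Union of the grants to any held role at this node and, while the
    inheritance flag stays on, at each node above it. The union is what
    'positive permissions overrule' means: one role granting Add suffices."""
    perms: set[str] = set()
    n: Node | None = node
    while n is not None:
        for role in roles:
            perms |= n.grants.get(role, set())
        if not n.inherit:
            break
        n = n.parent
    return perms


def can(d: Directory, user: str, node: Node, perm: str) -> bool:
    return perm in effective_permissions(node, d.roles_at(user, node))


def run(view_on_global_student: bool = False) -> dict[str, bool]:
    """Two constructed courses; alice is enrolled only in course A. The flag
    reproduces the anti-pattern from the slide: View granted to the global
    'Student' role instead of to the local enrolled-member role."""
    root = Node("dokeos")
    links = {}
    for c in ("course A", "course B"):
        links[c] = Node("links", Node(c, root))
        # default from the inheritance slide: enrolled members View + Suggest
        links[c].grant("Official Course Member (enrolled)", "View", "Suggest")
    if view_on_global_student:
        root.grant("Student", "View")
    # the course A teacher opens 'studentlinks' for Add/Publish; a subfolder
    # inherits that, a folder with the flag off inherits nothing
    studentlinks = Node("studentlinks", links["course A"])
    studentlinks.grant("Official Course Member (enrolled)", "Add", "Publish")
    archive = Node("archive", studentlinks)
    private = Node("private", links["course A"], inherit=False)
    d = Directory(
        global_roles={"alice": {"Student"}},
        local_roles={("alice", "course A"): {"Official Course Member (enrolled)"}},
    )
    return {
        "view_links_a": can(d, "alice", links["course A"], "View"),
        "add_links_a": can(d, "alice", links["course A"], "Add"),
        "add_studentlinks": can(d, "alice", studentlinks, "Add"),
        "add_archive": can(d, "alice", archive, "Add"),  # inherited
        "view_private": can(d, "alice", private, "View"),  # flag off
        "view_links_b": can(d, "alice", links["course B"], "View"),  # not enrolled
    }


if __name__ == "__main__":
    print(run())
    print(run(view_on_global_student=True))
```

With the correct configuration alice can View and Suggest in course A, can Add in 'studentlinks' and its subfolder, gets nothing in the folder whose inheritance flag is off, and sees nothing in course B. With View granted to the global 'Student' role she can read course B's links without being enrolled, which is exactly why the slide sends such grants to the local enrolled-member role.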
11
Workflows
Example:
A student Suggests something (e.g. a link)
The student is Owner of the object and can still Edit it.
The teacher (or anyone with the local review permission) either Deletes or Publishes the link (i.e. gives View permission to other roles)
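The workflow above is a per-object state change layered on the role model: the suggester becomes 'Owner (of objects)' of the new link, only owner and reviewers see it until publication, and Publish is nothing more than adding View permission on that object for other roles. The following is an added model of that flow, not Dokeos code. The role and permission names come from the deck; the per-tool permission table, the users alice, bob and carol and the `Forbidden` exception are constructed for the demonstration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Local role permissions of one course's links tool (constructed values that
# follow the deck's role and permission names).
TOOL_PERMS: dict[str, set[str]] = {
    "Official Course Member (enrolled)": {"View", "Suggest"},
    "Official Course Teacher": {"View", "Review/Publish", "Delete"},
}
# The 'Owner (of objects)' role is bound to an object, not to a location.
OWNER_PERMS = {"View", "Edit"}


class Forbidden(PermissionError):
    """Raised when the acting user lacks the required permission."""


@dataclass
class Link:
    url: str
    owner: str
    published: bool = False
    view_roles: set[str] = field(default_factory=set)  # granted by Publish


@dataclass
class LinkTool:
    links: list[Link] = field(default_factory=list)

    @staticmethod
    def perms(user: str, roles: set[str], link: Link | None = None) -> set[str]:
        """Union over the user's roles, plus owner permissions on own objects."""
        p: set[str] = set()
        for r in roles:
            p |= TOOL_PERMS.get(r, set())
        if link is not None and link.owner == user:
            p |= OWNER_PERMS
        return p

    def suggest(self, user: str, roles: set[str], url: str) -> Link:
        if "Suggest" not in self.perms(user, roles):
            raise Forbidden(user)
        link = Link(url, owner=user)  # suggester becomes Owner
        self.links.append(link)
        return link

    def can_view(self, user: str, roles: set[str], link: Link) -> bool:
        """Owner and reviewers see a suggestion; others need tool-level View
        and a role that Publish added to the object."""
        p = self.perms(user, roles, link)
        if link.owner == user or "Review/Publish" in p:
            return True
        return "View" in p and bool(roles & link.view_roles)

    def can_edit(self, user: str, roles: set[str], link: Link) -> bool:
        return "Edit" in self.perms(user, roles, link)

    def publish(self, user, roles, link, for_roles) -> None:
        """Publish = give View permission on the object to other roles."""
        if "Review/Publish" not in self.perms(user, roles, link):
            raise Forbidden(user)
        link.published = True
        link.view_roles |= set(for_roles)

    def delete(self, user, roles, link) -> None:
        if "Delete" not in self.perms(user, roles, link):
            raise Forbidden(user)
        self.links.remove(link)


def run() -> dict[str, bool]:
    """Walk the slide's workflow with constructed users alice, bob, carol."""
    tool = LinkTool()
    member = {"Official Course Member (enrolled)"}
    teacher = {"Official Course Teacher"}
    link = tool.suggest("alice", member, "https://example.org/")
    out = {
        "owner_edits_suggestion": tool.can_edit("alice", member, link),
        "peer_sees_suggestion": tool.can_view("bob", member, link),
        "teacher_sees_suggestion": tool.can_view("carol", teacher, link),
    }
    try:
        tool.publish("bob", member, link, member)  # no review permission
        out["peer_could_publish"] = True
    except Forbidden:
        out["peer_could_publish"] = False
    tool.publish("carol", teacher, link, member)
    out["peer_sees_published"] = tool.can_view("bob", member, link)
    out["peer_edits_published"] = tool.can_edit("bob", member, link)
    return out


if __name__ == "__main__":
    for k, v in run().items():
        print(f"{k}: {v}")
```

The check worth noting is in `can_view`: tool-level View alone never exposes an unpublished suggestion, so a student with View on the links tool still cannot read a peer's pending item until a reviewer publishes it, while the owner keeps Edit throughout.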
12
How to make it easy?
Visualisation
On every location (global, course, group?, tool, file, ...)
User Permission Matrix or 'ACL' (Access Control List)
Roles page, where first a Role is chosen, and then users can be added.
Whenever roles and permissions are shown, there should be links to the definitions and the Permission matrix
...
Implementation
Default roles and permissions can be chosen according to the current Dokeos settings
All tools should try to match the general permissions
...