General framework for roles and permissions in Dokeos

Written by Frederik Questier
Presented by Frederik Questier @ Dokeos dev meeting 24/08/2005
Input/ideas by Evie Embrechts, Isabel Deprez, Stijn Van Achter, Plone CMS
Creative Commons License by-nc-sa

Principles / Key concepts

General framework, future proof, also for extensions
Quite optional:
  Freedom for admins who can delegate their freedom
Roles
Permissions
Localization
Inheritance
Work flows

Roles

Roles (and permissions)
  some should be predefined in Dokeos
  can be changed by admin
  can be created by admin
  can be assigned by admin (and teachers if admin wants that)
Role creation and changing are just two of the permissions which can be given to certain roles.

Roles

Some roles are global (G), some are local (L):
  G Visitor (anonymous)
  G Authenticated
  L Guest Course Member
  L Official Course Member (enrolled)
  G Student
  L Teaching Assistant
  G Teacher
  L Official Course Teacher (titularis in dutch/latin)
  L Owner (of objects)
  G Admin

Roles

Each person can have several roles (as in real life)
Global roles and their permissions can be changed and assigned by the admins
Local roles and their permissions can be changed and assigned by the teachers or whoever has the 'change local roles permission'
Except maybe the (optional) 'Official' roles, which could come from an external administrative database.

Permissions

View
Add
Edit
Delete
Sort
Suggest
Review/Publish
Assign Local Roles
Create (Local) Roles
Change Permissions of Local Roles
Change access permissions (visible/invisible or world/institution/class/owner)
...

Generalization

All these permissions can be very general, but context sensitive (localized)
e.g. 'Add' permission can mean
  Add
    course
    groups
    links
    documents
    forum sections
    forum topics
    ...
All these permissions could be split up, but localization is the better way to do it.

Inheritance

Consider Dokeos as a hierarchical (folder) system
Local permission settings can be inherited from upper folders.
inheritance flag on/off
example
  By default students have only View and Suggest permissions in (root) link folder/tool
  Teacher can give students the Add/Publish permissions in the folder 'studentlinks' (and therefore in its subfolders)

Assigning permissions

Permissions are assigned to roles
Permissions are not assigned to users
  because roles are needed anyway (Dokeos has long had Student, Teacher and admin roles)
  because assigning and checking both user and role permissions is difficult
If teachers are assigned (by admin) 'Change permissions' and 'Change roles' permissions:
  Teachers can change the permissions for all students by changing the permissions for their roles.
  Teachers can change the permissions for certain students by assigning them an extra (existing or new) role.
  There could be a few predefined 'Powerful student' roles which could be locally adapted by each teacher.

Conflicting permissions?

Conflicting permissions from different roles:
  positive permissions overrule!
This works if local roles are used correctly
examples
  don't grant Add/Edit/... permissions to global 'Teacher' role (which would be on each course), but to 'Official Course Teacher'
  don't grant View permission to 'Student' role (which would be on each course) but to 'Official Course Member (enrolled)'
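
The inheritance and conflict rules from the slides above, as an added Python sketch (not Dokeos code, and not from the presentation). The class and function names, the user alice, the 'drafts' folder and the rule that local roles assigned at a course apply in all of its sub-locations regardless of the inheritance flag are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Location:
    """One node of the folder-like hierarchy: site, course, tool, folder."""
    name: str
    parent: Optional["Location"] = None
    inherit: bool = True          # inheritance flag from the slides (on/off)
    grants: dict = field(default_factory=dict)       # role -> permissions set here
    local_roles: dict = field(default_factory=dict)  # user -> local roles given here

def ancestors(loc, respect_flag):
    """Yield loc and its parents; optionally stop where inheritance is off."""
    while loc is not None:
        yield loc
        loc = None if (respect_flag and not loc.inherit) else loc.parent

def roles_at(user, global_roles, loc):
    """Global roles plus every local role assigned on the path to loc."""
    roles = set(global_roles.get(user, ()))
    for node in ancestors(loc, respect_flag=False):
        roles |= node.local_roles.get(user, set())
    return roles

def permissions(user, global_roles, loc):
    """Union of grants over all roles: positive permissions overrule."""
    roles = roles_at(user, global_roles, loc)
    perms = set()
    for node in ancestors(loc, respect_flag=True):
        for role, granted in node.grants.items():
            if role in roles:
                perms |= granted
    return perms

def build_demo():
    """Constructed sample tree: two courses, alice enrolled only in course A."""
    member = "Official Course Member (enrolled)"
    site = Location("site")
    course_a = Location("course A", site, local_roles={"alice": {member}})
    course_b = Location("course B", site)
    links_a = Location("links", course_a, grants={member: {"View", "Suggest"}})
    student_links = Location("studentlinks", links_a, grants={member: {"Add", "Publish"}})
    drafts = Location("drafts", links_a, inherit=False)   # hypothetical folder
    links_b = Location("links", course_b, grants={member: {"View", "Suggest"}})
    return {"site": site, "links_a": links_a, "studentlinks": student_links,
            "drafts": drafts, "links_b": links_b}

GLOBAL_ROLES = {"alice": {"Authenticated", "Student"}}   # constructed sample user
```

Because grants are only ever unioned, adding `{"View"}` for the global 'Student' role at the site level gives alice View in course B's links as well, which is the over-broad grant the examples on this slide warn against; only the 'drafts' folder, with inheritance off, stays unaffected.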

Workflows

Example:
  Student Suggests something (e.g. link)
  The student is Owner of the object and can still Edit it.
  Teacher (or anyone with local review permission) either Deletes or Publishes the link (i.e. gives View permission to other roles)

How to make it easy?

Visualisation
  On every location (global, course, group?, tool, file, ...)
  User Permission Matrix or 'ACL' (Access Control List)
  Roles page, where first a Role is chosen, and then users can be added.
  Whenever roles and permissions are shown, it should have links to definitions and Permission matrix
  ...
Implementation
  Default roles and permissions can be chosen according to the current Dokeos settings
  All tools should try to match the general permissions
  ...