Description: Advanced role management
Type: administration
Status:
Owner: TIB
Language: Java
Team:
Location: tba
License: e.g. BSD, MIT, LGPL


Goals

Description

Phase I: Discrete display / edit assertions to replace “and below” permissions for fields (tick)

We want to have discrete assertions stating that a role is able to display and/or edit a field, rather than the current hiddenFromDisplayBelowRoleLevelAnnot / prohibitedFromUpdateBelowRoleLevelAnnot. This will also involve changing the admin screens that provide a display level / update level so that they allow a checkbox-based assertion of multiple roles, rather than a drop-down / radio button.

In changing over the assertions, it will still be possible to model the same restrictions, but rather than saying, for example, “:hiddenFromDisplayBelowRoleLevelAnnot :EDITOR”, it would require “:displayFor :EDITOR”, “:displayFor :CURATOR”, “:displayFor :DB_ADMIN”, and “:displayFor :NOBODY”.

Phase II: Create an upgrade script to replace the existing “and below” permissions (tick)

In order to push these changes to existing triple stores, we will create a scripted process that rewrites existing “DisplayBelow / UpdateBelow” assertions into the equivalent grants of rights to the existing roles. We will also update the default definitions in the home folder used for creating a new Vitro / VIVO instance.
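As an added illustration (not Vitro/VIVO's own code), the rewrite the upgrade script performs, together with a check that the rewritten grants give the same answer as the old “and below” annotations for every role. It assumes the ascending role order PUBLIC, SELF_EDITOR, EDITOR, CURATOR, DB_ADMIN, NOBODY (only the last four appear on this page) and the predicate name :updateFor as the edit counterpart of :displayFor.

```python
# Added illustration, not VIVO/Vitro project code: the Phase II rewrite of
# "and below" role-level annotations into discrete per-role grants.
# Triples are (subject, predicate, object) tuples written as CURIEs.
# Assumed ascending role order; EDITOR..NOBODY appear on the page, the two
# lowest levels are assumed.
ROLE_ORDER = [":PUBLIC", ":SELF_EDITOR", ":EDITOR", ":CURATOR", ":DB_ADMIN", ":NOBODY"]

# Old annotation -> new grant predicate. ":displayFor" is from the page;
# ":updateFor" is an assumed name for the edit counterpart.
REWRITE = {
    ":hiddenFromDisplayBelowRoleLevelAnnot": ":displayFor",
    ":prohibitedFromUpdateBelowRoleLevelAnnot": ":updateFor",
}

# Constructed sample: one property restricted both for display and update.
SAMPLE = [
    (":hasSalary", ":hiddenFromDisplayBelowRoleLevelAnnot", ":EDITOR"),
    (":hasSalary", ":prohibitedFromUpdateBelowRoleLevelAnnot", ":CURATOR"),
    (":hasSalary", ":label", "salary"),
]

def rewrite_triples(triples):
    """Expand each 'and below' annotation into one grant per permitted role."""
    out = []
    for s, p, o in triples:
        if p in REWRITE:
            permitted = ROLE_ORDER[ROLE_ORDER.index(o):]  # named level and above
            out.extend((s, REWRITE[p], role) for role in permitted)
        else:
            out.append((s, p, o))  # unrelated assertions pass through unchanged
    return out

def allowed_old(triples, prop, annot, role):
    """Old model: permitted when the role is at or above the annotated level."""
    for s, p, o in triples:
        if s == prop and p == annot:
            return ROLE_ORDER.index(role) >= ROLE_ORDER.index(o)
    return True  # unannotated: the old model imposes no restriction

def allowed_new(triples, prop, grant, role):
    """New model: permitted only by an explicit per-role grant triple."""
    return (prop, grant, role) in triples

def rewrite_preserves_rights(triples):
    """Check the migration changes no outcome for any annotated property and role."""
    new = rewrite_triples(triples)
    return all(
        allowed_old(triples, s, p, r) == allowed_new(new, s, REWRITE[p], r)
        for s, p, _ in triples if p in REWRITE for r in ROLE_ORDER
    )
```

Running rewrite_preserves_rights over a real store's annotations before committing the rewritten graph gives a cheap regression check that the migration neither widens nor narrows any field's visibility.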

Phase III: Remove hardcoded references to role levels from the Java code (tick)

At this point, nothing should remain that assumes the inherited model of role authorisation. Once that is confirmed, we can externalise the role level definitions from the BaseResourceBean (and the PermissionSet URIs?), and have the available roles defined entirely by configuration.

This would open up the possibility of defining more roles in the system (and giving them discrete permissions, so that one group of users might edit only publications, and another only grants). At this stage, new roles would be established in the configuration files and become available on restart, although the field permissions could be updated within Vitro / VIVO.

Once the above is implemented, we would likely look at making the changes available for Vitro (and the configuration for VIVO), subject to evaluation. Further developments could then include:

Phase IV: Role-oriented control panel for enabling/disabling permissions (tick)

Simple control panel(s) for setting the permissions for roles across multiple fields, in addition to editing permissions on a field-by-field basis (a grid of checkboxes, with fields on one axis and roles on the other).

Phase V: Control panel for creating new roles

Ultimately, we may need a means of creating new roles within the application directly, not just establishing them in the configuration files to be reloaded on restarting VIVO. This would involve resolving issues around how PermissionSets are loaded.

Features (tbd.)

Documentation

Ticket:

Where do roles appear in VIVO?

User Account Management


Ontology editor (tick)

SiteAdmin


Page Management

Controls the permission to display web pages. The menu is similar to the Ontology Editor integration.


Notes