Jon Gorrono to Stephen Swinsburg
On Feb 3, 2008 2:34 PM, Stephen Swinsburg <sswinsb2@une.edu.au> wrote:
> > I haven't had much luck with the !site.helper realm before. I added a
> > role to it but that role wasn't visible to other sites (did I need to
> > restart?), but I'll give it a go.
> >
In the dropdown list in site info, you won't see any roles that are
exclusively defined in the !site.helper realm. But the security questions
are all asked within the context of that realm in addition to the
site-realm. For example, if you have a role in !site.helper called 'Site
editor' which has site.upd in it, and you then grant a normally lowly access-only
person that role (Site editor) in that realm (!site.helper), then
automagically, any site that that person is a member of will be editable by
her.
> > What I was hoping for was to have something like !site.helpdesk and have a
> > role in that called helpdesk, with the users added as that role, exactly the
> > same way as the !site.admin realm works - is that method possible? I've
> > already got all the code to support adding and removing users to the admin
> > realm.
> >
It's possible, but for it to work you'd have to get tools to ask the
security question: 'can user X do Y in realm Z?' (where Z=!site.helpdesk).
Right now, no tools would know to ask this question WRT a !site.helpdesk
realm. But they will be asking it by default WRT the !site.helper (and
/site/!admin, too) every time.
> >
> > Or this just occurred to me, adding a role to the admin realm called
> > helpdesk (rather than the existing role called admin) and adding the users
> > to the admin realm with the helpdesk role. Would that be possible?
> >
I can't parse 'admin realm called helpdesk'.... AFAIK, the /site/!admin
realm is special by-name. But things can change fast around here, and I am
slow. The current trunk version of the SakaiSecurityService impl confirms
that the OOTB Sakai still works that way.
At any rate, it takes a unique triplet to determine access: (can user) X
(do function) Y (to object) Z? ... and object=realm ... so, any security
functions granted to user X in a role with the name 'Y' in realm 1 are treated
independently of any granted to user X in a role named 'Y' in realm 2.
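A small model of the triplet check Jon describes, added here as an illustration and not code from Sakai or from anyone on this thread; the realm, role and user names are constructed, and the rules that !site.helper only applies to sites the user is a member of and that /site/!admin is consulted the same way are assumptions taken from the thread.

```python
# Constructed model of Sakai-style realm checks (illustration only, not Sakai code).
SITE_HELPER = "!site.helper"
SITE_ADMIN = "/site/!admin"


class RealmModel:
    def __init__(self):
        self.grants = {}      # realm -> {role name: set of functions}
        self.membership = {}  # realm -> {user: role name}

    def define_role(self, realm, role, functions):
        self.grants.setdefault(realm, {}).setdefault(role, set()).update(functions)

    def add_member(self, realm, user, role):
        self.membership.setdefault(realm, {})[user] = role

    def is_allowed(self, user, function, realm):
        # The triplet: can user X do function Y in realm Z?
        # A role name only means something inside the realm it is defined in.
        role = self.membership.get(realm, {}).get(user)
        if role is None:
            return False
        return function in self.grants.get(realm, {}).get(role, set())

    def can_do_in_site(self, user, function, site_realm):
        # A site's question is asked against its own realm first ...
        if self.is_allowed(user, function, site_realm):
            return True
        # ... then against !site.helper, which (assumption) only helps where the
        # user is already a member of the site ...
        if user in self.membership.get(site_realm, {}):
            if self.is_allowed(user, function, SITE_HELPER):
                return True
        # ... and against /site/!admin (assumption: checked like any other realm).
        return self.is_allowed(user, function, SITE_ADMIN)


def demo():
    m = RealmModel()
    m.define_role("/site/demo1", "access", {"site.visit"})
    m.define_role(SITE_HELPER, "Site editor", {"site.upd"})
    # Same role name in a different realm: granted functions are independent.
    m.define_role("/site/demo2", "Site editor", {"site.visit"})
    m.add_member("/site/demo1", "alice", "access")
    m.add_member(SITE_HELPER, "alice", "Site editor")
    m.add_member("/site/demo2", "bob", "Site editor")
    return {
        "alice_edits_member_site": m.can_do_in_site("alice", "site.upd", "/site/demo1"),
        "alice_edits_nonmember_site": m.can_do_in_site("alice", "site.upd", "/site/demo2"),
        "bob_edits_demo2": m.can_do_in_site("bob", "site.upd", "/site/demo2"),
    }
```

Running demo() shows the access-only user gaining site.upd only on sites she is a member of, and that 'Site editor' in /site/demo2 grants nothing from the same-named role in !site.helper.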
John Leasia adds:
I think what you want are finer grained controls on what the admin role can do. You want helpdesk folks to have access to all sites like admins, but without as much power? I haven't found a way to accomplish that through other means. Adding a new role to the !admin site doesn't do it that I have found - anyone who is a member of the admin site regardless of role/permission there has ability to see and edit all other sites.
There is the ability to automatically add a set of users to course sites created with a certain 'provider id'. We use that here to add college support people to the sites created by their college. It depends on sakai.property definitions that list the users that get added to a particular list of course codes. It is sort of 'generic', but I don't know that anyone but UM is really using it. It is described in the sakai.properties doc - look for the 'affiliates' related sakai.properties.