[GeoNetwork-devel] Privileges

Hi Folks,
Seems I’m going to have to be on this dev list for a few days to discuss a few issues raised in my tickets.

Relating to this comment/ticket - http://trac.osgeo.org/geonetwork/ticket/316#comment:2 - can you tell me what user-account type (editor/admin etc.) apart from Admin can alter the privileges to post metadata to the “all” group? Because I can’t figure out why someone with “Editor” permissions isn’t allowed to post there.

Regards,
Jonathan

This transmission is intended for the named addressee(s) only and may contain sensitive or protectively marked material up to RESTRICTED and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately. All email traffic sent to or from us, including without limitation all GCSX traffic, may be subject to recording and/or monitoring in accordance with relevant legislation.

Hi Jonathan

AFAIK (it is the case in the geocat.ch-Sandbox), the reviewer (or is it called content-reviewer?) is the one to publish metadata. The reviewer is a sort of admin for the group who has control over the publishing workflow. It’s the “two-person integrity” principle, and allows the editing work to be done by other people without “losing control”. In our application we have also given the user admin the right to publish for “all”.

But you are right, in some cases it would be nice to have an additional role: an editor with the right to publish his own metadata.
A little brainstorming:
Perhaps it would be worth thinking about a re-organisation of the users in general. Something like not having pre-defined users but real roles, like:

  • view
  • edit
  • publish all metadata within the group for the group
  • publish own metadata for the group
  • publish all metadata within the group for all
  • publish own metadata for all
  • publish all for all (admin)
  • create new users within the group
  • create group (admin)
  • create new user for all groups (admin)
  • …?

So you (as admin) could create individual users and give them the rights you want to.

cheers,
Annina

On Sep 23, 2010, at 1:33 PM, jonathanmoules@anonymised.com5… wrote:

GeoNetwork-devel mailing list
GeoNetwork-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geonetwork-devel
GeoNetwork OpenSource is maintained at http://sourceforge.net/projects/geonetwork

Hi Annina,
Ok, the two-person integrity system makes some sense, but for our use-case I think just one person will probably be sufficient (though thinking about it, the two-person system may be good, I’ll have to have it looked into).
I do like the idea of a finer degree of control over user-permissions. At present everyone has to be shoe-horned into the pre-defined roles. On top of that, it’s not entirely clear what the current roles do either.

My suggestions for possible permissions. Read the () [pair of round brackets] as a checkbox/radio button.

Metadata permissions:

  • View: () All; () Own group
  • Create / edit / delete: () All; () Own group
  • Publish to: () Own group; () All

User management:
() Create/delete groups
() Create/delete users
() Create/delete categories

I think that covers most of them doesn’t it?

Jonathan


If you are building your own Geonetwork install, you can re-organise the permissions hierarchy yourself.

Take a look at WEB-INF/user-profiles.xml.

Justin.


From: jonathanmoules@anonymised.com [mailto:jonathanmoules@anonymised.com]
Sent: 23 September 2010 13:46
To: Annina Hirschi Wyss
Cc: geonetwork-devel@lists.sourceforge.net
Subject: Re: [GeoNetwork-devel] Privileges


This email is only intended for the person to whom it is addressed and may contain confidential information. If you have received this email in error, please notify the sender and delete this email which must not be copied, distributed or disclosed to any other person.

Unless stated otherwise, the contents of this email are personal to the writer and do not represent the official view of Ordnance Survey. Nor can any contract be formed on Ordnance Survey's behalf via email. We reserve the right to monitor emails and attachments without prior notice.

Thank you for your cooperation.

Ordnance Survey
Romsey Road
Southampton SO16 4GU
Tel: 08456 050505
http://www.ordnancesurvey.co.uk

Ok, taking a look at it, it makes sense. But each extends the last, which I don’t think allows for two roles having disparate permissions (i.e., if you want a “higher” level to not have a permission that a lower one has).

Also, it looks like the “Reviewer” is identical to “Editor” unless it has certain permissions hard-coded somewhere:

Jonathan

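As an added example (not code from this thread, and not GeoNetwork's own code), the script below audits the two points raised in the thread: Justin's pointer that profiles live in an XML file where each profile extends the previous one, and Jonathan's observation that such a chain cannot express a "higher" role lacking a permission a "lower" one has, which is what Annina's and Jonathan's flat permission lists would fix. It resolves the extends chain into the effective service set of every profile, reports profiles that end up with identical rights (the "Reviewer looks identical to Editor" case), tells you which ancestor grants a given service, and checks a least-privilege policy against both the chained profiles and a flat role table. The sample XML is constructed to mimic the shape described in the thread; its element and service names are illustrative assumptions, not GeoNetwork's real user-profiles.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not GeoNetwork's real user-profiles.xml): it only mimics the
# shape described in the thread, where each profile "extends" the previous one and
# lists the services it may call. Service names are illustrative assumptions.
SAMPLE_PROFILES = """\
<profiles>
  <profile name="Guest">
    <allow service="search"/>
    <allow service="metadata.show"/>
  </profile>
  <profile name="RegisteredUser" extends="Guest">
    <allow service="user.pwedit"/>
  </profile>
  <profile name="Editor" extends="RegisteredUser">
    <allow service="metadata.create"/>
    <allow service="metadata.update"/>
    <allow service="metadata.delete"/>
  </profile>
  <profile name="Reviewer" extends="Editor">
  </profile>
  <profile name="UserAdmin" extends="Reviewer">
    <allow service="user.create"/>
  </profile>
  <profile name="Administrator" extends="UserAdmin">
    <allow service="group.create"/>
    <allow service="metadata.admin"/>
  </profile>
</profiles>
"""


def parse_profiles(xml_text):
    """Return {profile_name: (parent_name_or_None, set_of_own_services)}."""
    root = ET.fromstring(xml_text)
    profiles = {}
    for p in root.findall("profile"):
        own = {a.get("service") for a in p.findall("allow")}
        profiles[p.get("name")] = (p.get("extends"), own)
    return profiles


def effective_services(profiles, name, _seen=None):
    """Union of a profile's own services and everything inherited via `extends`.
    Raises on an unknown parent or a cycle, both of which are config errors."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError(f"cycle in extends chain at {name!r}")
    if name not in profiles:
        raise KeyError(f"unknown profile {name!r}")
    seen.add(name)
    parent, own = profiles[name]
    inherited = effective_services(profiles, parent, seen) if parent else set()
    return inherited | own


def resolve_all(profiles):
    return {n: effective_services(profiles, n) for n in profiles}


def profiles_with_identical_rights(resolved):
    """Pairs of profiles whose effective rights are exactly equal."""
    names = sorted(resolved)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if resolved[a] == resolved[b]]


def grant_path(profiles, name, service):
    """Walk up the chain and return the profile that declares `service`, or None."""
    cur = name
    while cur is not None:
        parent, own = profiles[cur]
        if service in own:
            return cur
        cur = parent
    return None


def check_least_privilege(resolved, policy):
    """policy = {role: services the role must NOT have}. Returns the violations.
    With a linear extends chain a child can never drop an ancestor's service, so
    any such rule fails; a flat role table can satisfy it."""
    violations = {}
    for role, forbidden in policy.items():
        bad = resolved.get(role, set()) & forbidden
        if bad:
            violations[role] = sorted(bad)
    return violations


# The alternative proposed in the thread: each role is an explicit set of
# permissions, so a user-management role need not carry editing rights.
FLAT_ROLES = {
    "Editor": {"search", "metadata.show", "metadata.create",
               "metadata.update", "metadata.delete"},
    "UserAdmin": {"search", "metadata.show", "user.create"},
}

if __name__ == "__main__":
    profiles = parse_profiles(SAMPLE_PROFILES)
    resolved = resolve_all(profiles)
    for name, services in resolved.items():
        print(f"{name}: {sorted(services)}")
    print("identical rights:", profiles_with_identical_rights(resolved))
    print("who grants UserAdmin metadata.delete:",
          grant_path(profiles, "UserAdmin", "metadata.delete"))
    policy = {"UserAdmin": {"metadata.delete"}}
    print("chain violations:", check_least_privilege(resolved, policy))
    print("flat violations:", check_least_privilege(FLAT_ROLES, policy))
```

Run against a real profile file, the interesting output is the `identical rights` list and the `grant_path` answer: if a profile inherits a service only because some ancestor declares it, the only way to withhold it is to restructure the chain, which is exactly the limitation the thread describes. The cycle and unknown-parent errors are deliberate: a profile file that loops or references a missing parent should fail loudly rather than silently grant or drop rights.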