feature request #3709

[E+M][Editor] sufficient rights management for E+M workflow

Added by Andreas Kohlbecker over 5 years ago. Updated 8 months ago.

Status: In Progress
Priority: Highest
Category: taxeditor
Target version:
Start date: 09/09/2013
Due date:
% Done: 0%
Estimated time: 20.00 h
Severity: critical

Description

Implement rights management and roles etc. which is needed for the E+M workflow:

Groups and Authorities

In ticket #4082 (implement default permission groups) the default PermissionGroups have been implemented for Eumed (and hopefully also for other databases). These default permission groups have to be combined and others have to be created manually in order to create the effective user groups for euro + med, which are:

  1. the Editorial Board, which has read and write access to all data (ROLE_PUBLISH + group ProjectManager + group Editor + group "Euro+Med Plantbase")

  2. the individual authors, who have read and write access for their respective taxonomic group (family, genus etc. with all the taxa contained therein), but who, for example, may not edit, add or delete new bibliographic references (e.g. for geographic information) - they may add nomenclatural references, but may not change or delete existing references.

In the CDM, however, authors should in principle be allowed to create references. They then simply have to check whether the reference already exists! (group Editor + group __"))

  3. A third level concerns the entry of common names - these users may not change anything in the taxonomy or the names, but may only add information (factual data) with the corresponding bibliographic references.

Additional Groups:

Group Euro+Med Plantbase:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]

Group **:

TAXONNODE.[CREATE,READ,UPDATE,DELETE]{$uuid}

see also milestone Taxeditor-security

Requirements

  • protect cdm types with CdmAuthorities:

    • Taxon - OK
    • TaxonNode - OK
    • Terms - TODO: Group Editor = TERMBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TERMBASE[CREATE,READ,UPDATE,DELETE]
    • References - TODO: Group Editor = REFERENCE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, REFERENCE[CREATE,READ,UPDATE,DELETE]
    • Names - TODO: Group Editor = TAXONNAMEBASE[CREATE,READ]; new Group Project_Admin = ROLE_PROJECT_MANAGER, TAXONNAMEBASE[CREATE,READ,UPDATE,DELETE]
  • Permission to edit, create, remove taxa can be restricted to one or multiple taxonomic groups - seems to be working -but the editor displays aggressive and technical error dialogues in case a user dares to execute a prohibited operation-. Three actions need to be taken to improve this situation:

  1. #4056 (taxeditor responds with nicer dialogue in case a user executes a prohibited operation)

  2. #3781 (Protect new and delete TaxonNode commands [DISCUSS])

  3. #4055 (operations offered by editor adapt to the users granted authorities) - UNDER REVIEW

  4. #4111 (behaviour of TaxonEditor for users with limited grants [DISCUSS])

  5. a bug: #4115 ('editor' users cannot create new references via the reference select list)

  • Publish flag: A person allowed to edit a taxonomic group should not at the same time be allowed to publish this taxon. Therefore a special PUBLISH role is needed, which can be global or bound to a classification:

    • publish flag in cdmlib: #1780 (Publish bit instead of marker)
    • #4101 (publish bit must not be set by default for new taxa)
    • permission management: #3980 (Implement PUBLISH role into cdmlib security)
    • editor: #3739 (Allow editing of publish bit for Taxon and SpecimenOrObservationBase), #3951 (Allow editing of publish bit for SpecimenOrObservationBase), #4011 (disallow changing publish flag for users with insufficient rights)
    • #4132 (automatic setting of the publish flag after editing an entity [DISCUSS])
    • #4133 (publish flag inheritance for new taxa [DISCUSS])
  • Users, Groups and Granted authorities can be more or less easily managed:

    • #2282 (Implement User and Group Management facilities in the Taxonomic Editor)
    • #2414 (Group updating doesn't work)
    • #3782 (Security Context is not updated after editing GrantedAuthorities of a Group)
    • #4082 (implement default permission groups)
    • lower priority tickets:
    • #4013 (GrantedAuthority: Humane label of TaxonNode authorities)
    • #4014 (user friendly way to assign Authority Roles to users or to Groups)
    • #4052 (disentangle Group, Role, CdmAuthority, GrantedAuthorityImpl, ...)
    • #4054 (Taxeditor, Group Bulkeditor cannot delete Group)

Related issues

Related to Edit - feature request #4101: Default value for publish bit of new taxa must be configurable via DB preferences Closed 03/07/2014
Related to Edit - feature request #4133: publish flag inheritance for new taxa [DISCUSS] Duplicate 08/18/2014
Related to Edit - feature request #4014: user friendly way to assign Authority Roles to users or to Groups New 08/18/2014
Related to Edit - feature request #6162: Implement "Forgot your password?" button in the Taxeditor connect dialog New 10/26/2016 10/26/2016
Related to Edit - task #3560: Withheld unpublished taxa from webservice used in E+M dataportal Resolved 09/27/2013
Related to Edit - feature request #4305: newly created entities must stay editable even if a user only has the permission to create them In Progress 08/06/2014

History

#1 Updated by Andreas Müller over 5 years ago

  • Assignee changed from Andreas Müller to Andreas Kohlbecker

#2 Updated by Andreas Kohlbecker over 5 years ago

from email

Hello Andreas and everyone else,

(sorry Cherian for this Email completely in German)

here are the PermissionGroups that are needed for Eumed and all other databases in order to be able to restrict users' rights to individual taxonomic groups.

Group "Editor" (always needed):

DESCRIPTIONELEMENTBASE.[CREATE,UPDATE,DELETE,READ]

DESCRIPTIONBASE.[CREATE,UPDATE,DELETE,READ]

TAXONBASE.[CREATE,UPDATE,DELETE,READ]

Then one special group per taxonomic group, e.g.

Compositae

TAXONNODE.[READ,UPDATE,DELETE]{820604dc-00ac-4ffb-95d7-a6bcc012900f}

(no idea whether this UUID is correct ;-) it is just an example)

A user then always gets the group "Editor" plus a special TaxonNode-related group, and off they go editing with restricted rights

best regards

Andreas
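
The group scheme from the e-mail above, as an added example that is not part of the ticket and not cdmlib code: it parses authority strings of the form `CLASS.[OPS]{uuid}`, unions the authorities of a user's groups and checks an operation with deny-by-default. The subtree rule (a grant bound to a node also covers the nodes below it), the child-node UUIDs and all function names are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Grammar assumed from the strings in this ticket: CLASS.[OP,OP,...]{optional-uuid}
AUTHORITY_RE = re.compile(r"^([A-Z]+)\.\[([A-Z, ]+)\](?:\{([0-9a-f-]{36})\})?$")
OPERATIONS = {"CREATE", "READ", "UPDATE", "DELETE"}
# target_uuid is None when the grant is not bound to one node
Authority = namedtuple("Authority", "cdm_class operations target_uuid")

def parse_authority(text):
    m = AUTHORITY_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed authority: {text!r}")
    ops = frozenset(op.strip() for op in m.group(2).split(","))
    if not ops <= OPERATIONS:
        raise ValueError(f"unknown operation in {text!r}")
    return Authority(m.group(1), ops, m.group(3))

# Constructed sample data: group contents from the e-mail; ASTER and ROSACEAE
# are made-up node uuids, ASTER being a child of the Compositae node.
COMPOSITAE = "820604dc-00ac-4ffb-95d7-a6bcc012900f"
ASTER = "11111111-1111-1111-1111-111111111111"
ROSACEAE = "22222222-2222-2222-2222-222222222222"
PARENT_OF = {ASTER: COMPOSITAE}
GROUPS = {
    "Editor": ["DESCRIPTIONELEMENTBASE.[CREATE,UPDATE,DELETE,READ]",
               "DESCRIPTIONBASE.[CREATE,UPDATE,DELETE,READ]",
               "TAXONBASE.[CREATE,UPDATE,DELETE,READ]"],
    "Compositae": ["TAXONNODE.[READ,UPDATE,DELETE]{%s}" % COMPOSITAE],
}

def effective_authorities(group_names):
    """A user's authorities are the union of those of all assigned groups."""
    return {parse_authority(a) for g in group_names for a in GROUPS[g]}

def is_permitted(granted, cdm_class, operation, node=None):
    """Deny by default; a uuid-bound grant covers that node and its subtree."""
    for auth in granted:
        if auth.cdm_class != cdm_class or operation not in auth.operations:
            continue
        if auth.target_uuid is None:
            return True
        current = node
        while current is not None:  # walk up towards the root (assumed rule)
            if current == auth.target_uuid:
                return True
            current = PARENT_OF.get(current)
    return False
```

With groups "Editor" and "Compositae", a user can update or delete nodes under Compositae but cannot create nodes there, touch nodes in other families, or update references.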

#3 Updated by Andreas Kohlbecker over 5 years ago

  • Status changed from New to In Progress

#4 Updated by Andreas Kohlbecker over 4 years ago

  • Keywords set to Euro+Med,Migration

#11 Updated by Andreas Kohlbecker over 1 year ago

  • Related to feature request #4101: Default value for publish bit of new taxa must be configurable via DB preferences added

#17 Updated by Andreas Kohlbecker over 1 year ago

#22 Updated by Andreas Kohlbecker over 1 year ago

  • Related to feature request #4014: user friendly way to assign Authority Roles to users or to Groups added

#25 Updated by Andreas Kohlbecker over 1 year ago

  • Description updated (diff)
  • Private changed from Yes to No

#27 Updated by Andreas Kohlbecker over 1 year ago

  • Related to feature request #6162: Implement "Forgot your password?" button in the Taxeditor connect dialog added

#28 Updated by Andreas Kohlbecker over 1 year ago

  • Related to task #3560: Withheld unpublished taxa from webservice used in E+M dataportal added

#31 Updated by Andreas Kohlbecker over 1 year ago

  • Related to feature request #4305: newly created entities must stay editable even if a user only has the permission to create them added

#34 Updated by Andreas Müller 8 months ago

  • Estimated time set to 20.00 h
