Feature Wiki

Information about planned and released features

Support for Positions in User Management

1 Initial Problem

The feature Support of Positions in Courses, Groups and Exercises is to be extended to the user administration, too.

2 Conceptual Summary

We will implement the concept of Positions in OrgUnits for the User Management; see Support of Positions in Courses, Groups and Exercises.

Users with the RBAC Permissions "visible" and "read" and the Position Permission "Edit User Accounts" are allowed to:

  • Edit/manage the user accounts of "their" OrgUnits. Other user accounts will be filtered out
  • The export of user accounts is filtered
  • The "Letter Filter" will be filtered

The following features will be restricted or disabled:

  • It is not possible to change any role assignments
  • The "Advanced User Search" will be disabled.
  • Adding User Accounts or Importing User Accounts will be disabled
  • The "User List" for the "Multi-Actions" "All Objects" is restricted to the user accounts that may be managed via OrgUnit permissions.

3 User Interface Modifications

3.1 List of Affected Views

User Accounts in "Administration -> User Management"
Export in "Administration -> User Management"
Permissions in "Administration -> User Management"

3.2 User Interface Details

No new User interface details.

3.3 New User Interface Concepts


4 Technical Information

No further technical information.

5 Contact

6 Funding

If you are interested in funding this feature, please add your name and institution to this list.

7 Discussion

Meyer, Stefan [smeyer]: I support this request.

Klees, Richard [rklees], 20 MAY 2019: I would also appreciate support of the positions in the user management. But I think this needs a little bit more attention to the details. Namely: Is it correct that, currently, users with "Read"-permissions on the User Management are allowed to see all users (and their data) in the system? If so, it would go against the grain of the permission system and the positions to filter that list for users with "Read" based on the positions. The permissions over users gained via a position imo need to be added to the permissions gained via RBAC. If that wasn't the case, we would lose the ability to have users that can view all users, because "read" would not suffice to do so. Alternatively we would introduce an odd situation, where a person with "read" and without permissions via position will in fact lose possibilities by gaining more permissions via a position.

It also might be the case, that my initial assumption about "Read" in the User Management is wrong, which would also feel odd to me, but would be another problem.

Meyer, Stefan [smeyer]: @Richard please have a look at the permission screen in "Administration -> User Management". The following permissions are currently available (used for user management):

  • Visible, Read: Shows the administration node
  • Read Access to User Accounts: only if this permission is granted ALL global users are shown. Should not be given to OrgUnit-Users
  • Edit Role Assignment: Allows changing global role assignments. Should not be given to OrgUnit-Users
  • Create User: Allows to create (import) user accounts. Should not be given to OrgUnit-Users

JourFixe, ILIAS [jourfixe]: We highly appreciate this suggestion and schedule the feature for 6.0. We would like to clarify that this feature request does not include support of positions in the local administration.

8 Implementation

The following SOAP-methods checked the permission "Read Access" for the user folder, which is not correct and has been changed to "Read Access to User Accounts".
Users with only Positions Access on the user accounts will not be able to use these methods (SOAP-Error with "Access denied" is triggered).

  • getUser
  • lookupUser
  • getUserForContainer
  • getUserForRole
  • searchUsers
  • getUserXML

The feature was implemented as described above, with the exception of the extended user search: contrary to the description, it is also allowed for users with position permission, and its results are filtered.
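The access rules from sections 2 and 8 can be written down as a small model. This is an added example, not ILIAS code: `Actor`, `visible_accounts`, `soap_allowed` and the sample accounts are hypothetical, and it assumes that "Read Access to User Accounts" always yields the unfiltered list, so a position can only add visibility and never remove it.

```python
from dataclasses import dataclass, field

# Permission names as used on this page; everything else is a hypothetical model.
READ_ALL = "Read Access to User Accounts"   # RBAC: all global users are shown
NODE = {"visible", "read"}                  # RBAC: shows the administration node

@dataclass
class Actor:
    rbac: set = field(default_factory=set)
    # OrgUnits in which a position grants "Edit User Accounts"
    position_orgunits: set = field(default_factory=set)

def visible_accounts(actor, accounts):
    """Logins the actor gets in the user list, the export and the letter filter.

    accounts maps login -> set of OrgUnits the account belongs to.
    """
    if not NODE <= actor.rbac:
        return set()                        # no access to User Management at all
    if READ_ALL in actor.rbac:
        return set(accounts)                # RBAC grant is not narrowed by positions
    # Position-only access: keep accounts sharing an OrgUnit with the actor
    return {login for login, ous in accounts.items()
            if ous & actor.position_orgunits}

def soap_allowed(actor):
    """getUser, lookupUser, searchUsers, ... check the RBAC permission only."""
    return READ_ALL in actor.rbac

# Constructed sample data, not taken from any real installation
ACCOUNTS = {
    "anna": {"sales"},
    "ben": {"sales", "support"},
    "cara": {"research"},
    "root": set(),                          # account without any OrgUnit
}
orgunit_admin = Actor(rbac={"visible", "read"}, position_orgunits={"sales"})
global_admin = Actor(rbac={"visible", "read", READ_ALL})
# Gaining a position must not take anything away from a global reader
both = Actor(rbac={"visible", "read", READ_ALL}, position_orgunits={"sales"})

if __name__ == "__main__":
    for name, actor in [("orgunit_admin", orgunit_admin),
                        ("global_admin", global_admin), ("both", both)]:
        print(name, sorted(visible_accounts(actor, ACCOUNTS)), soap_allowed(actor))
```

Accounts that belong to no OrgUnit, such as `root` in the sample, are never visible to a position-only user, which is a useful case to cover when testing the filter.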

Test Cases

Test cases completed at 2019-10-24 by Tödt, Alexandra [atoedt]

  • 18750: Global activation of 'Positions' for the global user management
  • 31946: OrgUnit-specific permissions in the global user management
  • 18751: Display filtered by positions in the global user management

Approval

Approved at 2019-11-27 by Jackisch, Ingo [jackisch].

Last edited: 27. Nov 2019, 11:03, Jackisch, Ingo [jackisch]