Feature Wiki
Tabs
Support for Positions in User Management
Page Overview
[Hide]1 Initial Problem
The feature Support of Positions in Courses, Groups and Exercises is to be extended to the user administration, too.
2 Conceptual Summary
We will implement the concept of Positions in Orgunits for the User Managment see Support of Positions in Courses, Groups and Exercises
Users with the RBAC Permissions "visible" and "read" and the Position Permission "Edit User Accounts" are allowed to:
- Edit/Manage user account of "their" OrgUnits. Other User Accounts will be filtered
- The Export of user accounts is filtered
- The "Letter Filter" wil be filtered
- It is not possible to change any role assignments
- The "Advanced User Search" will be disabled.
- Adding User Accounts or Importing User Accounts will be disabled
- The "User List" for the "Multi-Actions" "All Objects" are restricted to the user account which are allowed to be mangaged by OrgUnit-Permissions.
3 User Interface Modifications
3.1 List of Affected Views
User Accounts in "Administration -> User Management
Export in "Administration -> User Managment
Permissions in "Administration -> User Managment"
3.2 User Interface Details
No new User interface details.
3.3 New User Interface Concepts
{If the proposal introduces any completely new user interface elements, you might consult UI Kitchen Sink in order to find the necessary information to propose new UI-Concepts. Note that any maintainer might gladly assist you with this.}
4 Technical Information
No further technical information.
5 Contact
- Author of the Request: Meyer, Stefan [smeyer]
- Maintainer: Meyer, Stefan [smeyer]
- Implementation of the feature is done by: Meyer, Stefan [smeyer]
6 Funding
If you are interest in funding this feature, please add your name and institution to this list.
7 Discussion
Meyer, Stefan [smeyer]: I support this request.
Klees, Richard [rklees], 20 MAY 2019: I would also appreciate support of the positions in the user management. But I think this needs a little bit more attention to the details. Namely: Is it correct that, currently, users with "Read"-permissions on the User Management are allowed to see all users (and their data) in the system? If so, it would go against the grain of the permission system and the positions to filter that list for users with "Read" based on the positions. The permissions over users gained via a position imo need to be added to the permissions gained via RBAC. If that wasn't the case, we would loose the ability to have users that can view all users, because "read" would not suffice to do so. Alternatively we would introduce an odd situation, where a person with "read" and without permissions via position will in fact lose possibilities by gaining more permissions via a position.
It also might be the case, that my initial assumption about "Read" in the User Management is wrong, which would also feel odd to me, but would be another problem.
Meyer, Stefan [smeyer] @Richard please have a look on the permission screen in "Administration -> User Managment". The following permissions are currently available (used for user managment):
- Visible, Read: Shows the administration node
- Read Access to User Accounts: only if this permission is granted ALL global users are shown. Should not be given to OrgUnit-Users
- Edit Role Assignment: Allow the change global role assignments. Should not be given to OrgUnit-Users
- Create User: Allows to create (import) user accounts. Should not be given to OrgUnit-Users
JourFixe, ILIAS [jourfixe]: We highly appreciate this suggestion and schedule the feature for 6.0. We would like to clarify that this feature request does not include support of positions in the local administration.
8 Implementation
The following SOAP-methods checked the permission "Read Access" for the user folder, which is not correct and has been changed to "Read Access to User Accounts".
Users with only Positions Access on the user accounts will not be able to use these methods (SOAP-Error with "Access denied" is triggered).
- getUser
- lookupUser
- getUserForContainer
- getUSerForRole
- searchUsers
- getUserXML
The feature was implemented as described above with the exception of extended user search. This was also allowed and filtered for users with position permission, contrary to the description.
Test Cases
Test cases completed at 2019-10-24 by Tödt, Alexandra [atoedt]
- 18750: Globale Aktivierung der 'Positionen' für globale Benutzerverwaltung
- 31946: Orgunit-spezifische Rechte in der globalen Benutzerverwaltung
- 18751: Nach Positionen gefilterte Darstellung in der globalen Benutzerverwaltung
Approval
Approved at 2019-11-27 by Jackisch, Ingo [jackisch].
Last edited: 27. Nov 2019, 11:03, Jackisch, Ingo [jackisch]