[Building Sakai] How to create and define tools custom roles

Thu Oct 22 18:46:27 PDT 2009

Hi Tiago,

Once your tool's service comes up, and it's functions are registered,  
then they are available to the whole system. This happens when Tomcat  
starts your service, not when the tool is added. So, you can then  
backfill this new permission into every role in every site you want  
once Sakai is up.

So lets say you need the permission 'mytool.view' in a certain role in  
your site (say 'access') for your tool to display something. Once  
Tomcat is up, you could go into the Realm for a site that doesn't even  
have the tool installed, and you'll still be able to set the  
permissions for various roles.

Being a fan of the web services, I wrote an additional method to add  
to SakaiScript.jws called copyRole(). If you set the permissions in  
the roles in your !site.template.xxx realm, you can then iterate over  
every site you want and sync up the roles from the template site to  
add this new permission in.

Some more info about this is here:
http://steve-on-sakai.blogspot.com/2009/05/roles-in-sakai-sites.html
under the heading 'Populating new/updated roles to existing sites'.

If you haven't got your web services enabled, see here for how to do  
it, including how to secure them:
http://steve-on-sakai.blogspot.com/2009/05/enabling-web-services-in-sakai-and.html

cheers,
Steve

On 23/10/2009, at 2:05 AM, Tiago Gaspar wrote:

> Hi Steve,
>
> Thanks for the response! I liked your suggestion to use Sakai Realms,
> it would make permissions much more flexible. But it would require a
> manual configuration of roles and permissions every time the tools is
> installed. Is there a way a tool itself can do that configuration
> through some API, or some config file, in order to make that process
> transparent to the sakai admin ?
>
>
> Thanks again,
>
> Tiago.
>
>
>
> On Wed, Oct 21, 2009 at 11:27 PM, Steve Swinsburg
> <steve.swinsburg at gmail.com> wrote:
>> Hi,
>>
>> Your tool can define its own permissions and then a user in a site  
>> with
>> those permissions can be granted access to certain functions of  
>> your tool.
>> The roles aren't system wide, they are site-wide, so this should  
>> sort you
>> out. The only thing that is system wide are user types, but once in  
>> a site,
>> a user is assigned a role.
>>
>> For your tool to register it's own permissions, check out
>> authz.api.FunctionManager.
>>
>> Then, if you go to the Admin Realms tool, find a site then find the  
>> roles in
>> that site you can set the permissions for the roles. You'd then add  
>> these
>> updated permissions to the realm templates for new sites (and  
>> backfill them
>> to existing sites, but thats a separate issue).
>>
>> You can also see here for some more info about roles in sites:
>> http://steve-on-sakai.blogspot.com/2009/05/roles-in-sakai-sites.html
>>
>> cheers,
>> Steve
>>
>> On 22/10/2009, at 11:36 AM, Tiago Gaspar wrote:
>>
>>> Hi Guys,
>>>
>>> I'm working on a tool for Sakai that requires specific roles. Not
>>> system-wide roles, but specific tool roles. I couldn't find any
>>> documentation regarding that. I could implement my own solution to  
>>> the
>>> problem, but I would like to follow the Sakai way of doing it. Is
>>> there a Sakai for doing it? :-)
>>>
>>> Appreciate,
>>> Tiago.
>>> _______________________________________________
>>> sakai-dev mailing list
>>> sakai-dev at collab.sakaiproject.org
>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>
>>> TO UNSUBSCRIBE: send email to
>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>> "unsubscribe"
>>
>>
> _______________________________________________
> sakai-dev mailing list
> sakai-dev at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>
> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org 
>  with a subject of "unsubscribe"