[Building Sakai] How to create and define tools custom roles

Tiago Gaspar tiagocgaspar at gmail.com
Sun Oct 25 06:42:58 PDT 2009


Hi Steve,

I've found a solution that I wanted. Instead of manually creating
specific roles and setting the required permissions in Realms, I'm
using AuthzGroupService to make all those steps transparent to the
Sakai administrator.

The tool automatically creates all the necessary roles and sets all the
permissions. Here's some of the code:

     // creates a role, copying the permissions of roleModel
     AuthzGroup ag = authzGroupService.getAuthzGroup(groupId);
     ag.addRole(roleId, roleModel);
     authzGroupService.save(ag);

     // assigns a permission to the new role
     Role role = ag.getRole(roleId);
     role.allowFunction(permissionId);
     authzGroupService.save(ag);

** the code has been simplified...

The AuthzGroup.addRole (role, roleModel) already creates a role
copying the permissions from another, so I didn't use your webservice.

Here are some useful references:
http://steve-on-sakai.blogspot.com/2009/05/roles-in-sakai-sites.html
http://confluence.sakaiproject.org/display/BOOT/Using+the+AuthzGroup+Service
http://source.sakaiproject.org/release/2.2.1/javadoc/org/sakaiproject/authz/api/AuthzGroup.html

Thanks again for the tips,

Tiago Gaspar.


On Thu, Oct 22, 2009 at 11:46 PM, Steve Swinsburg
<steve.swinsburg at gmail.com> wrote:
> Hi Tiago,
>
> Once your tool's service comes up, and its functions are registered, then
> they are available to the whole system. This happens when Tomcat starts your
> service, not when the tool is added. So, you can then backfill this new
> permission into every role in every site you want once Sakai is up.
>
> So let's say you need the permission 'mytool.view' in a certain role in your
> site (say 'access') for your tool to display something. Once Tomcat is up,
> you could go into the Realm for a site that doesn't even have the tool
> installed, and you'll still be able to set the permissions for various
> roles.
>
> Being a fan of the web services, I wrote an additional method to add to
> SakaiScript.jws called copyRole(). If you set the permissions in the roles
> in your !site.template.xxx realm, you can then iterate over every site you
> want and sync up the roles from the template site to add this new permission
> in.
>
> Some more info about this is here:
> http://steve-on-sakai.blogspot.com/2009/05/roles-in-sakai-sites.html
> under the heading 'Populating new/updated roles to existing sites'.
>
> If you haven't got your web services enabled, see here for how to do it,
> including how to secure them:
> http://steve-on-sakai.blogspot.com/2009/05/enabling-web-services-in-sakai-and.html
>
> cheers,
> Steve
>
>
> On 23/10/2009, at 2:05 AM, Tiago Gaspar wrote:
>
>> Hi Steve,
>>
>> Thanks for the response! I liked your suggestion to use Sakai Realms,
>> it would make permissions much more flexible. But it would require a
>> manual configuration of roles and permissions every time the tool is
>> installed. Is there a way a tool itself can do that configuration
>> through some API, or some config file, in order to make that process
>> transparent to the Sakai admin?
>>
>>
>> Thanks again,
>>
>> Tiago.
>>
>>
>>
>> On Wed, Oct 21, 2009 at 11:27 PM, Steve Swinsburg
>> <steve.swinsburg at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> Your tool can define its own permissions and then a user in a site with
>>> those permissions can be granted access to certain functions of your tool.
>>> The roles aren't system wide, they are site-wide, so this should sort you
>>> out. The only thing that is system wide are user types, but once in a site,
>>> a user is assigned a role.
>>>
>>> For your tool to register its own permissions, check out
>>> authz.api.FunctionManager.
>>>
>>> Then, if you go to the Admin Realms tool, find a site then find the roles in
>>> that site you can set the permissions for the roles. You'd then add these
>>> updated permissions to the realm templates for new sites (and backfill them
>>> to existing sites, but that's a separate issue).
>>>
>>> You can also see here for some more info about roles in sites:
>>> http://steve-on-sakai.blogspot.com/2009/05/roles-in-sakai-sites.html
>>>
>>> cheers,
>>> Steve
>>>
>>> On 22/10/2009, at 11:36 AM, Tiago Gaspar wrote:
>>>
>>>> Hi Guys,
>>>>
>>>> I'm working on a tool for Sakai that requires specific roles. Not
>>>> system-wide roles, but specific tool roles. I couldn't find any
>>>> documentation regarding that. I could implement my own solution to the
>>>> problem, but I would like to follow the Sakai way of doing it. Is
>>>> there a Sakai way for doing it? :-)
>>>>
>>>> Appreciate,
>>>> Tiago.
>>>> _______________________________________________
>>>> sakai-dev mailing list
>>>> sakai-dev at collab.sakaiproject.org
>>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>>>>
>>>> TO UNSUBSCRIBE: send email to
>>>> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>>>> "unsubscribe"
>>>
>>>
>
>
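
An added example, not part of the original thread and not Sakai's own code: the role creation described in this thread, written so it can run on every startup without duplicating work, and returning the permissions a new role copied from its model role so they can be logged and reviewed. The class name ToolRoleProvisioner and the method ensureRole are hypothetical; it assumes the org.sakaiproject.authz.api interfaces are on the classpath and that Sakai injects the two services.

```java
import java.util.Set;
import java.util.TreeSet;
import org.sakaiproject.authz.api.AuthzGroup;
import org.sakaiproject.authz.api.AuthzGroupService;
import org.sakaiproject.authz.api.AuthzPermissionException;
import org.sakaiproject.authz.api.FunctionManager;
import org.sakaiproject.authz.api.GroupNotDefinedException;
import org.sakaiproject.authz.api.Role;
import org.sakaiproject.authz.api.RoleAlreadyDefinedException;

/** Hypothetical helper (not Sakai code): provisions a tool role idempotently. */
public class ToolRoleProvisioner {
    private final AuthzGroupService authzGroupService; // injected by Sakai
    private final FunctionManager functionManager;     // injected by Sakai

    public ToolRoleProvisioner(AuthzGroupService ags, FunctionManager fm) {
        this.authzGroupService = ags;
        this.functionManager = fm;
    }

    /** Ensures roleId exists in the realm and holds permissionId. Returns the
     *  permissions a newly created role inherited from modelRoleId, for review. */
    public Set<String> ensureRole(String realmId, String roleId, String modelRoleId,
            String permissionId) throws GroupNotDefinedException,
            AuthzPermissionException, RoleAlreadyDefinedException {
        if (!functionManager.getRegisteredFunctions().contains(permissionId)) {
            functionManager.registerFunction(permissionId); // make it known system-wide
        }
        AuthzGroup ag = authzGroupService.getAuthzGroup(realmId);
        Set<String> inherited = new TreeSet<String>();
        boolean changed = false;
        Role role = ag.getRole(roleId);
        if (role == null) { // create only when missing, so reruns are harmless
            Role model = (modelRoleId == null) ? null : ag.getRole(modelRoleId);
            role = (model == null) ? ag.addRole(roleId) : ag.addRole(roleId, model);
            for (Object f : role.getAllowedFunctions()) {
                inherited.add((String) f); // everything copied from the model
            }
            changed = true;
        }
        if (!role.isAllowed(permissionId)) {
            role.allowFunction(permissionId);
            changed = true;
        }
        if (changed) {
            authzGroupService.save(ag); // fails unless caller may update the realm
        }
        return inherited;
    }
}
```

Passing null as modelRoleId creates the role with no inherited permissions, so it ends up holding only the tool's own permission.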

