[Building Sakai] Sakai 10 and Adminlite

Matthew Jones matthew at longsight.com
Tue Jul 8 07:40:41 PDT 2014


Yeah, I think the biggest issue would be that Sakai has a special check
that was built into the design called

isSuperUser()

Basically if the user is allowed site.upd in the /site/!admin site they are
a super user, so if they are in that site they'll succeed in that check.

            if (authzGroupService().isAllowed(userId, SiteService.SECURE_UPDATE_SITE, "/site/!admin"))

This call is used all over the code for permission checks as well as
performance bypasses since you don't need to check if an admin user can
access 10000 specific sites or resources, they can just because they are
admin. So it seems like there's going to be some things that someone in the
admin workspace gets access to above and beyond from this check in some
tools.


On Tue, Jul 8, 2014 at 10:35 AM, Bryan Holladay <holladay at longsight.com>
wrote:

> I've actually never tried adding the admin workspace to the hierarchy and
> assigning non admins to it.  I would assume it works fine.  I would be
> worried about special tools that don't check for permissions and assume
> that it's an admin tool since it's in the admin workspace.  You don't need
> to worry about the "Become User" tool anymore since there are new checks in
> Sakai 10x to make sure the user is an actual admin user and not a DA user.
> DA users can be granted access to use the Become User tool only for users
> within their hierarchy access.  What are you wanting the user to have
> access to?
>
> -Bryan
>
>
> On Tue, Jul 8, 2014 at 10:08 AM, Kurosch Petzold <
> kurosch.petzold at fu-berlin.de> wrote:
>
>> Does this include the admin workspace?
>>
>> Best regards,
>> Kurosch
>> >>We would like a Support role that basically is an admin with view
>> > permission only.
>> >
>> > This is what the Delegated Access tool was designed for.  Since you
>> have a
>> > specific use case in mind, you should create a new realm and turn on the
>> > view only permissions and turn off the edit/remove permissions.  Then
>> you
>> > can choose users who will get these permissions in any set or subset of
>> > sites (including all sites).
>> >
>> > -Bryan
>> >
>> >
>> > On Tue, Jul 8, 2014 at 9:48 AM, Kurosch Petzold <
>> > kurosch.petzold at fu-berlin.de> wrote:
>> >
>> >> Hey Neal,
>> >>
>> >> We would like a Support role that basically is an admin with view
>> >> permission only. By the way are there any plans to change the
>> >> administration setup from centralized security officers to
>> decentralized
>> >> role-based access control, i.e. implementing ARBAC[0];[1];
>> >>
>> >>
>> >> [0]
>> >>
>> >>
>> http://www.computer.org/cms/Computer.org/dl/mags/co/1996/02/figures/r20384.gif
>> >> [1]http://www.computer.org/csdl/mags/co/1996/02/r2038.html
>> >>
>> >> Best regards,
>> >> Kurosch Petzold
>> >> > Which functionality do you need that is not in Delegated Access?
>> >> >
>> >> > -- Neal
>> >> >
>> >> >
>> >> >> Kurosch Petzold <mailto:kurosch.petzold at fu-berlin.de>
>> >> >> July 8, 2014 at 9:31 AM
>> >> >> Hi Neal,
>> >> >>
>> >> >>> Have you looked at the Delegated Access tool, to see if that will
>> >> meet
>> >> >>> your needs?
>> >> >>>
>> >> >>>
>> https://confluence.sakaiproject.org/display/DAC/Delegated+Access+Tool
>> >> >>>
>> >> >>> I know it is not quite the same thing, but maybe enough of an
>> >> overlap?
>> >> >>>
>> >> >>
>> >> >> we checked the Delegated Access tool and we will be using it.
>> However
>> >> >> the
>> >> >> missing functionality would be appreciated by our administration for
>> >> >> management and permission reasons.
>> >> >>
>> >> >>
>> >> >>>> Matthew Jones<mailto:matthew at longsight.com>
>> >> >>>> July 8, 2014 at 9:06 AM
>> >> >>>> That link didn't work for me? Was it this link?
>> >> >>>>
>> >> >>>> https://confluence.sakaiproject.org/display/ADMX/Home
>> >> >>>>
>> >> >>>> There is a note there that says it's unsupported since 2.8, but
>> >> should
>> >> >>>> work as the webservices haven't significantly changed, just
>> nothing
>> >> >>>> added/fixed. In Sakai 11, we plan to remove all the existing axis
>> >> >>>> webservices in favor of CXF so that would break this tool. The CXF
>> >> >>>> services are already available in Sakai 10 so they would be
>> >> preferred.
>> >> >> I was looking for adminlite support not adminX ;)
>> >> >> We do not want to use adminX because it is deprecated.
>> >> >>
>> >> >>
>> >> >> Best regards,
>> >> >> Kurosch
>> >> >>
>> >> >>
>> >> >> Neal Caidin <mailto:neal.caidin at apereo.org>
>> >> >> July 8, 2014 at 9:09 AM
>> >> >> Hi Kurosch,
>> >> >>
>> >> >> Have you looked at the Delegated Access tool, to see if that will
>> >> meet
>> >> >> your needs?
>> >> >>
>> >> >>
>> https://confluence.sakaiproject.org/display/DAC/Delegated+Access+Tool
>> >> >>
>> >> >> I know it is not quite the same thing, but maybe enough of an
>> >> overlap?
>> >> >>
>> >> >> Cheers,
>> >> >> Neal
>> >> >>
>> >> >>
>> >> >> Matthew Jones <mailto:matthew at longsight.com>
>> >> >> July 8, 2014 at 9:06 AM
>> >> >> That link didn't work for me? Was it this link?
>> >> >>
>> >> >> https://confluence.sakaiproject.org/display/ADMX/Home
>> >> >>
>> >> >> There is a note there that says it's unsupported since 2.8, but
>> >> should
>> >> >> work as the webservices haven't significantly changed, just nothing
>> >> >> added/fixed. In Sakai 11, we plan to remove all the existing axis
>> >> >> webservices in favor of CXF so that would break this tool. The CXF
>> >> >> services are already available in Sakai 10 so they would be
>> >> preferred.
>> >> >>
>> >> >>
>> >> >>
>> >> >> _______________________________________________
>> >> >> sakai-dev mailing list
>> >> >> sakai-dev at collab.sakaiproject.org
>> >> >> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> >> >>
>> >> >> TO UNSUBSCRIBE: send email to
>> >> >> sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of
>> >> >> "unsubscribe"
>> >> >> Kurosch Petzold <mailto:kurosch.petzold at fu-berlin.de>
>> >> >> July 8, 2014 at 6:50 AM
>> >> >> Hey guys,
>> >> >>
>> >> >> just a question: will the adminlite tool[1] by any chance be updated
>> >> >> to support Sakai 10 in the near future?
>> >> >> Or is this tool dead?
>> >> >>
>> >> >> Best regards,
>> >> >> Kurosch Petzold
>> >> >>
>> >> >>
>> >> >> [1] jira.sakaiproject.org/ADMX
>> >> >>
>> >> >>
>> >> >
>> >>
>> >>
>> >> --
>> >> Best regards,
>> >> Kurosch Petzold
>> >>
>> >>
>> >
>>
>>
>> --
>> Best regards,
>> Kurosch Petzold
>>
>>
>
>
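The super-user check described in the message at the top of this thread, modeled as an added Java example (not Sakai source code and not part of any message in the thread). The in-memory realm store, the `unlock` helper, the user ids, the course realm and the sample permission names other than `site.upd` are assumptions made for illustration.

```java
import java.util.*;

// Toy model of the check quoted in the thread; only "site.upd" and
// "/site/!admin" are taken from the message, everything else is constructed.
public class SuperUserShortcutDemo {
    static final String SECURE_UPDATE_SITE = "site.upd";
    static final String ADMIN_REALM = "/site/!admin";

    // realm id -> user id -> functions granted by the user's role in that realm
    static final Map<String, Map<String, Set<String>>> REALMS = new HashMap<>();

    static void grant(String realm, String user, String... functions) {
        REALMS.computeIfAbsent(realm, r -> new HashMap<>())
              .computeIfAbsent(user, u -> new HashSet<>())
              .addAll(Arrays.asList(functions));
    }

    static boolean isAllowed(String user, String function, String realm) {
        return REALMS.getOrDefault(realm, Map.of())
                     .getOrDefault(user, Set.of())
                     .contains(function);
    }

    // Same shape as the quoted check: one permission in one realm decides it.
    static boolean isSuperUser(String user) {
        return isAllowed(user, SECURE_UPDATE_SITE, ADMIN_REALM);
    }

    // Hypothetical tool-side check: the super-user test short-circuits the
    // per-realm lookup, which is the performance bypass the message mentions.
    static boolean unlock(String user, String function, String realm) {
        return isSuperUser(user) || isAllowed(user, function, realm);
    }

    public static void main(String[] args) {
        grant(ADMIN_REALM, "admin", SECURE_UPDATE_SITE);
        // Support account added to the admin workspace with a role carrying site.upd.
        grant(ADMIN_REALM, "support1", SECURE_UPDATE_SITE, "site.visit");
        // Support account in the same realm whose role carries only site.visit.
        grant(ADMIN_REALM, "support2", "site.visit");
        grant("/site/course-101", "teacher", "content.revise.any");

        for (String u : List.of("admin", "support1", "support2", "teacher")) {
            System.out.printf("%-9s superUser=%-5b canRevise(course-101)=%b%n",
                u, isSuperUser(u), unlock(u, "content.revise.any", "/site/course-101"));
        }
    }
}
```

In this model `support1` passes every `unlock` call without holding any permission in the course realm, so auditing which roles in `/site/!admin` carry `site.upd` is the first thing to review before placing a support role there.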