[Using Sakai] Sakai Instructor Roles/Permissions

Sam Ottenhoff ottenhoff at longsight.com
Tue Aug 4 12:19:11 PDT 2009


The jldap-beans.xml file controls the mapping between users and user 
types.  By default, the property userTypeMapper uses the 
EmptyStringUserTypeMapper.  As others have pointed out, this means all 
LDAP users will have permissions controlled by the "!user.template" realm.

To segment your LDAP users, you need to comment out the 
EmptyStringUserTypeMapper and use either the 
EntryAttributeToUserTypeMapper or the EntryContainerRdnToUserTypeMapper. 

If your local LDAP contains an attribute that will allow you to segment 
out faculty, you should use the EntryAttributeToUserTypeMapper.  For 
example, if your local LDAP contains an attribute called 
"groupMembership" that could be set to "Southwestern Faculty" for 
relevant users, you would then uncomment the 
attributeValueToSakaiUserTypeMap property and add a map entry:

    <entry key="Southwestern Faculty"><value>faculty</value></entry>

This means that all users who have this LDAP attribute present will have 
their permissions controlled by the "!user.template.faculty" realm.  You 
can then set the defaultSakaiUserType property to 
"<value>student</value>" and all other user permissions will be 
controlled by the "!user.template.student" realm.


The other option is parsing of the LDAP user's distinguished name.  For 
example, if the faculty DNs look like "CN=Joe User, OU=Faculty, 
dc=southwestern, dc=edu", then the EntryContainerRdnToUserTypeMapper 
will be your ticket to segmenting your LDAP users.  In this case, you 
would set the property rdnToSakaiUserTypeMap:

   <entry key="Faculty"><value>faculty</value></entry>

--Sam

Kara Stiles wrote:
> When we do LDAP integrations, we usually give all authenticated users a "registered" user account type and define the perms in the !user.template.registered realm.
>
> Occasionally we (and by "we" I mean developers here at rSmart) will map LDAP user attributes to user account types in Sakai, so that students become registered users (with NO permission to create new sites) and faculty members become maintain users (WITH permission to create new sites).
>
> I am mostly functional (not a dev), so maybe someone else can explain how to actually do this...
>
> Kara Stiles
> Senior Functional Consultant
> rSmart
> http://www.rsmart.com
> ICQ: 396517169
>
> ----- Original Message -----
> From: "John Leasia" <jleasia at umich.edu>
> To: "Laura McCord" <mccordl at southwestern.edu>
> Cc: "Kara Stiles" <kara.stiles at rsmart.com>, sakai-user at collab.sakaiproject.org
> Sent: Tuesday, August 4, 2009 11:36:42 AM GMT -07:00 U.S. Mountain Time (Arizona)
> Subject: Re: [Using Sakai] Sakai Instructor Roles/Permissions
>
> If the account type is empty, then the account should be checking the !user.template realm for determining whether they can create sites or not (via the site.add or site.add.course permission for the .auth role in that realm). If you put in some account type for the user, then it will pick up the permission from the !user.template.<accounttype> realm if there is one, otherwise it should check just !user.template. 
>
> What site.* permissions do you have set for the .auth role in the !user.template realm? 
>
> John 
>
> Laura McCord wrote: 
>
>
> No, that didn't work. I'm wondering if it is an LDAP issue like you 
> suggest. When I look under 'Account' while I'm logged in as a faculty 
> member I get an empty User Type. Should this be populated with 'faculty' 
> or 'Instructor'? How is this information populated?
>
> Thanks,
>  Laura
>
>
>
> Kara Stiles wrote: 
>
> site.add.course doesn't exist until 2.6.
>
> In 2.5 and other prior versions, all you need in order to create a course site is the site.add perm in your !user.template.xxxxx realm.
>
> If that doesn't work and you try the memory trick (step 5 below), it might be LDAP related.
>
> This config change may prove upsetting to some if your faculty members have the same user account type as the students.  :)
>
> Kara Stiles
> Senior Functional Consultant
> rSmart http://www.rsmart.com ICQ: 396517169
>
> ----- Original Message -----
> From: "Laura McCord" <mccordl at southwestern.edu>
> To: "Kara Stiles" <kara.stiles at rsmart.com>
> Sent: Tuesday, August 4, 2009 9:55:46 AM GMT -07:00 U.S. Mountain Time (Arizona)
> Subject: Re: [Using Sakai] Sakai Instructor Roles/Permissions
>
> Hi Kara,
>
> Yes, I remember you. You came down here with Kim, right? So glad to hear 
> from you.
>
> Thanks for the help. I did notice that I do not have a site.add.course 
> permission setting.  I only have the following permissions for site: Do 
> I need to create a permission? If so, how do I do that?
>
> site.add
>
> site.add.usersite
>
> site.del
>
> site.upd
>
> site.upd.grp.mbrshp
>
> site.upd.site.mbrshp
>
> site.viewRoster
>
> site.visit
>
> site.visit.unp
>
>
> -Laura
>
> Kara Stiles wrote: 
>
> Hi Laura,
>
> I remember meeting you long ago when I was a new staff member at Unicon.
>
> I'm at rSmart now.
>
> The user's ability to create new sites depends on the site.add and the site.add.course permission.
>
> 1. Go to the Realms tool in the admin workspace
> 2. Locate and select the !user.template.maintain realm (Alternatively, if your faculty members have the "registered" account type, you should select !user.template.registered instead)
> 3. Locate and select the .auth role
> 4. Click the site.add box and the site.add.course box and save your changes
> 5. You may need to go to the memory tool in the admin space and clear all caches for this to take immediate effect.
>
> Thanks,
> Kara
>
> Kara Stiles
> Senior Functional Consultant
> rSmart http://www.rsmart.com ICQ: 396517169
>
> ----- Original Message -----
> From: "Laura McCord" <mccordl at southwestern.edu>
> To: sakai-user at collab.sakaiproject.org
> Sent: Tuesday, August 4, 2009 9:17:37 AM GMT -07:00 U.S. Mountain Time (Arizona)
> Subject: [Using Sakai] Sakai Instructor Roles/Permissions
>
>
> Hi,
>
> I need assistance with how Instructor roles are defined. When a faculty 
> member logs in they are not given permission to add a new site. How do I 
> grant them access to this ability?
>
> Thanks,
> Laura
> _______________________________________________
> sakai-user mailing list
> sakai-user at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/sakai-user
>
> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>   
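The mapping Sam describes and the realm fallback John describes can be checked against sample directory entries before touching jldap-beans.xml. The following is an added example, not part of the thread and not Sakai's JLDAP provider code: a simplified Python model in which the function names, the sample entries, and the realm contents are all constructed for illustration, and the RDN mapper is assumed to match on the value of the container directly above the user entry.

```python
# Added illustration: simplified model of the thread's mapping, not Sakai code.

def attribute_user_type(entry, attr, value_map, default_type=""):
    """Model of EntryAttributeToUserTypeMapper: first mapped attribute value wins."""
    for value in entry.get(attr, []):
        if value in value_map:
            return value_map[value]
    return default_type

def container_rdn_user_type(dn, rdn_map, default_type=""):
    """Model of EntryContainerRdnToUserTypeMapper: map the parent RDN's value."""
    rdns = [part.strip() for part in dn.split(",")]  # assumes no escaped commas
    if len(rdns) < 2 or "=" not in rdns[1]:
        return default_type
    container_value = rdns[1].split("=", 1)[1].strip()
    return rdn_map.get(container_value, default_type)

def resolve_realm(user_type, realms):
    """Use !user.template.<type> when that realm exists, else !user.template."""
    typed = "!user.template." + user_type
    return typed if user_type and typed in realms else "!user.template"

def can_add_site(user_type, realms):
    """True when the .auth role of the resolved realm holds site.add."""
    return "site.add" in realms[resolve_realm(user_type, realms)].get(".auth", set())

# Constructed realms: only the faculty template grants site.add to .auth.
REALMS = {
    "!user.template": {".auth": {"site.visit"}},
    "!user.template.faculty": {".auth": {"site.visit", "site.add"}},
    "!user.template.student": {".auth": {"site.visit"}},
}
# Constructed LDAP entries and the map entry from Sam's message.
FACULTY = {"dn": "CN=Joe User, OU=Faculty, dc=southwestern, dc=edu",
           "groupMembership": ["Southwestern Faculty"]}
STUDENT = {"dn": "CN=Ann Example, OU=Students, dc=southwestern, dc=edu",
           "groupMembership": ["Southwestern Students"]}
VALUE_MAP = {"Southwestern Faculty": "faculty"}

def audit(entries):
    """Return (dn, user type, realm, can add site) per entry, attribute mapper."""
    rows = []
    for e in entries:
        t = attribute_user_type(e, "groupMembership", VALUE_MAP, "student")
        rows.append((e["dn"], t, resolve_realm(t, REALMS), can_add_site(t, REALMS)))
    return rows

if __name__ == "__main__":
    print(*audit([FACULTY, STUDENT]), sep="\n")
```

An empty user type, which is what EmptyStringUserTypeMapper produces, always resolves to "!user.template" in this model, so any site.add grant placed there applies to every LDAP user.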

