Forum OpenACS Development: Idea: Give every package_id an application group

Collapse
1: Idea: Give every package_id an application group
Posted by Dave Bauer on 12/07/07 05:36 PM
To encourage better use of the group and permissions model, would it be a good idea to create an application group for each package when its created?

This would lead the way to more consistent application of permissions for each package. That is, we could offer a consistent user interface to add an administrator to a package.

That is, when the package is created we create a new application group, create the admins and members relational segements, then grant default permissions (ie: grant admin over the package_id to the admin relational segment).

Does this sound like a good idea? It doesn't require using the application group, but should allow us to make it easier to use the existing permissions system in a consistent way. Right now every package would have to do this individually.

Collapse
2: Re: Idea: Give every package_id an application group (response to 1)
Posted by Tom Jackson on 12/07/07 07:45 PM
Instead of building this in to every package, if there was an admin page or, better a Tcl proc which could do this, then package maintainers could just add a callback for install, and current users could use the proc to provide the same consistency for older versions of a package.

Rel segments are great for finding who can do what using an explicit and simple query, but as a related question, how are admin permissions granted on package objects in the usual case? Is there a document that suggests usage of context_id, etc.?

Collapse
3: Re: Idea: Give every package_id an application group (response to 1)
Posted by Dave Bauer on 12/07/07 08:49 PM
Tom,

Good point. There are Tcl procs to do this already.

My goal was to make it simpler to accomplish a common goal, and to define a best practice. We have too many different ways to do things, and no clear path to accomplish common things.

Tom asked "... how are admin permissions granted on package objects in the usual case? Is there a document that suggests usage of context_id, etc.?"

As far as I can tell, there is no common way to do this.

I believe the common case is to grant admin manually over a subsite, or a package, or as a shortcut, many sites have one person who admins everything, so he is just site wide admin, reducing the need for specific permissions.

I have a case where I need folks to be admin over just this one package, and i need to also give the admins of this package permissions over a few other objects. The ability to take a subset of users and grant them permissions over a few random objects outside the package is the reason to use a relational segment. I can add users to the relationsl segment and I don't have to track down every random object they need admin over.

Collapse
4: Re: Idea: Give every package_id an application group (response to 3)
Posted by Malte Sussdorff on 12/08/07 09:00 AM
I thought the "common practice" was to give admin on the package_id if you want it on package level, or per subsite if you want to spawn across multiple packages.

Creating an application group per package by default seems to be a little bit overkill to me, though for your example it makes perfect sense. The question would be, how common is your example...

Collapse
5: Re: Idea: Give every package_id an application group (response to 1)
Posted by Dave Bauer on 12/08/07 04:15 PM
Common practice is to "give admin on the package_id" but what does that mean in practice?

It means someone knowledgable with OpenACS pokes around in the subsite administration pages.

The current packages that have some concept of "partial admin" privileges include

Assessment, Categories, Forums, LORSM.

The question isn't how many packages support this, but what would it take to make the handling of package administrators consistent across the toolkit.

The other question is, what if you have a large site, where there are users who don;t need site wide admin privileges, but only need to manage one package.

It also allows administrators to delgate tasks to other users without giving them permission over everything.

Once we do this, we still need a sane and usable interface to choose a user and add them to the group. That is a another proposal.

Collapse
6: Re: Idea: Give every package_id an application group (response to 1)
Posted by Dave Bauer on 12/08/07 04:17 PM
Anyway, if its not a good idea to build this by default, I'll make sure its as easy as possible, and document the technique.