Forum .LRN Q&A: what is the privilege structure of dotLRN?

Collapse
1: what is the privilege structure of dotLRN?
Posted by Peter Marklund on 08/12/02 04:37 PM
Is there a document describing what the privilege differences are
between the user groups of dotLRN: External, Professor, Staff and
Student? Also, what do the Access full/limited and the Guest yes/no
settings do? Is it intentional that those settings for a certain user
cannot be toggled whereas the Site Wide Admin yes/no setting can?
Collapse
2: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Peter Alberer on 08/12/02 06:07 PM
In addition to the questions mentioned by Peter M. i would be interested to know if it is currently possible to create department-wide admins and how to accomplish that.
Collapse
3: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Deirdre Kane on 08/12/02 06:22 PM
I can answer some of these questions, but not all:

The User Type issues are unresolved (for Sloan) and I won't explain them here.  Besides, some of the issues are Sloan-specific, so our solution and needs may not be shared by other institutions.  The most important category to Sloan is actually "roles," so that regardless of type, any user can have different roles within different groups.

The Full/Limited/Guest stuff serves Sloan's needs to grant group admins a wide degree of freedom in managing their users at the group level; and also a way for us to work towards obeying the spirit and letter of the U.S. Buckley Amendment.  As for the toggling for one and not the other, that was an OpenForce design decision.

Full access users can join/drop any open classes and communities; these accounts are creating by self-registering or by the site wide admin.  Limited access users cannot join/drop, but have full access to all groups to which they belong (for Sloan, this is used for cross-registered students); these accounts are created by the group admin.  There are two types of guests, full access and limited.  Full access are created by the site wide and can join/drop any open group, but cannot see private information.  For example, this year's graduating class of alums chose to become Guests so that they woul dbe able to "browse" courses.  Limited access guests are created by the group admin, cannot join/drop and cannot see private information.  A Limited Access guest would be an outside speaker or industry partner who wanted to see class files, FAQs and news items, but they wouldn't see the member list, or forums, or surveys or receive bulk mails.

Hope this helps.

Collapse
4: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Peter Marklund on 08/12/02 07:36 PM
Thanks for the clarifications Deirdre! So to summarize, being a guest means you cannot view private class information and being a limited user means you cannot drop/join classes. Deirdre - what exactly do we mean by private information here? You mention member lists, forums, surveys and bulk mails - is that it?

What confuses me is that you can be guest *and* be a professor or staff at the university (or is the employment then at a different university?). What is the difference between guest and external - they sound like the same thing? I guess if Guest is relabled "Can View Private Class Info" then the structure starts to make sense to me. However with that interpretation, and with the definition of private information above, how does it make sense to be a professor and have "Can View Private Class Information" set to false if this has the consequense that you can't see member lists of your own class?

Are there any plans to build a dotLRN interface to customize the permissions of variuos user types and of the Access and Guest fields?

Collapse
5: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Don Baccus on 08/12/02 08:00 PM
I guess if Guest is relabled "Can View Private Class Info" then the structure starts to make sense to me.
The roots of the Guest role lie in the legislation Dee mentioned above, which defines privacy requirements for Universities at least (I don't know the full scope of the amendment). So you're on the right track with the above sentence.

As to "guest profs" and all the various combinations that are allowed , I'll leave that to Dee or OF folk to explain. :)

Collapse
6: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Deirdre Kane on 08/12/02 08:02 PM
Ay, there's the rub, I say.  What I mean is that Sloan is still working towards making this guest/limited access thing adhere to the spirit AND the letter of the law; right now, we are most often closer to the spirit.

By private information, I mean all student/member contributions to a class: name, email address, forum contributions, shared files, email exchanges.  We does this by restricting access at the portlet level so that Guests cannot see the Members, Survey, Forums, Member List page, or receive emails.  They can see FAQs, Documents, Calendar, News, Info and Custom Portlets, Syllabus and the Staff List - any portlet that displays group info only.

But there is a hole that you pointed out: it is possible to be a Guest and an Administrator in the same group, which has a sneaky presentation: the user is still restricted from the seeing the portlets, but has access to the Control Panel.  We know this is not pretty or desirable, but for Sloan, guest admins are a near rare occurence.  More often than not, the exception is a Limited Access admin, which does adhere to the letter and spirit as I currently understand it.  What we need to do is prevent Guests from being made admins.  And now that you have reminded me of all this, besides entering as ticket for it, there's not much preventing me from asking that it be done on SloanSpace V2 (besides the time to do it).

As for Guest and External, the difference is that one is a Role and one is a Type.  Again, Types are not completely defined/designed.  Putting any user in a particular Type does not prevent them from filling any Role.  This renders the Type category virtually useless right now, but in the future, we want it to be useful, and provide a way to define constituency groups (including alumni) as a group and as having specific access (alums need that defined differently than students, etc.).  However, I am speaking off the cuff and I will certainly not be the one who codes this nor may I be the non-technologist who decides how this will ultimately work.  I just know what I think Sloan needs it to do for Sloan.  Caroline Meeks, Don Baccus, Andrew Grumet and I and others have had many lengthy conversations about this, and we expect to revisit the idea more than once in the future.

"Are there any plans to build a dotLRN interface to customize the permissions of various user types and of the Access and Guest fields?"

This is not on our immediate horizon, though it is always lurking in the background, smirking at us and rubbing its hands with evil glee, waiting for us to try and figure it out once and for all...

Collapse
7: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Peter Marklund on 08/12/02 08:34 PM
Thanks Deirdre and Don. So Guest is really a strange name for "Can view Data Contributed by users and data about users (user data for short)". Interestingly you can be external and be allowed to join classes and then not be allowed to see contributions by other users. You can be a student and not be allowed to join/drop classes. You can be a student and be allowed to join classes but not see others contributions. All these combinations seem non-sensical to me.

These issues would go away if the Access and Guest settings were removed and they were fixed by the system at values that make sense for each of the user types.

It seems in this case flexibility has been gained only at the price of confusion and the risk of the admin making settings that cause the system to behave in unintented ways.

Collapse
8: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Deirdre Kane on 08/12/02 08:48 PM
I'll add a correction to what you wrote:

"So Guest is really a strange name for "Can view Data Contributed by users and data about users (user data for short)".

It's just the opposite.  Guest is a strange name for CANNOT view...

Though it does seem nonsensical and overly granular at face-value, we needed to err on the side of flexibility to satisfy users.  If someone makes a student a guest who can't see private data, they have made a mistake and I correct it for them.  We try to explain clearly what guest and limited access mean so that group admins use each appropriately, but occasionally, I do a little corrective intervention, which takes about 1 minute of my time.  However, we cannot have fixed types because there are two access levels for students, although I agree that there are ways to improve what we currently have.  As they are now, the Types are all the same for privileges (at least to me); the user does not see their "Type" and it is the user's access level that is important from a site wide perspective.

But yup, it's still more confusing than it ideally should be.

Collapse
9: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Peter Marklund on 08/12/02 09:56 PM
"If someone makes a student a guest who can't see private data, they have made a mistake and I correct it for them.  We try to explain clearly what guest and limited access mean so that group admins use each appropriately, but occasionally, I do a little corrective intervention, which takes about 1 minute of my time. "

As we mentioned above though this correction cannot be made in the web interface. Not all admins have direct access to the database. Two action points seem to emerge from this debate:

1) Catch disallowed settings of Access and Guest at user creation time

2) The Access and Guest fields need to be explained in the admin UI. I would simply change the labels to: "Can View User Data" and "Can Join/Drop Dlasses".

Collapse
10: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Michael Feldstein on 08/12/02 10:28 PM

This is actually a specific example of a more general usability problem for many complex apps--namely defining roles and assigning permissions to those roles. As we're seeing here, roles can vary pretty dramatically from one organization to the next, depending on staffing, laws, and other factors. You have the same problem, for example, with content management, where authors, editors, reviewers, publishers, multimedia creators, etc., can vary widely in their responsibilities from one organization to the next.

To solve this problem more generally, I think you need a couple of pieces:

  1. An intuitive interface that lets administrators define roles by assigning fairly granular permissions.
  2. One or more default role sets that organizations can use to start with and then edit as they get a clearer understanding of their needs.
  3. Some wizards to help administrators understand how their own situational needs translate into choices for role parameters.

dotLRN could be the prototypical application for OpenACS to work out these UI issues.

Collapse
11: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Deirdre Kane on 08/13/02 06:54 PM
Peter,

You stated that changing a user's access level cannot be done through an admin interface, but this is not the case.  I do not have access to the database; I make all my changes through the admin pages and like I said, we are ignoring Types for now.

Collapse
12: Response to what is the privilege structure of dotLRN? (response to 1)
Posted by Caroline Meeks on 08/19/02 11:08 PM
I agree with Micheal that a general solution with a good UI is important. However I think we are going to end up doing a Pind's Rule of 5 here at Sloan and hack it 5 times till we really understand what we need and how both our users and our lawyers understand the issues.

So we can work together as a community, I'm posting the use case I am programming to today.

Guest/read_private_data  use case:

Alumni Notes Community

In general we do not want to give alumni read_private_data privilege.
However in certain communities we (such as the alumni notes community) they need to be able to access forums so they do need read_private_data.
We do want alumni to be able to browse communities and classes so we can not make them Limited Access Users.

Proposed Short Term Solution:

Check read_private_data at the dotLRN level.  BUT let communities override it through a link on the control panel and give all members this privilege (probably by not checking it at all).

Do not let classes override. - Classes are covered by the Buckley amendment, Communities are not.  By default we give communities and classes the same protection, but we are not obligated to give communities this legal protection.

Collapse
13: Re: what is the privilege structure of dotLRN? (response to 1)
Posted by Lars Pind on 03/20/03 04:51 PM
Deidre,

I've fixed bug #214:

https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=214

so that the 'read_private_data' flag is now consistently a per-user flag, not per-user-per-community.

Can you please verify that this is the intended behavior for now?

There's still a bug that users can get to the private data through URL surgery, but I don't see any solution to that other than either a major hack or a major redesign.

https://openacs.org/bugtracker/openacs/bug?bug%5fnumber=375

/Lars