Rights concepts

Revision as of 10:31, 20 November 2019 by Mlink-rodrigue

An introduction to rights management

More than 100 permissions control user access to the wiki's functions and extensions.

Many of these permissions belong together: a user with read access, for example, also needs to be able to change their own user profile and add pages to a watchlist, so such permissions have to be granted as a set to a certain type of user. For this reason, BlueSpice manages the rights of individual users through roles and groups rather than through individual permissions.

The following entities are part of the rights management system:

  • Permission: Allows a specific action.
  • Role: A set of permissions. Permissions cannot be granted individually; they are granted by assigning roles.
  • User: Entity in the wiki instance database. Has a unique user name and user id.
  • User group: A collection of users. A user is assigned to one or more groups. There are system-internal groups (cannot be removed or renamed) and custom groups. In many cases the group name consists of the role and a namespace name.
  • Namespace: Permissions are set per namespace, not per page. Content that needs a different level of protection therefore has to live in its own namespace.

Use case: Managing department information

Diagram: content organization (inhaltsorganisation.drawio.png)

Anna (HR Manager) and Phil (HR Specialist) are maintaining all content related to the Human Resources department on the company wiki.

Some content is visible to all employees. Other content has to be restricted and only be visible to upper management and to Lea, the company's legal advisor.

After reviewing the content and access requirements, the company decides to create HR content in two namespaces: All unrestricted content goes in the Main namespace of the wiki. Sensitive information is maintained in a custom namespace called "HR".


To reflect these specific HR requirements, the wiki administrator needs to complete the following steps:

  1. Create the namespace (HR:) on the page Special:NamespaceManager:
    Screenshot: Create namespace
    The new namespace appears in the list after the page is reloaded (F5).
  2. Create the necessary groups on the page Special:GroupManager:
    Screenshot: create group
    • HR_visitor: Users in this group only have view permissions in the (HR:) namespace
    • HR_editor: Users in this group can create and edit pages in the (HR:) namespace
    • HR_reviewer: Users in this group can, additionally, approve documents. For this to work, the function "FlaggedRevs" has to be activated for the namespace.
    All three groups are initially empty; users are added in step 4.
  3. Assign roles to each group on the page Special:PermissionManager. After this, each group has a specific set of permissions:
    1. The group HR_visitor:
      Screenshot: Setting user permissions

      The administrator selects the group "HR_visitor" and checks the role "reader" for the HR namespace only. As soon as the reader role is assigned to "HR_visitor" in the HR namespace, all other groups lose their view permissions for this namespace, because the role is now restricted to the groups it is explicitly assigned to:
      Screenshot: permission blocked for other groups (example-permission-blocked.png)

      This restriction is what actually protects the sensitive content, so the administrator should verify it with a test account that is in none of the HR groups before any sensitive pages are moved into the namespace.

    2. The group HR_editor: The administrator selects the role "editor" for the HR namespace only. Since the editor role does not include the permissions of the reader role (roles do not inherit from one another), the administrator also has to check the reader role; otherwise members of HR_editor could edit pages in HR but not view them:
      Screenshot: editor permissions

    3. The group HR_reviewer: The administrator selects the role "reviewer" for the HR namespace only. Since the reader and editor roles in the HR namespace have already been restricted to the groups HR_visitor and HR_editor in the previous steps, the reader and editor roles have to be checked for HR_reviewer as well:
      Screenshot: reviewer permissions
  4. Add users to the correct user groups: Since Anna needs to be able to edit and approve documents both in the HR and in the Main namespace, she has to be added to both the "HR_reviewer" and the standard "reviewer" groups:
    Screenshot: adding a user to groups

The administrator also adds the other affected users to the correct groups. The result is the following permissions configuration:

User                 | Member of groups       | Roles in namespace HR    | Roles in namespace Main  | Result
Anna (HR manager)    | HR_reviewer, reviewer  | reviewer, reader, editor | reviewer, reader, editor | Anna can now read, edit and approve pages in both the HR and the Main namespaces.
Phil (HR specialist) | HR_editor, editor      | reader, editor           | reader, editor           | Phil can now read and edit pages in both the HR and the Main namespaces.
Edith (CEO)          | HR_visitor, editor     | reader                   | editor                   | Edith can now read pages in the HR namespace and edit pages in the Main namespace.
Lea (legal advisor)  | HR_visitor             | reader                   | -                        | Lea can only read pages in the HR namespace.
All employees        | reader                 | -                        | reader                   | All employees can read pages in the Main namespace. They cannot read the pages in the HR namespace.


In addition, the administrator should ensure that Anna is not the only person who can approve content. Otherwise, reviews stall whenever Anna is on vacation or has no time to review page edits.
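To check the resulting configuration without logging in with every account, the following Python script (an added example; it is not BlueSpice code and does not talk to a wiki) models the rules stated above: permissions come only through roles, roles are granted to groups, the editor role does not include the reader permissions, and assigning a role to a group in a namespace restricts that role in that namespace to the groups it is assigned to. The permission names per role, the wiki-wide roles of the standard "reader", "editor" and "reviewer" groups and the placeholder user "employee" are assumptions made for the example. It recomputes the table above, flags that Anna is the only reviewer in the HR namespace, and shows what happens when the reader role is forgotten for HR_editor and HR_reviewer.

```python
"""Model of the BlueSpice rights scheme described on this page (added example, not
BlueSpice code). Rules encoded, as stated on the page:
  * permissions come only from roles, roles are granted to groups;
  * the editor role does not contain the reader permissions;
  * assigning a role to a group in a namespace restricts that role, in that
    namespace, to the groups it is assigned to (other groups lose it there).
Assumption: the permission names per role below are a small illustrative subset.
"""
from collections import defaultdict

ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"edit", "createpage"},  # no "read": editor does not inherit reader
    "reviewer": {"review"},            # FlaggedRevs approval
}


class RightsModel:
    def __init__(self):
        self.wiki_roles = {}                 # group -> roles valid in every namespace by default
        self.ns_roles = defaultdict(set)     # (namespace, role) -> groups explicitly holding it
        self.members = {}                    # user -> groups

    def grant_wiki_role(self, group, role):
        self.wiki_roles.setdefault(group, set()).add(role)

    def grant_ns_role(self, group, role, ns):
        # Special:PermissionManager, role ticked for one namespace only.
        self.ns_roles[(ns, role)].add(group)

    def add_user(self, user, *groups):
        self.members.setdefault(user, set()).update(groups)

    def has_role(self, user, role, ns):
        groups = self.members.get(user, set())
        if (ns, role) in self.ns_roles:   # namespace-specific assignment locks the role down
            return bool(groups & self.ns_roles[(ns, role)])
        return any(role in self.wiki_roles.get(g, ()) for g in groups)

    def roles(self, user, ns):
        return {r for r in ROLE_PERMISSIONS if self.has_role(user, r, ns)}

    def can(self, user, permission, ns):
        return any(permission in ROLE_PERMISSIONS[r] for r in self.roles(user, ns))

    def holders(self, role, ns):
        """Users holding a role in a namespace; a single entry is a single point of failure."""
        return sorted(u for u in self.members if self.has_role(u, role, ns))


def build_hr_model(editors_get_reader=True):
    """Reproduce the use case. editors_get_reader=False reproduces the mistake of
    ticking only 'editor' for HR_editor and only 'reviewer'/'editor' for HR_reviewer."""
    m = RightsModel()
    # Assumed wiki-wide roles of the standard groups (the page only names the groups).
    m.grant_wiki_role("reader", "reader")
    for role in ("reader", "editor"):
        m.grant_wiki_role("editor", role)
    for role in ("reader", "editor", "reviewer"):
        m.grant_wiki_role("reviewer", role)
    # Step 3: roles per HR group, namespace HR only.
    m.grant_ns_role("HR_visitor", "reader", "HR")
    m.grant_ns_role("HR_editor", "editor", "HR")
    m.grant_ns_role("HR_reviewer", "reviewer", "HR")
    m.grant_ns_role("HR_reviewer", "editor", "HR")
    if editors_get_reader:
        m.grant_ns_role("HR_editor", "reader", "HR")
        m.grant_ns_role("HR_reviewer", "reader", "HR")
    # Step 4: group memberships from the table; "employee" (assumed) stands for any other staff member.
    m.add_user("Anna", "HR_reviewer", "reviewer")
    m.add_user("Phil", "HR_editor", "editor")
    m.add_user("Edith", "HR_visitor", "editor")
    m.add_user("Lea", "HR_visitor")
    m.add_user("employee", "reader")
    return m


def permission_matrix(model, namespaces=("HR", "Main")):
    """{user: {namespace: sorted roles}}: the table from the page, computed."""
    return {u: {ns: sorted(model.roles(u, ns)) for ns in namespaces} for u in model.members}


if __name__ == "__main__":
    model = build_hr_model()
    for user, per_ns in permission_matrix(model).items():
        print(f"{user:9s}", {ns: ", ".join(r) or "-" for ns, r in per_ns.items()})
    print("HR reviewers:", model.holders("reviewer", "HR"))  # only Anna: add a deputy
    broken = build_hr_model(editors_get_reader=False)
    print("Phil can read HR without the reader role?", broken.can("Phil", "read", "HR"))
```

The negative checks are the important ones: the configuration is correct only if "employee" and Edith cannot edit or, for the employee, even read the HR namespace, and `holders("reviewer", "HR")` returning a single name is exactly the single-point-of-failure situation the paragraph above warns about.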
