guide.html.wml
Created
Thu, Jun 6, 04:16

## $Id$
## This file is part of the CERN Document Server Software (CDSware).
## Copyright (C) 2002, 2003, 2004, 2005, 2006 CERN.
##
## The CDSware is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License as
## published by the Free Software Foundation; either version 2 of the
## License, or (at your option) any later version.
##
## The CDSware is distributed in the hope that it will be useful, but
## WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
## General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with CDSware; if not, write to the Free Software Foundation, Inc.,
## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
#include "cdspage.wml" \
title="WebAccess Admin Guide" \
navtrail_previous_links="<a class=navtrail href=<WEBURL>/admin/>Admin Area</a> &gt; <a class=navtrail href=<WEBURL>/admin/webaccess/>WebAccess Admin</a> " \
navbar_name="admin" \
navbar_select="webaccess-admin-guide"
<p>Version <: print generate_pretty_revision_date_string('$Id$'); :>
<h2>Contents</h2>
<strong>1. <a href="#1">Introduction, using roles</a></strong><br>
<strong>2. <a href="#2">WebAccess admin interface</a></strong><br>
<strong>3. <a href="#3">Example pages, illustrating snapshots</a></strong><br>
<strong>4. <a href="#4">Managing accounts / Access policy</a></strong><br>
<strong>5. <a href="#5">Managing login methods</a></strong><br>
<h2><a name="1">1. INTRODUCTION, USING ROLES</a></h2>
<pre>
WebAccess is a common RBAC (role-based access control) system for all of
CDSware. This means that users are connected to roles that cover
different areas of access, e.g. <em>administrator of the photo
collection</em> or <em>system librarian</em>. Users can be active in
different areas and can be connected to as many roles as needed.

The roles are connected to actions. An action identifies a task you
can perform in CDSware. It can be defined to take any number of
arguments in order to describe more clearly what you are allowing
connected users to do.

For example, the system librarian can be allowed to run bibwords on
the different indexes. To allow system librarians to run the
bibwords indexing on the field author, we connect role <em>system
librarian</em> with action <em>runbibwords</em> using the argument
<em>index='author'</em>.

WebAccess is based on allowing users to perform actions. This means
that only allowed actions are stored in the access control engine's
database.
</pre>
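<p>The model described above, as an added Python example that is not part of CDSware's own code: users are connected to roles, roles to actions with arguments, and anything that is not stored is denied. The class and method names, the e-mail addresses and the <em>managephotos</em> action are hypothetical, and exact matching of arguments is an assumption of this example.</p>

```python
class AccessControl:
    """Allow-list RBAC store: users -> roles -> (action, arguments)."""

    def __init__(self):
        self.user_roles = {}          # email -> set of role names
        self.authorizations = set()   # (role, action, frozen arguments)

    @staticmethod
    def _freeze(arguments):
        # Sort so that keyword order does not affect equality.
        return tuple(sorted(arguments.items()))

    def connect_user(self, email, role):
        """Connect a user to a role (the five-step task shown in section 3)."""
        self.user_roles.setdefault(email, set()).add(role)

    def add_authorization(self, role, action, **arguments):
        """Connect a role to an action, optionally restricted by arguments."""
        self.authorizations.add((role, action, self._freeze(arguments)))

    def is_authorized(self, email, action, **arguments):
        """Allow only if one of the user's roles holds exactly this authorization."""
        wanted = self._freeze(arguments)
        roles = self.user_roles.get(email, set())
        return any((role, action, wanted) in self.authorizations for role in roles)

    def effective_permissions(self, email):
        """List every (role, action, arguments) a user holds, for access reviews."""
        roles = self.user_roles.get(email, set())
        rows = sorted(a for a in self.authorizations if a[0] in roles)
        return [(role, action, dict(args)) for role, action, args in rows]


def build_sample():
    """Constructed sample data using the role names from this guide."""
    acc = AccessControl()
    acc.add_authorization("systemlibrarian", "runbibwords", index="author")
    # "managephotos" is a hypothetical action name used only for this example.
    acc.add_authorization("photoadmin", "managephotos", collection="Photos")
    acc.connect_user("librarian@example.org", "systemlibrarian")
    acc.connect_user("both@example.org", "systemlibrarian")
    acc.connect_user("both@example.org", "photoadmin")
    return acc


if __name__ == "__main__":
    acc = build_sample()
    checks = [
        ("librarian@example.org", "runbibwords", {"index": "author"}),
        ("librarian@example.org", "runbibwords", {"index": "title"}),   # not stored
        ("librarian@example.org", "managephotos", {"collection": "Photos"}),
        ("stranger@example.org", "runbibwords", {"index": "author"}),   # no roles
        ("both@example.org", "managephotos", {"collection": "Photos"}),
    ]
    for email, action, args in checks:
        verdict = "allow" if acc.is_authorized(email, action, **args) else "deny"
        print(verdict, email, action, args)
    for row in acc.effective_permissions("both@example.org"):
        print("review:", row)
```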
<h2><a name="2">2. WEBACCESS ADMIN INTERFACE</a></h2>
<pre>
All the WebAccess Administration web pages have certain
features/design choices in common:

- Divided into steps
  The process of adding new authorizations/information is
  stepwise. The subtitle contains information about which step you are
  on and what you are supposed to do.

- Restart from any wanted step
  You can always start from an earlier step by simply clicking the
  wanted button. This is not a way to undo changes! No information
  about the previous state of the database is kept, so all changes
  are final.

- Change or new entry must be confirmed
  On all the pages you will be asked to confirm the change, with
  information about what kind of change you are about to perform.

- Links to other relevant admin areas on the right side
  To make it easier to perform your administration tasks, we have
  added a menu area on the right hand side of these pages. The menu
  contains links to other relevant admin pages and changes according to
  the page you are on and the information you have selected.
</pre>
<h2><a name="3">3. EXAMPLE PAGES</a></h2>
<pre>
I. Role area
II. Example - connecting role and user

I. Role area

Administration tasks start in one of the administration areas. The
role area is the main area from where you can perform all your
managing tasks. The other admin areas are just other ways of
entering.
</pre>
<div class="snapshot">
<div>
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; Role Administration
</td>
</tr>
</table>
</div>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Role Administration</h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">administration with roles as access point</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<dl>
<dt>Users:</dt>
<dd>add or remove users from the access to a role and its priviliges.</dd>
<dt>Authorizations/Actions:</dt>
<dd>these terms means almost the same, but an authorization is a <br>
connection between a role and an action (possibly) containing arguments.</dd>
<dt>Roles:</dt>
<dd>see all the information attached to a role and decide if you want to<br>delete it.</dd>
</dl>
<table class="admin_wvar_nomargin" summary="">
<tr>
<th class="adminheader">id</th>
<th class="adminheader">name</th>
<th class="adminheader">description</th>
<th class="adminheader">users</th>
<th class="adminheader">authorizations / actions</th>
<th class="adminheader">role</th>
<th class="adminheader"></th>
<th class="adminheader"></th>
</tr>
<tr>
<td class="admintdright">2</td>
<td class="admintdleft">photoadmin</td>
<td class="admintdleft">administrator of the photo col...</td>
<td class="admintdleft">
<a href="">add</a> /
<a href="">remove</a>
</td>
<td class="admintdleft">
<a href="">add</a> /
<a href="">modify</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">delete</a></td>
<td class="admintdleft"><a href="">show details</a></td>
<td rowspan="4" style="vertical-align: bottom">
</td>
</tr>
<tr>
<td class="admintdright">9</td>
<td class="admintdleft">submitter</td>
<td class="admintdleft"></td>
<td class="admintdleft">
<a href="">add</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">add</a> /
<a href="">modify</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">delete</a></td>
<td class="admintdleft"><a href="">show details</a></td>
</tr>
<tr>
<td class="admintdright">1</td>
<td class="admintdleft">superadmin</td>
<td class="admintdleft">all rights</td>
<td class="admintdleft"><a href="">add</a> / <a href="">remove</a></td>
<td class="admintdleft"><a href="">add</a> /
<a href="">modify</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">delete</a></td>
<td class="admintdleft"><a href="">show details</a></td>
</tr>
<tr>
<td class="admintdright">4</td>
<td class="admintdleft">systemlibrarian</td>
<td class="admintdleft">system librarian</td>
<td class="admintdleft">
<a href="">add</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">add</a> /
<a href="">modify</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">delete</a></td>
<td class="admintdleft"><a href="">show details</a></td>
</tr>
<tr>
<td class="admintdright">3</td>
<td class="admintdleft">webaccessadmin</td>
<td class="admintdleft">access to web administrator in...</td>
<td class="admintdleft">
<a href="">add</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">add</a> /
<a href="">modify</a> /
<a href="">remove</a>
</td>
<td class="admintdleft"><a href="">delete</a></td>
<td class="admintdleft"><a href="">show details</a></td>
</tr>
</table>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
<dt><a href="">Create new action</a></dt>
<dd>go here to add a new action.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</table>
</div>
</div>
<pre>
II. Example - connecting role and user

One of the important tasks that can be handled via the WebAccess Admin Web Interface
is the delegation of access rights to users. This is done by connecting them to the
different roles offered.

The task is divided into 5 simple and comprehensive steps. Below follow the pages from
the different steps, with comments on the ongoing procedure.

- step 1 - select a role

  You must first select the role you want to connect users to. All the available roles are
  listed alphabetically in a select box. Just find the wanted role and select it. Then click on
  the button saying &quot;select role&quot;.

  If you start from the Role Area, this step is already done, and you start directly on step 2.
</pre>
<div class="snapshot">
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; <a class="navtrail" href="">Role Administration</a> &gt; Connect user to role
</td>
</tr>
</table>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Connect user to role </h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">step 1 - select a role</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<form action="" method="POST">
<span class="adminlabel">1. select role</span>
<select name="id_role" class="admin_w200">
<option value="0">*** select role ***</option>
<option value="2">photoadmin</option>
<option value="9">submitter</option>
<option value="1">superadmin</option>
<option value="4">systemlibrarian</option>
<option value="3">webaccessadmin</option>
</select>
<input class="adminbutton" type="submit" value="select role">
</form>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
<td class="pagebodystriperight" width="120" align="right" valign="top">
</td>
</tr>
</table>
</div>
</div>
<pre>
- step 2 - search for users

  As you can see, the subtitle of the page has now changed. The subtitle always tells you
  which step you are on and what your current task is.

  There may be thousands of users using your online library, so it is important
  to make it easier to identify the user you are looking for. Give part of, or the entire, search
  string and all users with partly matching e-mails will be listed on the next step.

  You can also see that the right hand menu has changed. This area is always updated with links
  to related admin areas.
</pre>
<div class="snapshot">
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; <a class="navtrail" href="">Role Administration</a> &gt; Connect user to role
</td>
</tr>
</table>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Connect user to role </h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">step 2 - search for users</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<form action="" method="POST">
<span class="adminlabel">1. select role</span>
<select name="id_role" class="admin_w200">
<option value="0">*** select role ***</option>
<option value="2">photoadmin</option>
<option value="9">submitter</option>
<option value="1" selected="selected">superadmin</option>
<option value="4">systemlibrarian</option>
<option value="3">webaccessadmin</option>
</select>
<input class="adminbutton" type="submit" value="select role">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>
<span class="adminlabel">2. search pattern </span>
<input class="admin_wvar" type="text" name="email_user_pattern" value="">
<input type="hidden" name="id_role" value="1">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="search for users">
</td>
</tr>
</table>
</form>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
</dl>
<dl>
<dt><a href="">Remove users</a></dt>
<dd>remove users from role superadmin.</dd>
<dt><a href="">Connected users</a></dt>
<dd>show all users connected to role superadmin.</dd>
</dl>
<dl>
<dt><a href="">Add authorization</a></dt>
<dd>start adding new authorizations to role superadmin.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
<td class="pagebodystriperight" width="120" align="right" valign="top">
</td>
</tr>
</table>
</div>
</div>
<pre>
- step 3 - select a user

  The select box contains all users with partly matching e-mail addresses. Select the one
  you want to connect to the role and continue.

  Notice the navigation trail, which tells you where on the Administrator pages you are currently
  working.
</pre>
<div class="snapshot">
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; <a class="navtrail" href="">Role Administration</a> &gt; Connect user to role
</td>
</tr>
</table>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Connect user to role </h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">step 3 - select a user</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<form action="" method="POST">
<span class="adminlabel">1. select role</span>
<select name="id_role" class="admin_w200">
<option value="0">*** select role ***</option>
<option value="2">photoadmin</option>
<option value="9">submitter</option>
<option value="1" selected="selected">superadmin</option>
<option value="4">systemlibrarian</option>
<option value="3">webaccessadmin</option>
</select>
<input class="adminbutton" type="submit" value="select role">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>
<span class="adminlabel">2. search pattern </span>
<input class="admin_wvar" type="text" name="email_user_pattern" value="k">
<input type="hidden" name="id_role" value="1">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="search for users">
</td>
</tr>
</table>
</form>
<form action="" method="POST">
<span class="adminlabel">3. select user</span>
<select name="id_user" class="admin_w200">
<option value="0">*** select user ***</option>
<option value="136">franck.black@cern.ch</option>
<option value="134">kurt.cobain@cern.ch</option>
<option value="100" selected="selected">mikael.vik@cern.ch</option>
<option value="-6">tibor.simko@cern.ch (connected)</option>
</select>
<input type="hidden" name="id_role" value="1">
<input type="hidden" name="email_user_pattern" value="k">
<input class="adminbutton" type="submit" value="add this user">
</form>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
</dl>
<dl>
<dt><a href="">Remove users</a></dt>
<dd>remove users from role superadmin.</dd>
<dt><a href="">Connected users</a></dt>
<dd>show all users connected to role superadmin.</dd>
</dl>
<dl>
<dt><a href="">Add authorization</a></dt>
<dd>start adding new authorizations to role superadmin.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
<td class="pagebodystriperight" width="120" align="right" valign="top">
</td>
</tr>
</table>
</div>
</div>
<pre>
- step 4 - confirm to add user

  All WebAccess Administrator web pages display the action you are about to perform. This
  means explaining what kind of addition, change or update will be done to your access control
  data.

  If you are happy with your decision, simply confirm it.
</pre>
<div class="snapshot">
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; <a class="navtrail" href="">Role Administration</a> &gt; Connect user to role
</td>
</tr>
</table>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Connect user to role </h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">step 4 - confirm to add user</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<form action="" method="POST">
<span class="adminlabel">1. select role</span>
<select name="id_role" class="admin_w200">
<option value="0">*** select role ***</option>
<option value="2">photoadmin</option>
<option value="9">submitter</option>
<option value="1" selected="selected">superadmin</option>
<option value="4">systemlibrarian</option>
<option value="3">webaccessadmin</option>
</select>
<input class="adminbutton" type="submit" value="select role">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>
<span class="adminlabel">2. search pattern </span>
<input class="admin_wvar" type="text" name="email_user_pattern" value="k">
<input type="hidden" name="id_role" value="1">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="search for users">
</td>
</tr>
</table>
</form>
<form action="" method="POST">
<span class="adminlabel">3. select user</span>
<select name="id_user" class="admin_w200">
<option value="0">*** select user ***</option>
<option value="136">franck.black@cern.ch</option>
<option value="134">kurt.cobain@cern.ch</option>
<option value="100" selected="selected">mikael.vik@cern.ch</option>
<option value="-6">tibor.simko@cern.ch (connected)</option>
</select>
<input type="hidden" name="id_role" value="1">
<input type="hidden" name="email_user_pattern" value="k">
<input class="adminbutton" type="submit" value="add this user">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>add user <strong>mikael.vik@cern.ch</strong> to role <strong>superadmin</strong>?
<input type="hidden" name="confirm" value="1">
<input type="hidden" name="id_user" value="100">
<input type="hidden" name="id_role" value="1">
<input type="hidden" name="email_user_pattern" value="k">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="confirm">
</td>
</tr>
</table>
</form>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
</dl>
<dl>
<dt><a href="">Remove users</a></dt>
<dd>remove users from role superadmin.</dd>
<dt><a href="">Connected users</a></dt>
<dd>show all users connected to role superadmin.</dd>
</dl>
<dl>
<dt><a href="">Add authorization</a></dt>
<dd>start adding new authorizations to role superadmin.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
<td class="pagebodystriperight" width="120" align="right" valign="top">
</td>
</tr>
</table>
</div>
</div>
<pre>
- step 5 - confirm user added

  The user has now been added to this role. You can easily continue adding more users to this
  role by restarting from step 2 or 3. You can also go directly to another area and keep working
  on the same role.
</pre>
<div class="snapshot">
<table border="0" cellspacing="0" cellpadding="0" class="navtrailbox" width="100%" summary="">
<tr>
<td class="navtrailboxbody">
<a class="navtrail" href="">Home</a> &gt; <a class="navtrail" href="">Admin Area</a> &gt; <a class="navtrail" href="">WebAccess Admin</a> &gt;
<a class="navtrail" href="">Manage WebAccess</a> &gt; <a class="navtrail" href="">Role Administration</a> &gt; Connect user to role
</td>
</tr>
</table>
<div class="pagebody">
<table border="0" cellspacing="0" cellpadding="0" width="100%" summary="">
<tr valign="top">
<td class="pagebodystripemiddle" align="left">
<h1 class="headline">Connect user to role </h1>
<table class="admin_wvar" width="100%" summary="">
<thead>
<tr>
<th class="adminheaderleft" colspan="2">step 5 - confirm user added</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align: top; margin-top: 5px; width: 75%;">
<form action="" method="POST">
<span class="adminlabel">1. select role</span>
<select name="id_role" class="admin_w200">
<option value="0">*** select role ***</option>
<option value="2">photoadmin</option>
<option value="9">submitter</option>
<option value="1" selected="selected">superadmin</option>
<option value="4">systemlibrarian</option>
<option value="3">webaccessadmin</option>
</select>
<input class="adminbutton" type="submit" value="select role">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>
<span class="adminlabel">2. search pattern </span>
<input class="admin_wvar" type="text" name="email_user_pattern" value="k">
<input type="hidden" name="id_role" value="1">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="search for users">
</td>
</tr>
</table>
</form>
<form action="" method="POST">
<span class="adminlabel">3. select user</span>
<select name="id_user" class="admin_w200">
<option value="0">*** select user ***</option>
<option value="136">franck.black@cern.ch</option>
<option value="134">kurt.cobain@cern.ch</option>
<option value="100" selected="selected">mikael.vik@cern.ch</option>
<option value="-6">tibor.simko@cern.ch (connected)</option>
</select>
<input type="hidden" name="id_role" value="1">
<input type="hidden" name="email_user_pattern" value="k">
<input class="adminbutton" type="submit" value="add this user">
</form>
<form action="" method="POST">
<table summary="">
<tr>
<td>add user <strong>mikael.vik@cern.ch</strong> to role <strong>superadmin</strong>?
<input type="hidden" name="confirm" value="1">
<input type="hidden" name="id_user" value="100">
<input type="hidden" name="id_role" value="1">
<input type="hidden" name="email_user_pattern" value="k">
</td>
<td style="vertical-align: bottom">
<input class="adminbutton" type="submit" value="confirm">
</td>
</tr>
</table>
</form>
<p>confirm: user <strong>mikael.vik@cern.ch</strong> added to role <strong>superadmin</strong>.</p>
</td>
<td style="vertical-align: top; margin-top: 5px; width: 25%;">
<dl>
<dt><a href="">Create new role</a></dt>
<dd>go here to add a new role.</dd>
</dl>
<dl>
<dt><a href="">Remove users</a></dt>
<dd>remove users from role superadmin.</dd>
<dt><a href="">Connected users</a></dt>
<dd>show all users connected to role superadmin.</dd>
</dl>
<dl>
<dt><a href="">Add authorization</a></dt>
<dd>start adding new authorizations to role superadmin.</dd>
</dl>
</td>
</tr>
</tbody>
</table>
</td>
<td class="pagebodystriperight" width="120" align="right" valign="top">
</td>
</tr>
</table>
</div>
</div>
<pre>
- we are done

This example is very similar to all the other pages where you administrate WebAccess. The pages
are an easy gateway to maintaining access control rights and share a lot of features:

  - divided into steps
  - restart from any wanted step (not undo)
  - changes must be confirmed
  - link to other relevant areas
  - prevent unwanted input

As an administrator with access to these pages you are free to manage the rights any way you want.
</pre>
<h2><a name="4">4. MANAGING ACCOUNTS AND ACCESS POLICY</a></h2>
<pre>
Here you can administrate the accounts and the access policy for your CDSware installation.

- Access policy:

  To change the access policy, the general config file (or
  access_control_config.py) must be edited manually in a text
  editor. There the site can be defined as open or closed, you can
  edit the access policy level for guest accounts and registered
  accounts, and you can decide when to warn the owner of an account
  that something has happened to it: when it is created, deleted or
  approved. The Apache server must be restarted after modifying
  these settings.

  The two levels for guest accounts are:
    0 - Allow guest accounts
    1 - Do not allow guest accounts

  The five levels for normal accounts are:
    0 - Allow user to create account, automatically activate new accounts
    1 - Allow user to create account, administrator must activate account
    2 - Only administrators can create account. User cannot edit the email address.
    3 - Users cannot register or update account information (email/password)
    4 - User cannot change default login method

  You can configure CDSware to send an email:
    1. To an admin email-address when an account is created
    2. To the owner of an account when it is created
    3. To the owner of an account when it is activated
    4. To the owner of an account when it is deleted

  Define how open the site is:
    0 = normal operation of the site
    1 = read-only site, all write operations temporarily closed
    2 = site fully closed
  CFG_ACCESS_CONTROL_LEVEL_SITE = 0

  Access policy for guests:
    0 = Allow guests to search
    1 = Guests cannot search (all users must login)
  CFG_ACCESS_CONTROL_LEVEL_GUESTS = 0

  Access policy for accounts:
    0 = Users can register, automatically activate accounts
    1 = Users can register, but admin must activate the accounts
    2 = Users cannot register or change email address, only admin can register accounts.
    3 = Users cannot register or update email address or password, only admin can register accounts.
    4 = Same as 3, but user cannot change login method.
  CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS = 0

  Limit email addresses available to use when registering a new account (example: cern.ch):
  CFG_ACCESS_CONTROL_LIMIT_REGISTRATION_TO_DOMAIN = ""

  Send an email when a new account is created by a user:
  CFG_ACCESS_CONTROL_NOTIFY_ADMIN_ABOUT_NEW_ACCOUNTS = 0

  Send an email to the user notifying when the account is created:
  CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_NEW_ACCOUNT = 0

  Send an email to the user notifying when the account is activated:
  CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_ACTIVATION = 0

  Send an email to the user notifying when the account is deleted/rejected:
  CFG_ACCESS_CONTROL_NOTIFY_USER_ABOUT_DELETION = 0

- Account overview:

  Here you find an overview of the number of guest accounts, registered accounts and accounts
  awaiting activation, with a link to the activation page.

- Create account:

  For creating new accounts, the email address must be unique. If configured to do so, an email
  will be sent to the given address when an account is created.

- Edit accounts:

  For activating or rejecting accounts, in addition to modifying them. An activated account can be
  inactivated for a short period of time, but this will not warn the account owner. To find accounts,
  enter a part of the email address of the account and then search. This may take some time. If there
  are more than the selected number of accounts per page, you can use the next/prev links to switch
  pages. The accounts to search in can also be limited to only activated or not activated accounts.

- Edit account:

  When editing one account, you can change the email address or password, delete the account, or modify
  the baskets or alerts belonging to the account. Which login method should be the default for this
  account can also be selected. To modify baskets or alerts, you need to login as the user and
  modify the desired data as a normal user. Remember to log out as the user when you are finished
  editing.
</pre>
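<p>How the site level, the account level and the domain limit documented above combine for a self-registration request, as an added Python example that is not CDSware's own code. The function names are hypothetical, and comparing the e-mail domain exactly (case-insensitively, without accepting subdomains) is an assumption of this example.</p>

```python
def account_capabilities(level_accounts):
    """Translate CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS (0-4) into user capabilities."""
    if level_accounts not in (0, 1, 2, 3, 4):
        raise ValueError("account level must be 0..4")
    return {
        "self_register": level_accounts <= 1,
        "auto_activate": level_accounts == 0,
        "edit_email": level_accounts <= 1,
        "edit_password": level_accounts <= 2,
        "change_login_method": level_accounts <= 3,
    }


def registration_decision(email, *, level_site, level_accounts, limit_domain):
    """Return (allowed, activated, reason) for a self-registration request."""
    # Site level 1 (read-only) and 2 (closed) both rule out creating accounts.
    if level_site >= 1:
        return (False, False, "site is read-only or closed")
    caps = account_capabilities(level_accounts)
    if not caps["self_register"]:
        return (False, False, "only administrators can create accounts")
    # Split on the last "@" and require both a local part and a domain.
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return (False, False, "malformed email address")
    # Compare the whole domain: a plain suffix test on the address would also
    # accept look-alike domains that merely end in the configured string.
    if limit_domain and domain.lower() != limit_domain.lower():
        return (False, False, "email domain not permitted")
    return (True, caps["auto_activate"], "ok")


if __name__ == "__main__":
    # Constructed sample requests, evaluated against one example policy.
    policy = {"level_site": 0, "level_accounts": 1, "limit_domain": "cern.ch"}
    for address in ("a.user@cern.ch", "a.user@CERN.CH", "a.user@notcern.ch",
                    "a.user@cern.ch.example.org", "no-at-sign"):
        print(address, registration_decision(address, **policy))
```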
<h2><a name="5">5. MANAGING LOGIN METHODS</a></h2>
<pre>
CDSware supports using external login systems to authenticate users.

When a user wants to login, the username and password given by the user are checked against the selected
system. If the user is authenticated by the external system, a valid email-address is returned to
CDSware and used to recognize the user within CDSware.

If a new user is trying to login without having an account, using an external login system, an account
is automatically created in CDSware to recognize the user and store the user's settings. The password for the
local account is randomly generated.

If you want the user to be unable to change login method and account username / password, forcing use
of certain external systems, set CFG_ACCESS_CONTROL_LEVEL_ACCOUNTS to 4 as described in the previous section.

If a user is changing login method from an external one to the internal one, they also need to either change the
password before logging out, or ask to get the password sent by email, since the password is randomly
generated for the local account when using an external login method.

If an external login system is used, you may want to protect the user's username / password using HTTPS.

To add a new system, two changes must be made:

- The name of the method, whether it is the default or not, and the classname must be added to the variable
  CFG_EXTERNAL_AUTHENTICATION in access_control_config.py. At least one method must be marked as the
  default one. The internal login method should be given with None as classname.

  Example:

      CFG_EXTERNAL_AUTHENTICATION = {
          "%s (internal)" % cdsname: (None, True),
          "CERN NICE (external)": (external_auth_nice(), False),
      }

- A class must be added in the file external_authentication.py. This class must include the
  function auth_user. This function returns a valid email-address in CDSware if the user
  is authenticated, not necessarily the same as the one entered by the user as username. If the user
  is not authenticated, it returns None.

  Example template:

      class external_auth_template:
          def __init__(self):
              pass

          def auth_user(self, username, password):
              # Set email to the user's address once the external system
              # has authenticated username and password.
              email = None
              if email:
                  return email
              return None

- end of file -
</pre>
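<p>The login flow described in this section, as an added Python example that is not CDSware's own code: a login method class exposing auth_user, a check that the method mapping has a default, and creation of the local account with a random password on first external login. The class external_auth_demo, the helper functions, the in-memory directory and all sample names and addresses are hypothetical and constructed for this example.</p>

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_entry(password, email):
    """Build one constructed directory record: (salt, password hash, email)."""
    salt = secrets.token_bytes(16)
    return (salt, _hash(password, salt), email)


class external_auth_demo:
    """Hypothetical external login method backed by an in-memory directory."""

    def __init__(self, directory):
        self._directory = directory  # username -> (salt, hash, email)

    def auth_user(self, username, password):
        entry = self._directory.get(username)
        if entry is None:
            return None
        salt, stored, email = entry
        # Constant-time comparison of the derived hash with the stored one.
        if hmac.compare_digest(_hash(password, salt), stored):
            return email
        return None


def validate_methods(methods):
    """Check a CFG_EXTERNAL_AUTHENTICATION-style mapping; return the default names."""
    for name, (handler, _) in methods.items():
        if handler is not None and not callable(getattr(handler, "auth_user", None)):
            raise ValueError("login method %r has no auth_user()" % name)
    defaults = sorted(name for name, (_, is_default) in methods.items() if is_default)
    if not defaults:
        raise ValueError("at least one login method must be marked as default")
    return defaults


def external_login(methods, accounts, method_name, username, password):
    """Return the local account's email address, or None if authentication fails."""
    handler, _ = methods[method_name]
    if handler is None:
        raise ValueError("internal login is not covered by this example")
    email = handler.auth_user(username, password)
    if email is None:
        return None  # fail closed: no local account is created
    if email not in accounts:
        # First external login: create the local account with a random password.
        accounts[email] = {"password": secrets.token_urlsafe(24),
                           "login_method": method_name}
    return email


def build_sample():
    """Constructed sample: one external user and a two-method mapping."""
    directory = {"jdoe": make_entry("correct horse", "jane.doe@example.org")}
    methods = {
        "Example site (internal)": (None, True),
        "Demo directory (external)": (external_auth_demo(directory), False),
    }
    return methods, {}


if __name__ == "__main__":
    methods, accounts = build_sample()
    print("default methods:", validate_methods(methods))
    ext = "Demo directory (external)"
    print(external_login(methods, accounts, ext, "jdoe", "wrong password"))
    print(external_login(methods, accounts, ext, "jdoe", "correct horse"))
    print("local accounts:", sorted(accounts))
```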
