(WIP) Curator's Role #70

Open
mb-wali opened this issue Aug 17, 2021 · 2 comments

Comments

Collaborator

mb-wali commented Aug 17, 2021

Intro:

invenio-records-marc21 is planned to provide a data model for different systems such as PURE, ALMA, DIGLIB and CMSCampus online, and there are modules for each of the above-mentioned systems in order to fetch & push data via cronjobs of celery.

  • invenio-alma
  • invenio-campus-online
  • invenio-pure
  • invenio-diglib

And each of the modules defines an account whose id will be used as the owned_by field.
e.g.

Name             Email               Id (owned_by)
alma_account     [email protected]   500
pure_account     [email protected]   600
diglib_account   [email protected]   700
cms_account      [email protected]   800

Keep in mind that the ids and emails are not valid values, just examples.

Defining multiple roles:

Consider defining a role for each of the systems in our repository data.

  • curator_alma can view/edit records that were created by the alma_account.
  • curator_pure can view/edit records that were created by the pure_account.
  • curator_diglib can view/edit records that were created by the diglib_account.
  • curator_cms can view/edit records that were created by the cms_account.
Collaborator Author

mb-wali commented Aug 18, 2021

Questions:

  • Are these created records public for other users except the roles given?
    • Yes, this should happen at cronjobs while mapping.
    • And even admin should not be allowed to access the records unless permission is given. This should happen at the marc21Permissionpolicy level.
  • Is there anything in invenio already - saying that it's restricted to only the owner?
    • Yes, it's called restricted.

known resources:

Contributor

rekt-hard commented Sep 1, 2021

Account Actions
The accounts fetching external records (e.g. 'pure_account') should only be allowed to create new records and edit their own unpublished records.

Other accounts with the associated role should be able to edit and publish these records (e.g. an account with role 'curator_pure' can edit and publish all records created by 'pure_account').

Role Management
The following commands can be used for role management.
To create a new role: invenio roles create curator_pure
To add a role to a user: invenio roles add [email protected] curator_pure
To remove a role from a user: invenio roles remove [email protected] curator_pure

Permission Policy
As invenio-records-marc21 will have its own permission policy (and not inherit from RDMRecordPermissionPolicy), it is necessary to define the policy in this module as well. The generators for the curators can be imported from invenio-config-tugraz. This will make sure that no module relies on invenio-rdm-records.
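
The rules discussed in this thread, written out as a deny-by-default decision function. This is an added example, not code from the thread, from invenio-records-marc21 or from invenio-config-tugraz; it is a plain-Python model rather than an Invenio permission policy. The names `Identity`, `Record`, `is_allowed` and `CURATOR_ROLE_BY_OWNER` are hypothetical, the ids are the illustrative ones from the table above, and restricting "create" to the fetching accounts is an assumption.

```python
from dataclasses import dataclass

# Constructed mapping: system account id (owned_by) -> curator role.
# The ids mirror the thread's illustrative table; they are not real values.
CURATOR_ROLE_BY_OWNER = {
    500: "curator_alma",
    600: "curator_pure",
    700: "curator_diglib",
    800: "curator_cms",
}


@dataclass(frozen=True)
class Identity:  # hypothetical stand-in for the logged-in user
    user_id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Record:  # hypothetical stand-in for a MARC21 record
    owned_by: int
    published: bool = False


def is_allowed(identity, action, record=None):
    """Return True only when a rule from the thread grants the action."""
    is_system_account = identity.user_id in CURATOR_ROLE_BY_OWNER
    if action == "create":
        # Assumption: only the fetching accounts create these records.
        return is_system_account
    if record is None:
        return False
    # A curator acts only on records owned by the matching system account.
    curator_role = CURATOR_ROLE_BY_OWNER.get(record.owned_by)
    if curator_role is not None and curator_role in identity.roles:
        return action in {"read", "update", "publish"}
    # A system account edits its own records until they are published
    # (read access to its own drafts is assumed to come with editing).
    if is_system_account and identity.user_id == record.owned_by:
        return action in {"read", "update"} and not record.published
    # No implicit grant for any other role, "admin" included.
    return False
```
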
