Re: Admin roles in Debian Edu
Hi,
Petter Reinholdtsen wrote:
[Christian Kuelker]
Petter Reinholdtsen wrote:
What kind of admin roles should we provide out of the box in Debian
Edu/Squeeze?
I suggest:
admin or admins
jradmin or jradmins
teacher or teachers
student* or students*
When I wrote admin roles, I meant different sets of privileges that
could be assigned to users. Which privilege differences would
jradmin, teacher and student have?
As a demand from schools:
* objects of the role teachers should be able to change the
password of objects of the role students.
* some schools demand that teachers should only be able to set the
password of students of their class.
* jradmins should be able to assign objects of the role
students to share groups (share = network folder, to be shared
among students)
My add ons:
* if teachers do not have the right to set the password of
students, it could be thought of that jadmins may have this right in
general.
I would expect students and teachers to have no privileges, and the
teachers in need of privileges to be added to an admin or jradmin
group.
yep, seems also one solution.
As for singular vs. plural, as we already have a user named admin, I
believe it is a good idea to make sure the group has a different name
and thus find it better to name it admins. :)
yep, I know there are some well thought traditions among DebianEdu.
I also suggest: stick to it! :)
additionally we could think of (lazy - omit plural):
professor
pupil*
assistant
tutor
lecturer
examinee
What privilege sets would these entitle? These sound like generic
groups, and not something that should give admin privileges. I would
yes more like generic groups that might be assigned a right.
expect a professor in need of admin rights could be added to the admin
or jradmin group to get the required privileges instead of giving some
privileges to a professor group.
Yes. That is always the solution. While I am reading this I have the
impression that admin/jadmin are roles of a different quality
than teachers/students for you?
In some cases groups might not have more, they have fewer rights
(examinee). In other cases they would be used to distinguish
external. Example: pupil might have a different desktop than student
- no LDAP right involved.
Here are some suggestions for different rights:
professor|lecturer -> teacher
In case of a big hierarchy, professor might be able to assign
teacher object to other groups.
tutor: in one university this role is used as a jadmin for
professor. It can assign student object to groups (courses)
assistant: same as jadmin (OK, we can drop)
* This was used to maintain print quota attributes in LDAP.
So it should better be called printadmin
examinee: as this user object is only created for a one time session
some constraints may be assigned to that role:
* (one|all) teacher|professor|tutor might create a set of those
objects
* LDAP: no changeable password
* no writable home dir (for some kind of tests)
* restricted shell
Not related:
* a "work group manager role" might:
- change quota resources in LDAP
- assign file systems in LDAP to users
- reset the password of its members in LDAP
* In some institutions users (students/pupils) should be allowed
to change the mail-address attribute, because they have a high
self interest to do so, because quota warnings and account
prolonging will be sent to their mail address.
* For other institutions a "selfmanage" role might be of interest,
because those institutions use LDAP data in a self responsible
way. Example: the LDAP address field will be published on a
personal web page automatically generated from some data
including LDAP. Therefore the user has to be able to change his own
address.
[...]
Gosa reads LDAP objects for the roles and they are referred to in the
gosadepartment subtree top object stating which roles have access to
the subtree.
Mm, I might need to read some GOSA tutorial.
[...]
Best regards
Christian