geonetwork - leveraging group admins

Open fvanderbiest opened this issue 3 years ago • 7 comments

GeoNetwork has the native ability to define group admins: [Screenshot from 2021-05-18 10-07-50]

With geOrchestra's LDAP sync, this feature is impossible to reach, since:

  • GN_EDITOR maps to group editor
  • GN_REVIEWER maps to group reviewer
  • GN_ADMIN maps to geonetwork super admin

I'd like to change the meaning of GN_ADMIN for a next major release, so that it maps to geonetwork's group admin instead of geonetwork's super admin.

How would we define geonetwork super admins then ? Would the ADMINISTRATOR role fit for the purpose ?

fvanderbiest, May 18 '21 08:05

it would be logical wrt reviewer and editor profiles/roles.. iff you rename it to GN_USERADMIN :)

if i get it right, a user member of org ORG1 with GN_ADMIN role would have the UserAdmin role ? what privileges does this automatically grant to it (compared to Editor/Reviewer) ? How does the migration work (i know, tough question..)

reusing ADMINISTRATOR would work, except that iirc so far this was only for geoserver, and then we have SUPERUSER...

landryb, May 18 '21 08:05

> it would be logical wrt reviewer and editor profiles/roles.. iff you rename it to GN_USERADMIN :)

Makes sense indeed !

fvanderbiest, May 18 '21 09:05

If I understand correctly, we're now mapping:

  • GN_ADMIN -> UserAdmin
  • ADMINISTRATOR -> admin user flag set
  • SUPERUSER -> admin user flag set

groldan, Oct 29 '21 12:10

I think it'd be better to introduce a new role GN_USERADMIN, and leave the current ones as they are, because people may be relying on their current meanings? Is that what you meant @landryb ?

I have to admit I've no idea what extra privileges the GN UserAdmin profile grants, but I can certainly map georchestra's GN_USERADMIN profile to GN's UserAdmin profile on the user's group that's mapped from the user's georchestra org.

groldan, Oct 29 '21 13:10

i have to admit i don't remember what UserAdmin profile does either, doc says: "UserAdmin is a user that has administrative privileges over the records and users on the group." and how it relates to the 'delegated admin' concept in georchestra ?

landryb, Oct 29 '21 14:10

if UserAdmin allows to remove users from a group, that's "dangerous" no ?

landryb, Oct 29 '21 14:10

> if UserAdmin allows to remove users from a group, that's "dangerous" no ?

Hopefully the sync process would overwrite this.

> I can certainly map georchestra's GN_USERADMIN profile to GN's UserAdmin profile on the user's group that's mapped from the user's georchestra org.

@groldan that would be awesome, yes. I agree that this role should indeed be named GN_USERADMIN rather than GN_ADMIN

fvanderbiest, Nov 30 '21 22:11