Design how RM should be configurable w.r.t. institutions
Opened this issue · 2 comments
blcham commented
Scenarios:
- [AVA OPERATOR] We want to have only one institution, and the user should be added to the institution by default
  - UI will not have pages to edit assignments of users to an institution (it should be read-only)
  - [AO/ONLINE]
    - Publish could work as follows:
      - The user logs in through AVA-keycloak and writes an email to the AVA admin
      - The AVA admin assigns him to its organization (automate this?)
      - The AVA admin adds appropriate rights to the user (we do not want to make this automatic)
  - [AO/OFFLINE]
    - Publish could work as follows:
      - The operator user sends an email / brings a USB key with new records to the AVA admin
      - The AVA admin creates the user in AVA-keycloak and assigns him to the proper organization
      - The AVA admin impersonates the user
      - The AVA admin imports the records
      - [OPTIONAL] The AVA admin can send credentials to the user so that he could do it any time later
- [AVA ADVANCED OPERATOR] We want to have only the operator's institution + the admin institution, and the user should be added to the operator's institution by default
- [AVA SUPPLIER] - We do not want to allow users who are not assigned to an institution
  - the list of users would highlight those users that are invalid, i.e. do not have an institution assigned (e.g. mark them red)
- [NON-ANONYMOUS QUESTIONNAIRE] - We want users without an institution to be able to create/edit records.
blcham commented
Open questions:
- [1] How to handle a user who is not assigned to an institution [AVA SUPPLIER]
  - we should have a .env variable to ensure all users belong to an organization: REQUIRED_INSTITION_ASSIGNMENT=true
  - alternatives:
    - make it automatic so the admin cannot forget
      - (requires [2.1]) have a GraphDB rule to assign every "native" user to the AVA institution (by extending [3] and having the institution "flagged" as being default, we might not even need the variable AUTOMATIC_ASSIGNMENT_OF_INSTITUTION). In this case we need to differentiate !!safely!! that it is a native user -- the existence of an "IDP id" is dangerous.
      - have automatic assignment of the operator's institution (i.e. [2])
    - show an appropriate error to the user that he does not have an institution assigned
      - if REQUIRED_INSTITION_ASSIGNMENT=true, then the user should see only a dashboard showing the red message "No actions to do as you are not assigned to any institution. Contact administrator."
    - the user would not be able to sign in if he does not belong to an institution, but an appropriate error would be shown to him
      - if REQUIRED_INSTITION_ASSIGNMENT=true, show the same message as above
    - make it automatic so the admin cannot forget
- [2] How to automate the assignment of the operator's institution at the AVA supplier [AVA OPERATOR]
  - configuration within the IDP should give the id of the institution the operator belongs to
  - alternative:
    - [2.1] implement a Keycloak plugin to save the provider id (= institution id) + a GraphDB rule
    - implement it in the record manager (using the provider id) to assign the user to the institution
- [3] How to implement the default institution [AVA OPERATOR]?
  - we would have a .env variable AUTOMATIC_ASSIGNMENT_OF_INSTITUTION=true
  - alternatives:
    - a GraphDB inference rule that would find the institution in the repository and assign it to every user
    - implementation in a Keycloak plugin where we configure via .env any concrete triple to add: ?user ?p ?o .
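Added example (editor's illustration, not part of the issue thread and not Record Manager or Keycloak code): a server-side policy check that models the two .env switches proposed in the open questions, REQUIRED_INSTITUTION_ASSIGNMENT (spelled here with the typo corrected) and AUTOMATIC_ASSIGNMENT_OF_INSTITUTION, together with the institution "flagged" as default from [3], an issuer-to-institution mapping standing in for the IdP configuration from [2], and the red-marking of users without an institution from the [AVA SUPPLIER] scenario. The enforcement is fail-closed: the dashboard message is only a courtesy, the decision is taken before any record action. Auto-assignment of the default institution is restricted to users from an explicitly configured set of native issuers rather than to "anyone with an IdP id", which is the trap the thread warns about. The variable names ISSUER_INSTITUTION_MAP and NATIVE_ISSUERS, the record layout and the sample IRIs are assumptions made for the example.

```python
"""Institution-assignment policy check (added example, not project code).

Models REQUIRED_INSTITUTION_ASSIGNMENT / AUTOMATIC_ASSIGNMENT_OF_INSTITUTION,
a default-flagged institution ([3]), an issuer -> institution mapping ([2]) and
the "mark users without an institution red" listing ([AVA SUPPLIER]).
ISSUER_INSTITUTION_MAP, NATIVE_ISSUERS and all data shapes are assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Mapping, Optional, Tuple

# Message proposed in the thread for the "required" mode.
NO_INSTITUTION_MESSAGE = ("No actions to do as you are not assigned to any institution. "
                          "Contact administrator.")
_TRUE = ("1", "true", "yes", "on")


@dataclass
class Institution:
    iri: str
    is_default: bool = False   # assumed "flagged as default" marker from [3]


@dataclass
class User:
    username: str
    issuer: str                # IdP issuer that authenticated the user (assumed attribute)
    institution: Optional[str] = None


@dataclass(frozen=True)
class Policy:
    required: bool                          # deny users with no institution (fail closed)
    automatic: bool                         # attach the default institution to native users
    native_issuers: FrozenSet[str]          # issuers whose users count as "native" (assumed)
    issuer_institution: Mapping[str, str]   # issuer -> institution IRI, from IdP config ([2])

    @classmethod
    def from_env(cls, env: Mapping[str, str] = os.environ) -> "Policy":
        def flag(name: str) -> bool:
            return env.get(name, "false").strip().lower() in _TRUE
        # ISSUER_INSTITUTION_MAP (assumed): "issuer=institutionIri,issuer2=iri2"
        mapping: Dict[str, str] = {}
        for item in filter(None, env.get("ISSUER_INSTITUTION_MAP", "").split(",")):
            issuer, _, iri = item.partition("=")
            mapping[issuer.strip()] = iri.strip()
        # NATIVE_ISSUERS (assumed): comma-separated issuer URLs of the local Keycloak realm(s)
        native = frozenset(filter(None, (s.strip() for s in env.get("NATIVE_ISSUERS", "").split(","))))
        return cls(flag("REQUIRED_INSTITUTION_ASSIGNMENT"),
                   flag("AUTOMATIC_ASSIGNMENT_OF_INSTITUTION"), native, mapping)


def default_institution(institutions: Iterable[Institution]) -> Optional[Institution]:
    """The single institution flagged as default, or None; two flags is a config error."""
    defaults = [i for i in institutions if i.is_default]
    if len(defaults) > 1:
        raise ValueError("more than one institution is flagged as default")
    return defaults[0] if defaults else None


def resolve_institution(user: User, policy: Policy, institutions: Iterable[Institution]) -> Optional[str]:
    """Fill in user.institution from configuration where the policy allows it.

    An explicit issuer -> institution mapping ([2]) wins. Otherwise the default
    institution is attached only to users from a configured native issuer; the
    mere presence of an IdP id is deliberately not used as the criterion.
    """
    if user.institution is None:
        mapped = policy.issuer_institution.get(user.issuer)
        if mapped is not None:
            user.institution = mapped
        elif policy.automatic and user.issuer in policy.native_issuers:
            default = default_institution(institutions)
            if default is not None:
                user.institution = default.iri
    return user.institution


def authorize(user: User, policy: Policy, institutions: Iterable[Institution]) -> Tuple[bool, Optional[str]]:
    """Server-side decision for a signed-in user: (may create/edit records, dashboard message)."""
    if resolve_institution(user, policy, institutions) is None and policy.required:
        return False, NO_INSTITUTION_MESSAGE   # fail closed; UI text is only a courtesy
    return True, None                          # required=false covers [NON-ANONYMOUS QUESTIONNAIRE]


def invalid_users(users: Iterable[User]) -> List[str]:
    """Usernames the user list should mark red: no institution assigned."""
    return [u.username for u in users if u.institution is None]
```

With both switches off the check degrades to the questionnaire scenario (everyone may act); with REQUIRED_INSTITUTION_ASSIGNMENT=true and no automatic rule it is the supplier scenario, where the admin must assign manually and forgotten users show up in invalid_users.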