Re: Admin roles in Debian Edu
[Christian Kuelker]
> Petter Reinholdtsen wrote:
> >What kind of admin roles should we provide out of the box in Debian
> >Edu/Squeeze?
>
> I suggest:
> admin or admins
> jradmin or jradmins
> teacher or teachers
> student* or students*
When I wrote admin roles, I meant different sets of privileges that
could be assigned to users. Which privilege differences would
jradmin, teacher and student have?
I would expect students and teachers to have none privileges, and the
teachers in need of privileges to be added to a admin or jradmin
group.
As for singular vs. plural, as we already have a user named admin, I
believe it is a good idea to make sure the group have a different name
and thus find it better to name it admins. :)
> additionally we could think of (lazy - omit plural):
>
> professor
> pupil*
> assistant
> tutor
> lecturer
> examinee
What privilege sets would these entitle? These sound like generic
groups, and not something that should give admin privileges. I would
expect a professor in need of admin rights could be added to the admin
or jradmin group to get the required privileges instead of giving some
privileges to a professor group.
> So this is the same as super-admin LDAP user?
Not quite sure.
> No subtree for Admins?
Nope. Admins could be stored in the root.
> Why two different kind of role assignment methods?
not sure.
> > Gosa jradmin role
> >
> > Entities with this role can modify some attributes of user and
> > group objects.
>
> How is this implemented?
Gosa reads LDAP objects for the roles and they are refered to in the
gosadepartment subtree top object stating which role have access to
the subtree.
> I do not now the actual implementation with GOSA, please correct me
> if my following guesses are wrong.
Do not know Gosa enough to say, so I leave that to someone who
understand it better.
Happy hacking,
--
Petter Reinholdtsen
Reply to: