#10878: Add "Site Administrator" role
----------------------------+-----------------------------------------------
 Reporter:  davisagli       |        Owner:  davisagli
     Type:  PLIP            |       Status:  closed   
 Priority:  major           |    Milestone:  4.1      
Component:  Infrastructure  |   Resolution:  fixed    
 Keywords:                  |  
----------------------------+-----------------------------------------------

Old description:

> '''Proposer:''' David Glick[[BR]]
> '''Seconders:''' Jon Stahl, Karl Johan Kleist[[BR]]
>
> (This is a revised version of #9578.)
>
> == Motivation ==
> There is a class of user who should have full access to manage content
> and configuration in a Plone site, but who should be protected from
> access to places where they are more likely to cause harm than good (such
> as the ZMI). This use case has been identified by consulting firms such
> as my own employer, Groundwire, who have expressed a desire to be able to
> give someone almost full Manager access to a site, but remove certain
> permissions.  None of Plone's existing roles fills this need.
>
> == Proposal & Implementation ==
>
> We propose adding a new role, SiteAdmin, which grants most but not all of
> the permissions of the Manager role.
>
> Persona: Jane - "Site Administrator". Jane is the "website responsible
> person" for a small/midsized Plone site. She's not a developer, or even
> an integrator, but coordinates with other people who play those roles.
> She is responsible for supervising the content creation and editing
> process. As such, she needs to be able to administer all of the content
> management aspects of her Plone site, but should not be able to access
> things that assume system administration or Plone integrator/developer
> skills.
>
> Things Jane should be able to do:
>
>  * Generally, do all things that a Manager can do, except...
>
> Things Jane should not be able to do:
>
>  * Use the "Maintenance" control panel.
>  * Get to the ZMI
>  * Add/remove products
>  * Change themes
>  * Change cache configuration
>
> == Implementation & Deliverables ==
>
> Implementing this proposal will proceed roughly as follows:
>
>  * Audit the current set of permissions to determine which should be
> enabled for the SiteAdmin role [done]
>  * Audit items currently protected by the "Manage portal" permission to
> determine if some of these need to use a more specific permission to
> allow granting access to SiteAdmin without giving SiteAdmin "Manage
> portal". (For example, permission to view various control panels will
> need to be adjusted in this way.) I will also deprecate
> plone_control_panel.pt and implement the main control panel overview as a
> browser view, to aid in the permission change. [done]
>  * Assign the list of desired permissions to the SiteAdmin role, either
> via rolemap.xml or by modifying import-time calls to setDefaultRoles in
> various packages (I'm not sure if this works for roles other than the
> default Zope ones). [done]
>  * Update the default workflows to assign their managed permissions
> correctly to the SiteAdmin role. [done]
>  * Make adjustments to the users and groups control panels to ensure that
> there's no risk of privilege escalation. [done]
>  * Determine and document a best practice for how add-on products should
> make use of the SiteAdmin role, in regards to custom permissions' default
> roles and to custom workflows. [decided, but not yet documented]
>  * Write upgrade steps to update the rolemap and workflows for pre-
> existing Plone sites. [done]
>
> = Risks & Assumptions =
>
>  * Add-on products with custom permissions or workflows may need some
> updates to support the new role. I will try to ensure that non-updated
> products continue to work fine (with the exception of lacking support for
> use by SiteAdmins), and that updated products can continue to work fine
> in 4.0.x.
>  * A reindex of the allowedUsersAndRoles index will be required when
> upgrading.
>  * The proposed name of the role should be considered irrelevant until
> we're done discussing the meat of the proposal. We can easily change the
> name at any point during implementation; please save your bikeshedding
> for later. ;)
>
> == Participants ==
> David Glick
>
> == Progress ==
> Implementation submitted for review.

New description:

 '''Proposer:''' David Glick[[BR]]
 '''Seconders:''' Jon Stahl, Karl Johan Kleist[[BR]]

 (This is a revised version of #9578.)

 == Motivation ==
 There is a class of user who should have full access to manage content and
 configuration in a Plone site, but who should be protected from access to
 places where they are more likely to cause harm than good (such as the
 ZMI). This use case has been identified by consulting firms such as my own
 employer, Groundwire, who have expressed a desire to be able to give
 someone almost full Manager access to a site, but remove certain
 permissions.  None of Plone's existing roles fills this need.

 == Proposal & Implementation ==

 We propose adding a new role, Site Administrator, which grants most but
 not all of the permissions of the Manager role.

 Persona: Jane - "Site Administrator". Jane is the "website responsible
 person" for a small/midsized Plone site. She's not a developer, or even an
 integrator, but coordinates with other people who play those roles. She is
 responsible for supervising the content creation and editing process. As
 such, she needs to be able to administer all of the content management
 aspects of her Plone site, but should not be able to access things that
 assume system administration or Plone integrator/developer skills.

 Things Jane should be able to do:

  * Generally, do all things that a Manager can do, except...

 Things Jane should not be able to do:

  * Use the "Maintenance" control panel.
  * Get to the ZMI
  * Add/remove products
  * Change themes
  * Change cache configuration

 == Implementation & Deliverables ==

 Implementing this proposal will proceed roughly as follows:

  * Audit the current set of permissions to determine which should be
 enabled for the Site Administrator role [done]
  * Audit items currently protected by the "Manage portal" permission to
 determine if some of these need to use a more specific permission to allow
 granting access to Site Administrator without giving Site Administrator
 "Manage portal". (For example, permission to view various control panels
 will need to be adjusted in this way.) I will also deprecate
 plone_control_panel.pt and implement the main control panel overview as a
 browser view, to aid in the permission change. [done]
  * Assign the list of desired permissions to the Site Administrator role,
 either via rolemap.xml or by modifying import-time calls to
 setDefaultRoles in various packages (I'm not sure if this works for roles
 other than the default Zope ones). [done]
  * Update the default workflows to assign their managed permissions
 correctly to the Site Administrator role. [done]
  * Make adjustments to the users and groups control panels to ensure that
 there's no risk of privilege escalation. [done]
  * Determine and document a best practice for how add-on products should
 make use of the Site Administrator role, in regards to custom permissions'
 default roles and to custom workflows. [decided, but not yet documented]
  * Write upgrade steps to update the rolemap and workflows for pre-
 existing Plone sites. [done]

 = Risks & Assumptions =

  * Add-on products with custom permissions or workflows may need some
 updates to support the new role. I will try to ensure that non-updated
 products continue to work fine (with the exception of lacking support for
 use by Site Administrators), and that updated products can continue to
 work fine in 4.0.x.
  * A reindex of the allowedUsersAndRoles index will be required when
 upgrading.
  * The proposed name of the role should be considered irrelevant until
 we're done discussing the meat of the proposal. We can easily change the
 name at any point during implementation; please save your bikeshedding for
 later. ;)

 == Participants ==
 David Glick

 == Progress ==
 Implementation submitted for review.

--

Comment(by davisagli):

 Updated description to reflect the renamed role (now "Site Administrator"
 instead of SiteAdmin)

-- 
Ticket URL: <http://dev.plone.org/plone/ticket/10878#comment:39>
Plone <http://plone.org>
Plone Content Management System
_______________________________________________
PLIP-Advisories mailing list
plip-advisor...@lists.plone.org
http://lists.plone.org/mailman/listinfo/plip-advisories
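
An added example, not part of the ticket or of Plone's own code: one way to audit a GenericSetup rolemap.xml against the goals in the description, flagging permissions the Site Administrator role holds that the proposal withholds, and Manager-only permissions an add-on has not yet reviewed for the new role. The sample XML, the example.addon permission names and the DENIED set are constructed; treating Zope's "View management screens" permission as the guard for "Get to the ZMI" is an assumption.

```python
import xml.etree.ElementTree as ET

NEW_ROLE = "Site Administrator"
# Assumption: permissions standing in for the "should not be able to do" list.
# "Manage portal" is named in the ticket; "View management screens" is the
# Zope permission assumed here to guard the ZMI.
DENIED = {"Manage portal", "View management screens"}

# Constructed sample rolemap.xml for a hypothetical add-on profile.
SAMPLE_ROLEMAP = """<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="Site Administrator"/>
  </roles>
  <permissions>
    <permission name="Manage portal" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
    </permission>
    <permission name="example.addon: Manage widgets" acquire="True">
      <role name="Manager"/>
    </permission>
    <permission name="example.addon: Add widget" acquire="True">
      <role name="Manager"/>
      <role name="Site Administrator"/>
      <role name="Contributor"/>
    </permission>
  </permissions>
</rolemap>
"""

def audit_rolemap(xml_text, new_role=NEW_ROLE, denied=DENIED):
    """Return (over_granted, not_updated) permission names, each sorted."""
    root = ET.fromstring(xml_text)
    over_granted, not_updated = [], []
    for perm in root.iterfind("./permissions/permission"):
        name = perm.get("name")
        roles = {r.get("name") for r in perm.iterfind("role")}
        if name in denied:
            if new_role in roles:
                over_granted.append(name)   # narrows the gap to Manager
        elif "Manager" in roles and new_role not in roles:
            not_updated.append(name)        # candidate for review by the add-on
    return sorted(over_granted), sorted(not_updated)

if __name__ == "__main__":
    over, missing = audit_rolemap(SAMPLE_ROLEMAP)
    print("granted but should be withheld:", over)
    print("Manager-only, review for the new role:", missing)
```

A Manager-only result is a prompt for review, not a defect in itself: some permissions are meant to stay with Manager.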
