Hey folks,

The ability to delegate administrative functions of our portal continues to increase in importance here at Johns Hopkins as we prepare to launch several department-specific fragments for release to prime-time. Our ultimate end goal is to pass off the drudgeries of simple content and layout management to non-technical "content owners" of each sub-section within our portal.

In support of this effort, we are obviously reliant on the new Fragment Administration portlets (UP-2118 <http://www.ja-sig.org/issues/browse/UP-2118>) that Drew Wills developed for us. Additionally, however, we also need to grant these individuals access to the Channel Manager so that they may create and manage their own channels (mainly simple Web Proxy Portlet instances which consume content from our actual SiteExecutive CMS).

Unfortunately, there does not currently appear to be any way of limiting access to channel management activities via permissions. Essentially, granting access to the Channel Manager grants full access to modify all existing channels, which is obviously not desirable.

I'd like to propose the addition of a new "MANAGE" permission in order to achieve this goal. I have prepared a JIRA ticket (UP-2186 <http://www.ja-sig.org/issues/browse/UP-2186>) and attached my initial proposed patch, which I have successfully tested on our development instance.

Using a set of specific channel MANAGE permissions in chorus with a set of standard Groups Manager VIEW/SELECT permissions rules has allowed us to limit the publishing and administration of department-specific channels to a specific Channel Category. The end result is that the Channel Manager displays ONLY the channels which the principal has access to manage.

*** PLEASE NOTE: I have not yet modified the associated Cernunnos import/export scripts to cleanly accommodate this new MANAGE permission! Obviously, it will be useful for the import/export scripts to handle the translation of the target literal values. So, for example, we could use the translated name "SAIS Channels" instead of providing the literal "local.70" value in the example below, and so forth... ***

There are two ways to configure permissions using the permission as I have proposed:

1) By Channel

Examples:

a) GRANT MANAGE permission of ALL channels to "Portal Administrators":

    <permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
        <owner>UP_FRAMEWORK</owner>
        <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
        <principal>
            <group>Portal Administrators</group>
        </principal>
        <activity>MANAGE</activity>
        <target>
            <literal>CHAN_ID.*</literal>
        </target>
        <permission-type>GRANT</permission-type>
    </permission>

b) GRANT MANAGE permission of a SPECIFIC channel to "Portal Administrators":

*** ("CHAN_ID.7" = "bmore-weather" in our instance, see above NOTE) ***

    <permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
        <owner>UP_FRAMEWORK</owner>
        <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
        <principal>
            <group>Portal Administrators</group>
        </principal>
        <activity>MANAGE</activity>
        <target>
            <literal>CHAN_ID.7</literal>
        </target>
        <permission-type>GRANT</permission-type>
    </permission>

2) By Channel Category

Example:

GRANT MANAGE permission of all channels beneath the "SAIS Channels" category to members of the "SAIS Fragment Administrators" group:

*** ("local.70" = "SAIS Fragment Administrators" in our instance, see above NOTE) ***

    <permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
        <owner>UP_FRAMEWORK</owner>
        <principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
        <principal>
            <group>SAIS Fragment Administrators</group>
        </principal>
        <activity>MANAGE</activity>
        <target>
            <literal>local.70</literal>
        </target>
        <permission-type>GRANT</permission-type>
    </permission>

We are moving forward with this functionality to address an immediate need here, but would love to contribute this work (or at least the concept) back to the community for hopeful inclusion into the project. Please take a look and provide any relevant feedback.

Thanks,
--Chris

--
[ c h r i s d o y l e ]
Johns Hopkins University
Sr. System Software Engineer, [EMAIL PROTECTED]
"Eleven. Exactly. One louder."
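
An added example, not part of the original message or the UP-2186 patch: a small audit script that parses MANAGE entries in the import format quoted above, works out which channels each group could manage, and flags wildcard grants held by groups other than the administrators. The `<permissions>` wrapper element, the "Weather Editors" and "Help Desk" groups, the channel inventory, and the matching rules (direct category membership only, no DENY handling) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Entry template in the import format quoted in the message above.
ENTRY = """<permission script="classpath://org/jasig/portal/io/import-permission_v2-6.crn">
<owner>UP_FRAMEWORK</owner>
<principal-type>org.jasig.portal.groups.IEntityGroup</principal-type>
<principal><group>{group}</group></principal>
<activity>MANAGE</activity>
<target><literal>{target}</literal></target>
<permission-type>GRANT</permission-type>
</permission>"""

# Constructed sample data. "Weather Editors", "Help Desk" and the
# <permissions> wrapper are hypothetical; the rest comes from the message.
SAMPLE_GRANTS = [
    ("Portal Administrators", "CHAN_ID.*"),
    ("SAIS Fragment Administrators", "local.70"),
    ("Weather Editors", "CHAN_ID.7"),
    ("Help Desk", "CHAN_ID.*"),
]
SAMPLE = "<permissions>%s</permissions>" % "".join(
    ENTRY.format(group=g, target=t) for g, t in SAMPLE_GRANTS)

# Constructed channel inventory: channel id -> keys of its categories.
CHANNELS = {7: {"local.12"}, 31: {"local.70"}, 32: {"local.70"}}

def parse_grants(xml_text):
    """Return (group, target) for every GRANT of the MANAGE activity."""
    grants = []
    for p in ET.fromstring(xml_text).iter("permission"):
        if (p.findtext("activity") == "MANAGE"
                and p.findtext("permission-type") == "GRANT"):
            grants.append((p.findtext("principal/group"),
                           p.findtext("target/literal")))
    return grants

def manageable(group, grants, channels):
    """Channel ids the group may manage: wildcard, exact id, or category."""
    targets = {t for g, t in grants if g == group}
    return sorted(
        chan_id for chan_id, cats in channels.items()
        if "CHAN_ID.*" in targets
        or f"CHAN_ID.{chan_id}" in targets
        or targets & cats)  # assumed: target equals a category key

def broad_grants(grants, allowed=("Portal Administrators",)):
    """Wildcard MANAGE grants held by groups outside the allowed list."""
    return [(g, t) for g, t in grants
            if t == "CHAN_ID.*" and g not in allowed]
```

Running `broad_grants` over an exported permission set before import is a quick way to confirm that delegated groups stay scoped to their own category.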
