Darren.duncan: Add details on which LDAP groups have SDS screen privileges and which don't.

2024-06-10T08:13:15Z

Add details on which LDAP groups have SDS screen privileges and which don't.

Darren.duncan: Add new document part Users and Privileges which describes kinds of users and lists the LDAP groups.

2024-06-09T01:58:19Z

Add new document part Users and Privileges which describes kinds of users and lists the LDAP groups.

New page

__FORCETOC__

This document consists of multiple parts; for a directory to all of the
parts, see [[SDSM:Index]].

== Description ==

This part of the '''SDS Modernization (SDSM)''' document provides
details on the kinds of '''SDS''' users and their privileges.

[[#top|RETURN]]

== Kinds of Users ==

A ''user'' is an individual human that interacts with '''SDS'''.

An ''account'' is an entity that represents a single ''user''' in '''SDS'''
and is the means by which a ''user'' interacts with the app while they are
authenticated to it.

'''SDS''' is fundamentally a private system and has no significant
functionality available to any user while the latter is not authenticated
or logged in to the app.

The most significant '''SDS''' screens that a non-authenticated user can
interact with are the ''Public Home'' app landing screen welcoming them to
the app, and the ''Login'' screen for authenticating to their account.

Note that any references in this '''SDSM''' document to a ''user'', except
when explicitly qualified otherwise, specifically means a non-anonymous
user who has an ''account'' and is currently authenticated to it.

An ''internal user'' is a user that currently works for or is a student at
'''SMUS'''; they have a Microsoft Active Directory account with the school
which is the source of truth for their identity that they use to
authenticate with both '''SDS''' accounts and many other school systems
such as PCs and '''SMUS''' email accounts.

(Note that some individuals who work for '''SMUS''', typically by way of
companies contracted to the school, do not have school Microsoft Active
Directory accounts because they don't need school email accounts, and so
they also are not '''SDS''' users.)

An ''external user'' is a user that currently neither works for nor is a
student at '''SMUS'''; they do ''not'' have a Microsoft Active Directory
account with the school, and the source of truth for their identity that
they use to authenticate with '''SDS''' accounts (and nothing else) is
a different exclusive school LDAP server.

Parents of current students are typically external users, except for those
such parents who are instead internal users for other reasons, such as
because they also currently work for the school.

Alumni of the school are a gray area that might still have Microsoft Active
Directory school accounts in order to support maintaining a school email
address, but they are not '''SDS''' users, unless for other reasons, such
as because they also currently work for the school or are parents of
current students.

Note that any references in this '''SDSM''' document to
''school LDAP server'' typically refer to a Microsoft Active Directory
server, as LDAP is the protocol '''SDS''' uses to talk with it.

[[#top|RETURN]]

== Roles and Privileges of Users ==

Each '''SDS''' user account is granted a set of privileges which determine
what app functionality that user may employ. A typical privilege
corresponds to a single app screen and confers usage of that screen to that
user, though other kinds of privileges may also exist.

A user is typically granted a privilege indirectly by way of that user
being assigned membership to a user group that is in turn granted that
privilege. A user less often is granted a privilege directly.

A school LDAP server is the source of truth for what user groups exist,
expressed as LDAP groups, and for what user accounts are members of those
groups. There are currently 187 such LDAP groups defined.

The '''SDS''' database table <code>group_permissions</code> is the source
of truth for what LDAP groups have been granted privileges to access
specific ''SDS Gavintech'' screens, and the table <code>group_pages</code>
does that for specific ''SDS Laravel'' screens.

The '''SDS''' database table <code>person_permissions</code> is the source
of truth for what user accounts have individually been granted privileges
to access specific ''SDS Gavintech'' screens, and no corresponding
mechanism is yet implemented for ''SDS Laravel'' screens.

Each '''SDS''' user account is also defined in the '''SDS''' database to
possess one or more roles, each of which is explicitly and specifically
recognized in the '''SDS''' application logic, and affects how that user
account is treated, both with respect to what that account's user is
allowed to do in the app, and with respect to what kind of records and
activities are associated with that user in the database. This logic may be
arbitrarily complex and is distinct from the effect of granting generic
yes/no screen access privileges.

Examples of those explicit roles are:

* The user currently is a student at the school.
* The user is a parent/guardian of a current student.
* The user currently works as a teacher for the school.
* The user currently works as administrative staff for the school.

The '''SDS''' screens are broadly divided into 3 mutually exclusive screen
groups, for students, parents, and teachers/staff respectively.

Current students see this '''SDS''' main menu:

* Student Menu

Parents of current students see these '''SDS''' main menus:

* Academics
* Administration
* Forms
* School Information
* Tuition & Payment

Teachers and administrative staff see these '''SDS''' main menus:

* Admin Menu
* Staff Menu

In addition, teachers with their own courses see this '''SDS''' main menu:

* My Courses

A user who is both a teacher/staff and a parent may see nearly all main menus.

As a special case, a user who works as a developer/debugger of SDS for the
school might see all of the menus even if a normal user wouldn't.

[[#top|RETURN]]

== List of LDAP Groups ==

There are 187 LDAP groups that each user might have membership in:

* _General - Personalization Team
* _Senior - LRC Students
* accountingshare
* AdminStaff
* admissionsshare
* admitdbusers
* AdobeUsers
* advancementshare
* Alumni
* AMTMembers
* AMTWriters
* archiveshare
* Arduino Signing Certs
* AssetDisposalusr
* athleticshareusers
* AwardAdmin
* BarnacleHouseStaff
* barnacleshare
* Boarding Non-House
* BoardingAdministrators
* BoardingHouseStaff
* boardingshare
* BoardingWikiEdit
* BoardingWikiRead
* BoltonHouseStaff
* Budget Web
* BusAdmin
* CampusShopShare
* CampusShopUsers
* ClickViewManagers
* Coaches
* Columbia Users
* Contractors
* digitalartusers
* DirectAccess Computers
* edext summer
* EdExtension
* edextshare
* edextsummershare
* edextteachershare
* edextyearbook
* Enable Offline Files
* EnablePrivateStore
* ETtestGroup
* examtestadministrators
* Extended Leave Permissions
* financeusers
* FortiClient Users
* FR100
* GPO-LocalMyDocuments
* Grade 10 Board
* Grade 10 Board NW
* Grade 10 Day
* Grade 10 Day NW
* Grade 11 Board
* Grade 11 Board NW
* Grade 11 Day
* Grade 11 Day NW
* Grade 12 Board
* Grade 12 Board NW
* Grade 12 Day
* Grade 12 Day NW
* Grade 6
* Grade 6 NW
* Grade 7
* Grade 7 NW
* Grade 8 Board
* Grade 8 Board NW
* Grade 8 Day
* Grade 8 Day NW
* Grade 9 Board
* Grade 9 Board NW
* Grade 9 Day
* Grade 9 Day NW
* GTProUsers
* HarveyHouseStaff
* health
* HowardCafe
* hpshare
* HRConfidential
* HRShare
* infirmaryshare
* Inspiration Machines
* Ivy Users
* JuniorFaculty
* juniorlibraryshare
* LanguagesKeyboardsChinese
* LanguagesKeyboardsJapanese
* LanSchool Teachers
* linux-sdsdev-allowed-users
* Management Team
* marketingshare
* MarketResearchGroup
* MetaViewer Administrators
* MetaViewer Power Users
* Metaviewer Service Clients
* MetaViewer Support
* Metaviewer Users
* Middle One to One Users
* MiddleFaculty
* middlefrenchshare
* MiddleHumanitiesShare
* middlelibraryshare
* MiddlePrintManagers
* MiddleYearbookUsers
* midmathshare
* midscienceshare
* midshareusers
* MIS
* No Daily Restart
* Non H Drive Users
* Non Roaming Profile Users
* Non-staff StaffNT Access
* office2007share
* Office365AlumniList
* Office365ExtraUsers
* Office365Staff
* Office365Students
* outdoorshare
* parent web
* parentnt
* passwordtest
* Payrollshare
* pdrive
* PESched
* photclubusers
* pptpres
* ProjManShare
* PublicWikiEdit
* radius_guest_access
* radius_staff_wireless_access
* radius_unified_wireless_access
* radius_wireless_access
* RDS Desktop Brokers
* receptionshare
* RedFlags
* Remote Desktop Users - MechanicalDesktop
* ReregUsers
* Retirees
* riskmgmtshare
* SageDocumentWriters
* SageExporters
* SageReportWriters
* SCCMServers
* SDS_Admin
* SDS_Admissions
* SDS_Interviews
* SDS_LearningResources
* SDS_ParentImpersonate
* SDS_Print
* SDS_TimeAdmin
* SDS-Debug
* SDS-HODS
* securityshare
* SeniorFaculty
* seniorlibraryshare
* SeniorPrintManagers
* smusonlineshare
* Software Center Admin
* Sony Soloist Computers
* Staffhome
* Staffnt
* StaffTestAccounts
* Student Mid
* Student Sen
* StudentHDriveAccess
* StudentHDriveAccessLightroom
* studentservices
* Studentsnt
* StudentTeachers
* SymonsHouseStaff
* test group for policy
* TimmisHouseStaff
* TransShare
* Trevlac
* TripAdmin
* tuckshopusers
* ucshare
* VideoClub
* w7testing
* Wacom Signing Certs
* WebUsers
* WikiTest
* WinslowHouseStaff
* winslowshare
* WorkExpDB
* Yearbook Users

[[#top|RETURN]]

SDSM:Users and Privileges - Revision history

Darren.duncan: Add details on which LDAP groups have SDS screen privileges and which don't.

Darren.duncan: Add new document part Users and Privileges which describes kinds of users and lists the LDAP groups.