SDSM:Users and Privileges

From SMUSwiki
(Add new document part Users and Privileges which describes kinds of users and lists the LDAP groups.)
 
(Add details on which LDAP groups have SDS screen privileges and which don't.)
 

Latest revision as of 00:13, 10 June 2024


This document consists of multiple parts; for a directory to all of the parts, see SDSM:Index.

Description

This part of the SDS Modernization (SDSM) document provides details on the kinds of SDS users and their privileges.


Kinds of Users

A user is an individual human that interacts with SDS.

An account is an entity that represents a single user in SDS and is the means by which a user interacts with the app while they are authenticated to it.

SDS is fundamentally a private system and has no significant functionality available to any user while the latter is not authenticated or logged in to the app.

The most significant SDS screens that a non-authenticated user can interact with are the Public Home app landing screen welcoming them to the app, and the Login screen for authenticating to their account.

Note that any references in this SDSM document to a user, except when explicitly qualified otherwise, specifically means a non-anonymous user who has an account and is currently authenticated to it.

An internal user is a user who currently works for, or is a student at, SMUS. Such a user has a Microsoft Active Directory account with the school; that account is the source of truth for their identity, and it is what they use to authenticate both to SDS and to many other school systems such as PCs and SMUS email.

(Note that some individuals who work for SMUS, typically by way of companies contracted to the school, do not have school Microsoft Active Directory accounts because they don't need school email accounts, and so they also are not SDS users.)

An external user is a user who currently neither works for nor is a student at SMUS. Such a user has no Microsoft Active Directory account with the school; the source of truth for their identity is instead a separate school LDAP server used exclusively for SDS, and the identity it holds authenticates them to SDS and to nothing else.

Parents of current students are typically external users, except for those such parents who are instead internal users for other reasons, such as because they also currently work for the school.

Alumni of the school are a gray area: they might still hold Microsoft Active Directory school accounts so that they can keep a school email address, but that alone does not make them SDS users. They are SDS users only for other reasons, such as also currently working for the school or being parents of current students.

Note that any references in this SDSM document to school LDAP server typically refer to a Microsoft Active Directory server, as LDAP is the protocol SDS uses to talk with it.


Roles and Privileges of Users

Each SDS user account is granted a set of privileges which determine what app functionality that user may employ. A typical privilege corresponds to a single app screen and confers usage of that screen to that user, though other kinds of privileges may also exist.

A user is typically granted a privilege indirectly, by being assigned membership in a user group that is in turn granted that privilege. Less often, a user is granted a privilege directly.

A school LDAP server is the source of truth for what user groups exist, expressed as LDAP groups, and for what user accounts are members of those groups. There are currently 187 such LDAP groups defined.

The SDS database table group_permissions is the source of truth for what LDAP groups have been granted privileges to access specific SDS Gavintech screens, and the table group_pages does that for specific SDS Laravel screens.

Currently, 29 of the 187 LDAP groups have been granted privileges for 1 or more SDS Gavintech screens each, and the remaining 158 have none. Of those 29, 6 have been granted exactly 1 screen each, 9 between 2 and 9 screens each, 11 between 11 and 67 each, and 3 have been granted 100 or more each. (The database also holds grants for 2 LDAP groups that do not currently exist on the LDAP server, in addition to the 29 existing ones.)

The SDS database table person_permissions is the source of truth for what user accounts have individually been granted privileges to access specific SDS Gavintech screens, and no corresponding mechanism is yet implemented for SDS Laravel screens.
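The resolution described above (LDAP group membership joined to group_permissions, plus direct person_permissions grants) is small enough to show end to end. The following is an added example, not SDS code: the page names the two tables but not their columns, so the columns group_name, screen and person_id, the screen names, the person IDs and the stand-in LDAP directory are all assumptions constructed for the example. It also includes the two audits a practitioner would want alongside this model: which LDAP groups have no grants at all, and which grants name a group that does not exist in LDAP (the situation the list at the end of this document reports).

```python
"""Resolve a user's effective SDS Gavintech screen privileges and audit the
group grants against LDAP.  Added example with an assumed schema; the real
SDS tables are only known here by name."""
import sqlite3

# Constructed sample data.  The group names come from this page; the screen
# names and person IDs are invented for the example.
SAMPLE_GROUP_PERMISSIONS = [
    ("SDS_Admin", "admin/user_list"),
    ("SDS_Admin", "admin/audit_log"),
    ("Staffnt", "staff/home"),
    ("health", "staff/infirmary_visits"),
    ("sds_debug", "debug/sql_console"),        # no such LDAP group
    ("sds_learningresource", "lrc/bookings"),  # no such LDAP group
]
SAMPLE_PERSON_PERMISSIONS = [
    (1001, "staff/infirmary_visits"),  # direct grant to a single account
]
# Constructed stand-in for the LDAP directory: group name -> member IDs.
SAMPLE_LDAP_GROUPS = {
    "SDS_Admin": {1000},
    "Staffnt": {1000, 1001},
    "health": set(),
    "SDS-Debug": set(),
    "SDS_LearningResources": set(),
}


def build_db(group_perms=SAMPLE_GROUP_PERMISSIONS,
             person_perms=SAMPLE_PERSON_PERMISSIONS):
    """Create an in-memory copy of the two grant tables (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE group_permissions (group_name TEXT NOT NULL, screen TEXT NOT NULL);
        CREATE TABLE person_permissions (person_id INTEGER NOT NULL, screen TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO group_permissions VALUES (?, ?)", group_perms)
    conn.executemany("INSERT INTO person_permissions VALUES (?, ?)", person_perms)
    return conn


def effective_screens(conn, person_id, ldap_groups):
    """Screens the user may open: every grant to a group they belong to, plus
    any direct person grant.  Group names are compared exactly, so a grant to
    'sds_debug' confers nothing on members of 'SDS-Debug'."""
    member_of = [g for g, members in ldap_groups.items() if person_id in members]
    screens = set()
    if member_of:
        # Only the '?' placeholders are interpolated; group names stay bound parameters.
        placeholders = ",".join("?" * len(member_of))
        rows = conn.execute(
            f"SELECT screen FROM group_permissions WHERE group_name IN ({placeholders})",
            member_of)
        screens.update(r[0] for r in rows)
    rows = conn.execute("SELECT screen FROM person_permissions WHERE person_id = ?",
                        (person_id,))
    screens.update(r[0] for r in rows)
    return screens


def grants_per_group(conn):
    """Group name -> number of screens granted, the figure this page lists."""
    rows = conn.execute(
        "SELECT group_name, COUNT(*) FROM group_permissions GROUP BY group_name")
    return dict(rows)


def orphaned_group_grants(conn, ldap_groups):
    """Grants whose group is not in LDAP.  Dead today, but live the moment a
    group with that exact name is created, so they should be deleted."""
    return {g: n for g, n in grants_per_group(conn).items() if g not in ldap_groups}


def ungranted_groups(conn, ldap_groups):
    """LDAP groups with no SDS screen grants (the 'rest' list on this page)."""
    granted = grants_per_group(conn)
    return sorted(g for g in ldap_groups if g not in granted)
```

Run against a real export, the orphaned_group_grants result is the one to act on: such rows look harmless in a privilege listing because no member can exercise them, but they are a standing grant waiting for a group name to be reused.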

Each SDS user account is also defined in the SDS database to possess one or more roles, each of which is explicitly and specifically recognized in the SDS application logic, and affects how that user account is treated, both with respect to what that account's user is allowed to do in the app, and with respect to what kind of records and activities are associated with that user in the database. This logic may be arbitrarily complex and is distinct from the effect of granting generic yes/no screen access privileges.

Examples of those explicit roles are:

  • The user currently is a student at the school.
  • The user is a parent/guardian of a current student.
  • The user currently works as a teacher for the school.
  • The user currently works as administrative staff for the school.

The SDS screens are broadly divided into 3 mutually exclusive screen groups, for students, parents, and teachers/staff respectively.

Current students see this SDS main menu:

  • Student Menu

Parents of current students see these SDS main menus:

  • Academics
  • Administration
  • Forms
  • School Information
  • Tuition & Payment

Teachers and administrative staff see these SDS main menus:

  • Admin Menu
  • Staff Menu

In addition, teachers with their own courses see this SDS main menu:

  • My Courses

A user who is both a teacher/staff and a parent may see nearly all main menus.

As a special case, a user who works as a developer/debugger of SDS for the school might see all of the menus even if a normal user wouldn't.


List of LDAP Groups

There are 187 LDAP groups on the school LDAP server in total, each of which a user might have membership in.

Of those, these 29 have been granted privileges for 1 or more SDS Gavintech screens (each screen count shown here):

  • SDS-Debug - 559
  • SDS_Admin - 197
  • Staffnt - 100
  • SeniorFaculty - 67
  • SDS_Admissions - 57
  • MiddleFaculty - 49
  • JuniorFaculty - 43
  • ucshare - 39
  • SDS_LearningResources - 29
  • Studentsnt - 19
  • Student Sen - 14
  • BoardingHouseStaff - 13
  • AwardAdmin - 12
  • SDS-HODS - 11
  • MIS - 9
  • Student Mid - 7
  • Management Team - 5
  • financeusers - 4
  • health - 4
  • SDS_Interviews - 3
  • AdminStaff - 2
  • advancementshare - 2
  • infirmaryshare - 2
  • admissionsshare - 1
  • Alumni - 1
  • marketingshare - 1
  • MarketResearchGroup - 1
  • Office365Staff - 1
  • receptionshare - 1

The rest of the LDAP groups have no privileges for SDS Gavintech screens:

  • _General - Personalization Team
  • _Senior - LRC Students
  • accountingshare
  • admitdbusers
  • AdobeUsers
  • AMTMembers
  • AMTWriters
  • archiveshare
  • Arduino Signing Certs
  • AssetDisposalusr
  • athleticshareusers
  • BarnacleHouseStaff
  • barnacleshare
  • Boarding Non-House
  • BoardingAdministrators
  • boardingshare
  • BoardingWikiEdit
  • BoardingWikiRead
  • BoltonHouseStaff
  • Budget Web
  • BusAdmin
  • CampusShopShare
  • CampusShopUsers
  • ClickViewManagers
  • Coaches
  • Columbia Users
  • Contractors
  • digitalartusers
  • DirectAccess Computers
  • edext summer
  • EdExtension
  • edextshare
  • edextsummershare
  • edextteachershare
  • edextyearbook
  • Enable Offline Files
  • EnablePrivateStore
  • ETtestGroup
  • examtestadministrators
  • Extended Leave Permissions
  • FortiClient Users
  • FR100
  • GPO-LocalMyDocuments
  • Grade 10 Board
  • Grade 10 Board NW
  • Grade 10 Day
  • Grade 10 Day NW
  • Grade 11 Board
  • Grade 11 Board NW
  • Grade 11 Day
  • Grade 11 Day NW
  • Grade 12 Board
  • Grade 12 Board NW
  • Grade 12 Day
  • Grade 12 Day NW
  • Grade 6
  • Grade 6 NW
  • Grade 7
  • Grade 7 NW
  • Grade 8 Board
  • Grade 8 Board NW
  • Grade 8 Day
  • Grade 8 Day NW
  • Grade 9 Board
  • Grade 9 Board NW
  • Grade 9 Day
  • Grade 9 Day NW
  • GTProUsers
  • HarveyHouseStaff
  • HowardCafe
  • hpshare
  • HRConfidential
  • HRShare
  • Inspiration Machines
  • Ivy Users
  • juniorlibraryshare
  • LanguagesKeyboardsChinese
  • LanguagesKeyboardsJapanese
  • LanSchool Teachers
  • linux-sdsdev-allowed-users
  • MetaViewer Administrators
  • MetaViewer Power Users
  • Metaviewer Service Clients
  • MetaViewer Support
  • Metaviewer Users
  • Middle One to One Users
  • middlefrenchshare
  • MiddleHumanitiesShare
  • middlelibraryshare
  • MiddlePrintManagers
  • MiddleYearbookUsers
  • midmathshare
  • midscienceshare
  • midshareusers
  • No Daily Restart
  • Non H Drive Users
  • Non Roaming Profile Users
  • Non-staff StaffNT Access
  • office2007share
  • Office365AlumniList
  • Office365ExtraUsers
  • Office365Students
  • outdoorshare
  • parent web
  • parentnt
  • passwordtest
  • Payrollshare
  • pdrive
  • PESched
  • photclubusers
  • pptpres
  • ProjManShare
  • PublicWikiEdit
  • radius_guest_access
  • radius_staff_wireless_access
  • radius_unified_wireless_access
  • radius_wireless_access
  • RDS Desktop Brokers
  • RedFlags
  • Remote Desktop Users - MechanicalDesktop
  • ReregUsers
  • Retirees
  • riskmgmtshare
  • SageDocumentWriters
  • SageExporters
  • SageReportWriters
  • SCCMServers
  • SDS_ParentImpersonate
  • SDS_Print
  • SDS_TimeAdmin
  • securityshare
  • seniorlibraryshare
  • SeniorPrintManagers
  • smusonlineshare
  • Software Center Admin
  • Sony Soloist Computers
  • Staffhome
  • StaffTestAccounts
  • StudentHDriveAccess
  • StudentHDriveAccessLightroom
  • studentservices
  • StudentTeachers
  • SymonsHouseStaff
  • test group for policy
  • TimmisHouseStaff
  • TransShare
  • Trevlac
  • TripAdmin
  • tuckshopusers
  • VideoClub
  • w7testing
  • Wacom Signing Certs
  • WebUsers
  • WikiTest
  • WinslowHouseStaff
  • winslowshare
  • WorkExpDB
  • Yearbook Users

The database also has screen privileges for 2 non-existent LDAP groups:

  • sds_debug - 8
  • sds_learningresource - 1

Their names resemble SDS-Debug and SDS_LearningResources but do not match them, so these grants currently confer nothing on anyone. They would become effective the moment a group with either exact name is created on the LDAP server, so they should be removed from group_permissions rather than left in place.
