
Sakai Hierarchy Framework Changes Overview (not implemented)


Sakai Hierarchy Framework Changes Overview
Draft - 09-29-2005 (This was never implemented)

Published in: Education

  1. 1. Sakai Hierarchy Framework Changes Overview Draft - 09-29-2005 Charles Severance csev@umich.edu
  2. 2. Relating Sections and Hierarchy
  3. 3. Comparison
       • Sections are additional groups/rosters *within* a Sakai site
       • Hierarchy is the relationship between sites, and can be used to describe the relationship between other entities in the Sakai system (sites, files, folders)
  4. 4. Tool Impact on Hierarchy
       • Like Sections, tools can be written which are completely unaware of hierarchy - these tools simply operate in a “Site” and effectively ignore any parent, child, or other sites.
           – Content/Resources - Likely to be very aware of and greatly affected by hierarchy
           – Chat tool will probably ignore hierarchy
       • Deciding how to use/present hierarchy is a decision left up to the tool designer.
  5. 5. What is a “Site”?
       • It is “one tab” across the top of the Sakai GUI
       • It is a set of pages and tools which operate “together” in a context.
       • The concept of a site does not change across these framework improvements
       • However, sites become more capable and flexible as these new framework capabilities are added.
  6. 6. Sakai Site - 2.0: The roster (realm) contains both membership and permission information. The roster can be fed externally or internally. [Diagram. Labels: Site: EECS280; Roster; Tool List; Chat; Info; …; Message; Folder; File; File; Annc]
  7. 7. Sakai Site - 2.1 - Sections: We add sub-rosters or Sections. Some of the entities/objects/tools will be changed to set permissions and reflect sections as part of their security. Other entities will not be section aware in 2.1 and their security will be determined by the Roster/Realm for the whole site. [Diagram. Labels: Site: EECS280; Roster; Tool List; Chat; Info; …; Message; Folder; File; File; Sec A; Sec B; Annc]
  8. 8. Sakai Site - Hierarchy: Hierarchy allows sites to become “connected” in various parent and child relationships. Permission and inheritance can flow down the hierarchy depending on the configuration of the site’s relationship with its parent. [Diagram. Sites: EECS280, EECS220, EECS240, Computer Science, EECS240-LEC 1, EECS240-LEC 2; labels on the sites: Rr, Tool, Chat, Info, …, Sec]
  9. 9. Possible Tool Changes
       • Each tool must be carefully designed as to how it will be affected by hierarchy
       • Several approaches for a tool
           – Ignore Hierarchy (Chat tool)
           – Roll up or down objects below based on some configuration of the tool (Schedule)
           – Make tool fully aware of hierarchy - make hierarchy an implicit part of the tool (Resources)
  10. 10. Hierarchy in the Portal [Portal mock-up. Labels: Sites; EECS280; “.. Up to Computer Science”; EECS280-LEC1; EECS280-LEC2]
  11. 11. Rolling up Hierarchy in a Tool [Schedule tool mock-up for EECS280. Labels: Options; “Include schedule items from sub-sites in schedule”; All sub-sites; Depth 2; EECS280-LEC1; EECS280-LEC2]
  12. 12. Implicit Hierarchy in a Tool [Resources tool mock-up for EECS280. Items, each with Properties | Add Item | Delete: Syllabus (folder); Images (folder); xyz.ppt; EECS280-LEC1 (Sub Site); EECS280-LEC2. Other labels: Other Sites; Search Repositories; EECS280-LEC1; EECS280-LEC2]
  13. 13. Summary
       • SubSites (Hierarchy) and Sections (Groups) are complementary notions
       • The Sakai framework Authorization and Site APIs will support both hierarchy between sites and grouping within sites
       • Tool modifications will need to be designed to make ideal use of these capabilities from an end-user perspective.
       • It would probably be a good idea to make the framework changes for both hierarchy and sections and then redesign the tools once - considering both issues at the same time.
  14. 14. Framework Implementation Technical Details
  15. 15. Sakai 2.0 [Diagram. Labels: Site Manager; Announcement Manager; Calendar Manager; S15, S16; A1, A2, A3; C1, C2; Thread Context: S15; Realm: 15; Realm: 16; csev, dogle, ggolden, josh, oliver, ray; access, maintain; annc.read, annc.write, sched.read, sched.write; ANNC, Sched, Home]
  16. 16. Grant Capabilities in 2.0 / Grant Capabilities in 2.1 [Two diagrams. Labels: S15; ANNC, Sched; N20; A15, A30, A31, A32, A33; G40; G50/TA, G50/Learner; Student, TA; contextNode; access, maintain; annc.read, annc.write, sched.read, sched.write]
  17. 17. Nodes and Grants in a Hierarchy [Diagram. Labels: N1, N15, N16, N17, N18, N19, N20; S15; ANNC, Sched; G49, G50, G51, G52; G50/TA, G50/Learner, G52/TA, G52/Learner; access, maintain]
  18. 18. Flexible Inheritance [Diagram. Labels: N17, N20, N21, N22, N23, N24, N26; C91, C92, C93, C94, C95; G49, G50, G50/TA, G50/Learner, G-Anon; A007, A99; access, maintain; content.read, content.write]
  19. 19. Non-Blockable (or admin) Grants [Diagram. Labels: N17, N20, N21, N22, N23, N24, N26; C91, C92, C93, C94, C95; G49, G50, G63, G50/TA, G50/Learner, G-Anon; A007, A99; access, maintain; content.read, content.write]
  20. 20. “unBlockable in every way…” [Diagram. Labels: N1, N15, N16, N17, N18, N19, N20; S11, S15; ANNC, Sched; G49, G50, G51, G52, G85, G86, G87; G50/TA, G50/Learner, G52/TA, G52/Learner; access, maintain, *.*]
  21. 21. Block-aware Transitive Closure [Diagram. Labels: N15, N20, N17, N22, N23, N29; C93; A99 content.read]
  22. 22. Can Agent A45 read Content Blob C93? [Diagram. Labels: N15, N20, N22, N29; G49, G50, G51, G86; access, maintain; C93; A99 content.read; A45]
  23. 23. References
       • XACML Working Group
           – http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
       • XACML 2.0 - Hierarchy and Roles
           – http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf
       • IMS Enterprise
           – http://www.imsglobal.org/enterprise/entv1p1/imsent_infov1p1.html
       • WEBDAV Access Control
           – http://www.ietf.org/rfc/rfc3744.txt
           – http://webdav.org/specs/rfc3744.pdf
  24. 24. Appendix S - SQL Layout
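  25. 25. Inheritance Table [Diagram labels: N15, N20, N17, N22, N23, N29]

        SAKAI_INHERIT

        | Child | Parent | Block |
        |-------|--------|-------|
        | N20   | N15    | B     |
        | N17   | N20    | B     |
        | N17   | N15    | B     |
        | N22   | N20    | N     |
        | N22   | N15    | B     |
        | N29   | N22    | N     |
        | N29   | N20    | N     |
        | N29   | N15    | B     |
        | N23   | N22    | B     |
        | N23   | N20    | B     |
        | N23   | N15    | B     |

  26. 26. Grant Table [Diagram labels: N15, N20, N17, N22, N23, N29; G50 access; G49 maintain; G50/TA maintain; G86 access; C93, C94, C95; A99 content.read]

        * The grants are slightly changed from earlier examples to show more detail

        SAKAI_GRANTS

        | Grantee | Function or F-Set | Node or Entity | Blockable |
        |---------|-------------------|----------------|-----------|
        | A99     | content.read      | C93            | Yes       |
        | G50/TA  | maintain          | N17            | Yes       |
        | G50     | access            | N20            | Yes       |
        | G40     | maintain          | N20            | No        |
        | G86     | access            | N15            | Yes       |

        CONTENT_ENTITY

        | GUID | Node |
        |------|------|
        | C94  | N17  |
        | C94  | N22  |
        | C95  | N29  |
        | C93  | N23  |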
  27. 27. Looking for C93 [Slide repeats the SAKAI_GRANTS, CONTENT_ENTITY and SAKAI_INHERIT tables shown on slides 25 and 26]
  28. 28. Looking for C94 [Slide repeats the SAKAI_GRANTS, CONTENT_ENTITY and SAKAI_INHERIT tables shown on slides 25 and 26]
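
The "Looking for C93" and "Looking for C94" lookups from slides 27 and 28, worked through as an added example (not code from the slides or from Sakai). The rows are copied from the three tables; the column names, the use of SQLite, and the rule that a `B` closure row stops only grants marked Blockable = Yes are assumptions drawn from the slide titles "Non-Blockable (or admin) Grants" and "Block-aware Transitive Closure".

```python
import sqlite3

# Rows copied from the SAKAI_INHERIT, SAKAI_GRANTS and CONTENT_ENTITY slides.
INHERIT = [("N20", "N15", "B"), ("N17", "N20", "B"), ("N17", "N15", "B"),
           ("N22", "N20", "N"), ("N22", "N15", "B"), ("N29", "N22", "N"),
           ("N29", "N20", "N"), ("N29", "N15", "B"), ("N23", "N22", "B"),
           ("N23", "N20", "B"), ("N23", "N15", "B")]
GRANTS = [("A99", "content.read", "C93", "Yes"), ("G50/TA", "maintain", "N17", "Yes"),
          ("G50", "access", "N20", "Yes"), ("G40", "maintain", "N20", "No"),
          ("G86", "access", "N15", "Yes")]
ENTITIES = [("C94", "N17"), ("C94", "N22"), ("C95", "N29"), ("C93", "N23")]

# Assumed rule: a grant reaches an entity if it is placed on the entity itself,
# on the entity's own node, or on an ancestor node whose closure row is
# unblocked (block = 'N'); a grant with blockable = 'No' ignores the block flag.
QUERY = """
SELECT g.grantee, g.func FROM sakai_grants g WHERE g.target = :guid
UNION
SELECT g.grantee, g.func FROM content_entity e
  JOIN sakai_grants g ON g.target = e.node WHERE e.guid = :guid
UNION
SELECT g.grantee, g.func FROM content_entity e
  JOIN sakai_inherit i ON i.child = e.node
  JOIN sakai_grants g ON g.target = i.parent
 WHERE e.guid = :guid AND (i.block = 'N' OR g.blockable = 'No')
ORDER BY 1, 2
"""

def build_db():
    """Load the slide tables into an in-memory database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sakai_inherit (child TEXT, parent TEXT, block TEXT);
        CREATE TABLE sakai_grants (grantee TEXT, func TEXT, target TEXT, blockable TEXT);
        CREATE TABLE content_entity (guid TEXT, node TEXT);
    """)
    db.executemany("INSERT INTO sakai_inherit VALUES (?,?,?)", INHERIT)
    db.executemany("INSERT INTO sakai_grants VALUES (?,?,?,?)", GRANTS)
    db.executemany("INSERT INTO content_entity VALUES (?,?)", ENTITIES)
    return db

def effective_grants(db, guid):
    """Return the sorted (grantee, function) pairs that reach the entity."""
    return db.execute(QUERY, {"guid": guid}).fetchall()

if __name__ == "__main__":
    db = build_db()
    for guid in ("C93", "C94", "C95"):
        print(guid, effective_grants(db, guid))
```

Because the closure is precomputed, each lookup is a single join with no recursion. Under the assumed rule, the non-blockable G40 grant reaches C93 through three blocked rows, and C94, which is listed under two nodes, collects the union of both paths.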
