OxCLIC MDID authorisation.

MDID has support for defining multiple groups and assigning various permissions.

OxCLIC MDID authorisation FAQ and notes

If there are, say, 4 potential types of group (a person may be in "staff" and also in a department)

Protecting a collection

We'd like to protect a collection so that only a named person can see it?

A. Just remove all permission entries for the collection, then select "Add User", pick the user, and give him/her all privileges. (If you mean any named person, use the "Authenticated Users" group; it contains everybody but the Guest user.)

A general note, since it is asked a lot: you usually do not have to deny any privileges; if they are not explicitly granted, they are denied anyway. I only deny privileges in rare cases, e.g. if a collection is available to everyone at JMU except for specific guest users in our system, which I put in a user group and deny access.

We'd like to protect a collection so that only staff can see it?

A. Do the same as above with "Add Group".

We'd like to protect a collection so that only "staff from department x" can see it, i.e. additive? Is that possible?

A. It's not possible to require membership in more than one group, so you will have to define a group that is specifically "Staff from Dept. X".

Creating slideshows

Can MDID protect creating slideshows and annotations etc. to be staff only?

A. Creating slideshows is a system permission (Management>Settings>System permissions). Just make sure "Create Slideshow" is only granted to the Staff group.

Annotations are allowed on a per-collection basis. Annotations are only visible to the user who creates them (or in that user's slideshows), so even if annotations are allowed for everybody, they should not do any harm.

How does a staff member then make the slideshow only viewable to a group?

A. By default, "Authenticated Users" can view slideshows. To change that, change Management>Settings>Slideshow Default Permissions. This will only affect slideshows created after the change; existing slideshows have to be handled manually or in bulk in the database: http://mdid.org/mdidwiki/index.php?title=Setting_permissions_on_all_slideshows

If you want to control access on each slideshow individually, blank out the Slideshow Default Permissions and have your staff set permissions individually, but this has to be done on each slideshow, so it's a bit of work: My Slideshows>[slideshow] Properties>Permissions.

Uploading new users without LDAP

Can we upload new users without using LDAP or wiping previous information? We're looking at trying to write either an import script or some MySQL scripts that would take an XML or .csv list of users from our records system and import it into MDID so that we could update the users and groups efficiently at the start of each term without destroying previous data.

User Info:

A. LDAP would of course be best since it would assign users to groups dynamically, but it is also easy to dynamically manage membership groups directly in the database. I don't see any problems, since group memberships are only cached for the duration of one page request, so changes you make in the database are effective immediately. This should also make it easy to create the groups needed to do "Staff from Dept. X" etc.
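
An added example (not MDID code and not part of the original FAQ) of the start-of-term update discussed above: it turns a CSV export into a list of membership changes, including the combined "Staff from Dept. X" groups, without touching groups it does not own. The CSV columns, group names and sample data are assumptions, and writing the plan to the database is left out because MDID's table layout is not given on this page.

```python
import csv
import io

# Constructed sample export from a records system (not real data).
SAMPLE_CSV = """login,role,department
asmith,staff,History
bjones,student,History
cwu,staff,Classics
"""

# Constructed snapshot of memberships already in MDID: login -> group names.
CURRENT = {
    "asmith": {"Staff", "Dept. Classics", "Staff from Dept. Classics", "Curators"},
    "bjones": {"Student", "Dept. History"},
    "dlee": {"Staff", "Dept. History", "Staff from Dept. History"},
}

def is_managed(group):
    """True for groups the import owns; hand-made groups are never removed."""
    return group in ("Staff", "Student") or group.startswith(("Dept. ", "Staff from Dept. "))

def desired_memberships(csv_text):
    """Map each login in the export to the groups it should belong to."""
    wanted = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        role = row["role"].strip().capitalize()
        dept = row["department"].strip()
        groups = {role, f"Dept. {dept}"}
        if role == "Staff":
            # One group per role/department pair, since MDID cannot require
            # membership in two groups at once.
            groups.add(f"Staff from Dept. {dept}")
        wanted[row["login"].strip().lower()] = groups
    return wanted

def plan_sync(current, wanted):
    """Return the membership changes to apply; nothing is wiped."""
    plan = {"new_users": [], "add": [], "remove": []}
    for login, groups in sorted(wanted.items()):
        have = current.get(login)
        if have is None:
            plan["new_users"].append(login)
            have = set()
        plan["add"] += [(login, g) for g in sorted(groups - have)]
        plan["remove"] += [(login, g) for g in sorted(have - groups) if is_managed(g)]
    # Accounts missing from the export are reported for review, not deleted.
    plan["not_in_export"] = sorted(set(current) - set(wanted))
    return plan
```

Removing stale managed memberships matters as much as adding new ones: in the sample, asmith's move from Classics to History drops the old "Staff from Dept. Classics" group, while the hand-assigned Curators group is kept.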