From e812e2141fbf54857209e9e515afa9316885d0f2 Mon Sep 17 00:00:00 2001 From: Rufus Pollock Date: Sun, 18 Mar 2012 11:39:33 +0000 Subject: [PATCH] [#2226,doc/publisher-profile][s]: heavily refactor publisher profile docs (and rename from publisher_auth_profile). * Also add into main toc tree --- doc/index.rst | 5 ++- doc/publisher-profile.rst | 69 ++++++++++++++++++++++++++++++++++ doc/publisher_auth_profile.rst | 36 ------------------ 3 files changed, 72 insertions(+), 38 deletions(-) create mode 100644 doc/publisher-profile.rst delete mode 100644 doc/publisher_auth_profile.rst diff --git a/doc/index.rst b/doc/index.rst index 0d44a45f050..9fca3db10fb 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -33,6 +33,8 @@ Customizing and Extending forms form-integration linked-data-and-rdf + filestore + datastore Publishing Datasets =================== @@ -42,8 +44,7 @@ Publishing Datasets loading-data authorization - filestore - datastore + publisher-profile The CKAN API ============ diff --git a/doc/publisher-profile.rst b/doc/publisher-profile.rst new file mode 100644 index 00000000000..6c0856f60bc --- /dev/null +++ b/doc/publisher-profile.rst @@ -0,0 +1,69 @@ +============================== +Publisher Profile and Workflow +============================== + +.. versionadded:: 1.6.1 + +The Publisher workflow in CKAN is designed to support a setup in which datasets +are managed by a "Publisher" organization. Users can become members of one (or +more) Publishers and their membership determines what datasets they have access +to. + +Specifically, the workflow looks like: + +* A User joins or creates a Publisher + + * If creator of the Publisher User becomes administrator of the Publisher + otherwise they become a Member. + * Creation of new Publishers must be approved by a System Administrator + * New Members must be approved by the Group Administrator + +* User creates a dataset. On creation User must assign this dataset to a + specific publisher (and can only assign to a Publisher of which User is a + member) + + * Other members of that Publisher can then edit and update this dataset + +This setup is a natural one for many situations. For example: + + * Government. Publishers correspond to Departments or Ministries (or other + organizational groups) + * Academia: Publishers again correspond to Departments or research groups + + +.. _publisher-configuration: +Enabling and Configuring the Publisher Profile +============================================== + +To switch CKAN to use the publisher profile workflow you need to set the +following configuration option:: + + ckan.auth.profile = publisher + +Setting auth.profile to publisher will enable the publisher authorization +profile. Setting it to nothing, or if it is not present will force CKAN to use +the default profile. + + +Technical Overview +================== + +* Publishers are a specialization of CKAN Groups. As such they retain many of + their features. +* Authorization for most actions is granted based on shared membership of a + group between the **user** and the **object** being manipulated. +* You can design custom forms for publisher sign up and editing. + +In more detail, these concepts are as follows: + +* :doc:`Domain Objects ` such as *groups*, *datasets* and *users* + can be added as members of groups. +* Each user within a group has a capacity with which it can interact with the + group, currently these are *editor* and *administrator*. +* Even though groups are hierarchical there must be an intersection of the + user's groups and the **object**'s groups for permission to be granted, as + long as the capacity is appropriate. For instance, being an *editor* within + a group does not necessarily grant authorization to edit the group. +* This means that individual permissions do not need to granted on a *user* by + *user* basis, instead the user can just be added to the appropriate group. + diff --git a/doc/publisher_auth_profile.rst b/doc/publisher_auth_profile.rst deleted file mode 100644 index ae970da01b3..00000000000 --- a/doc/publisher_auth_profile.rst +++ /dev/null @@ -1,36 +0,0 @@ -=============================== -Publisher Authorization Profile -=============================== - -CKAN provides authorization profiles which will allow authorization to be performed based on group membership rather than individually assigned actions. - -* :ref:`publisher-overview`. An overview of the concepts underlying CKAN's publisher profile. -* :ref:`publisher-configuration`. Configuring the publisher profile -* :ref:`publisher-usage`. Using the publisher profile - -.. _publisher-overview: - -Overview --------- - -In a nutshell: authorization for most actions is granted based on shared membership of a group between the **user** and the **object** being manipulated. - -In more detail, these concepts are as follows: - -* **Objects** such as *groups*, *datasets* and *users* can be added as members of groups. -* Each user within a group has a capacity with which it can interact with the group, currently these are *editor* and *administrator*. -* Even though groups are hierarchical there must be an intersection of the user's groups and the **object**'s groups for permission to be granted, as long as the capacity is appropriate. For instance, being an *editor* within a group does not necessarily grant authorization to edit the group. -* This means that individual permissions do not need to granted on a *user* by *user* basis, instead the user can just be added to the appropriate group. - -.. _publisher-configuration: - -Configuration -------------- - -To configure CKAN to use the publisher profile a single entry should be added to the CKAN configuration see :doc:`configuration` - -Setting auth.profile to publisher will enable the publisher authorization profile. Setting it to nothing, or if it is not present will force CKAN to use the default authorization profile. - -Example:: - ckan.auth.profile = publisher -