Updated documentation to remove auth groups
rossjones committed Jun 6, 2012
1 parent 3830afa commit 5520b21
Showing 4 changed files with 39 additions and 49 deletions.
10 changes: 5 additions & 5 deletions doc/administrative-dashboard.rst
Expand Up @@ -14,17 +14,17 @@ The dashboard is located, relative to your site root, at ``/ckan-admin/``.
.. note:: To create your first sysadmin you cannot use Dashboard as you will
not yet have access! Instead create a sysadmin using the command line
``paster`` by running the following command::

paster sysadmin -h

Setting System-Level Roles
==========================

Authorization interface is located at: ``/ckan-admin/authz``

This page allows you to see and change the users and authorization groups who
have 'roles' on the 'System Object'. In a standard installation, there are four
'roles' which a user can have on the System (or on any object):
This page allows you to see and change the users who have 'roles' on the
'System Object'. In a standard installation, there are four 'roles' which
a user can have on the System (or on any object):

* admin (administrator)

Expand All @@ -42,7 +42,7 @@ have 'roles' on the 'System Object'. In a standard installation, there are four
create an account, so they're locked out forever unless they already
have a valid account.

* editor (Update action allowed)
* editor (Update action allowed)
* anon-editor

.. note:: these roles can be applied to users on your system as well as to
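
Review bot: The ``.. note::`` at the end of this hunk still reads "these roles can be applied to users on your system as well as to" and continues past the visible context. Since this commit removes authorization groups from the page, check that the rest of that note does not still list them as something a role can be applied to, and update it in the same change if it does.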
52 changes: 26 additions & 26 deletions doc/api-tutorial.rst
Expand Up @@ -3,7 +3,7 @@ CKAN API: Quickstart Tutorial
=============================

A quickstart tutorial for the CKAN API that walks through some of the main
features. For full details of the API see :doc:`api` and its
features. For full details of the API see :doc:`api` and its
:ref:`api-reference` section.

The following examples use the demonstration instance at http://test.ckan.org/.
Expand Down Expand Up @@ -56,42 +56,42 @@ Viewing permissions
To view authorization roles on a dataset::

curl http://test.ckan.org/api/action/roles_show -d '{"domain_object": "freshwateratlasrivers"}'

{
"help": "Returns the roles that users (and authorization groups) have on a\n particular domain_object.\n \n If you specify a user (or authorization group) then the resulting roles\n will be filtered by those of that user (or authorization group).\n\n domain_object can be a package/group/authorization_group name or id.\n ",
"help": "Returns the roles that users have on a\n particular domain_object.\n \n If you specify a user then the resulting roles\n will be filtered by those of that user.\n\n domain_object can be a package/group name or id.\n ",
"result": {
"domain_object_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"domain_object_type": "Package",
"domain_object_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"domain_object_type": "Package",
"roles": [
{
"authorized_group_id": null,
"context": "Package",
"id": "481b6cd8-350b-4599-bd20-5e3c0ed0a8cb",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "editor",
"user_id": "4229c297-fe28-4597-a191-3ebbbee6c47a",
"authorized_group_id": null,
"context": "Package",
"id": "481b6cd8-350b-4599-bd20-5e3c0ed0a8cb",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "editor",
"user_id": "4229c297-fe28-4597-a191-3ebbbee6c47a",
"user_object_role_id": "481b6cd8-350b-4599-bd20-5e3c0ed0a8cb"
},
},
{
"authorized_group_id": null,
"context": "Package",
"id": "aba38fa7-2fb4-4f84-98e1-02cb76c5d95a",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "admin",
"user_id": "e7f30c0d-944b-4a69-84c4-61b08bbf6b98",
"authorized_group_id": null,
"context": "Package",
"id": "aba38fa7-2fb4-4f84-98e1-02cb76c5d95a",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "admin",
"user_id": "e7f30c0d-944b-4a69-84c4-61b08bbf6b98",
"user_object_role_id": "aba38fa7-2fb4-4f84-98e1-02cb76c5d95a"
},
},
{
"authorized_group_id": null,
"context": "Package",
"id": "e06b1293-86ec-4417-8e28-b9499161348e",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "reader",
"user_id": "41cb1162-3d61-4b16-a3af-4cae27836ac5",
"authorized_group_id": null,
"context": "Package",
"id": "e06b1293-86ec-4417-8e28-b9499161348e",
"package_id": "9da77628-2ac5-4965-af12-c7c51cc1d99a",
"role": "reader",
"user_id": "41cb1162-3d61-4b16-a3af-4cae27836ac5",
"user_object_role_id": "e06b1293-86ec-4417-8e28-b9499161348e"
}
]
},
},
"success": true
}
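
Review bot: The sample response still carries ``"authorized_group_id": null`` in all three role entries, although the ``help`` string above it no longer mentions authorization groups. Regenerate the example from a current ``roles_show`` call, or state in the text that the field is a leftover that is always null, so readers do not assume roles can still be granted to or filtered by an authorization group. The other changed line pairs in this hunk appear to differ only in whitespace and could be kept out of this commit.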

24 changes: 7 additions & 17 deletions doc/authorization.rst
Expand Up @@ -31,12 +31,11 @@ Objects
+++++++

Permissions are controlled per object: access can be controlled for an individual
dataset, group or authorization group instance. Current objects include
**datasets**, dataset **groups**, **authorization groups** and the **system**.
dataset or group instance. Current objects include **datasets**, dataset **groups**
and the **system**.

* A dataset is the basic CKAN concept of metadata about a dataset.
* A group of datasets can be set up to specify which users have permission to add or remove datasets from the group.
* Users can be assigned to authorization groups, to increase flexibility. Instead of specifying the privileges of specific users on a dataset or group, you can also specify a set of users that share the same rights. To do that, an authorization group can be set up and users can be added to it. Authorization groups are both the object of authorization (i.e. one can have several roles with regards to an authorization group, such as being allowed to read or edit it) and the subject of authorization (i.e. they can be assigned roles on other objects which will apply to their members, such as the group having edit rights on a particular group).
* Finally, the system object is special, serving as an object for assignments that do not relate to a specific object. For example, creating a dataset cannot be linked to a specific dataset instance, and is therefore a operation.
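
Review bot: The last bullet of this list, left unchanged here, ends with "and is therefore a operation", which as shown is missing a word before "operation". Since the list is being edited anyway, complete that sentence so the purpose of the system object is clear now that it is one of only three object types.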


Expand All @@ -52,7 +51,6 @@ The **read-site** action (associated with the system object) allows or denies ac
* Dataset search
* Group index
* Tags index
* Authorization Group index
* All requests to the API (on top of any other authorization requirements)

There are also some shortcuts that are provided directly by the authorization
Expand Down Expand Up @@ -108,10 +106,10 @@ These defaults can be changed in the CKAN config - see ``default_roles`` in :doc
Managing Permissions
--------------------

The assignment of users and authorization groups to roles on a given
protected object (such as a dataset) can be done by 'admins' via the
'authorization' tab of the web interface (or by sysadmins via that
interface or the system admin interface).
The assignment of users to roles on a given protected object (such as
a dataset) can be done by 'admins' via the 'authorization' tab of the
web interface (or by sysadmins via that interface or the system admin
interface).

There is also a command-line authorization manager, detailed below.

Expand All @@ -134,17 +132,12 @@ The ``rights make`` command lets you assign specific permissions. For example, t
paster --plugin=ckan rights -c my.ini make bar admin dataset:foo

As well as users and datasets, you can assign rights to other objects. These
include authorization groups, dataset groups and the system as a whole.
include dataset groups and the system as a whole.

For example, to make the user 'chef' a system-wide admin::

paster --plugin=ckan rights -c my.ini make chef admin system

Or to allow all members of authorization group 'foo' to edit group 'bar'::

paster --plugin=ckan rights -c my.ini make agroup:foo edit \
group:bar

To revoke one of the roles assigned using ``rights make``, the ``rights remove`` command
is available. For example, to remove **bar**'s **admin** role on the foo dataset::
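
Review bot: With the ``agroup:foo edit group:bar`` example removed, no remaining example shows a right being made on a dataset group, yet the paragraph above still says rights can be assigned to "dataset groups and the system as a whole". Add an example with a user as the subject and ``group:bar`` as the object so the ``group:`` prefix stays documented. The opening "As well as users and datasets, you can assign rights to other objects" also mixes the subject (users) with the objects, and would read more clearly as a list of objects only.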

Expand Down Expand Up @@ -206,7 +199,6 @@ To operate in this mode:
ckan.default_roles.Package = {"visitor": ["reader"], "logged_in": ["editor"]}
ckan.default_roles.Group = {"visitor": ["reader"], "logged_in": ["editor"]}
ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["editor"]}
ckan.default_roles.AuthorizationGroup = {"visitor": ["reader"], "logged_in": ["editor"]}


3. Publisher Mode
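
Review bot: Dropping ``ckan.default_roles.AuthorizationGroup`` from this example leaves no guidance for sites that copied the old block into their config. State here, or under ``default_roles`` in the configuration docs, whether a leftover ``ckan.default_roles.AuthorizationGroup`` line is ignored or should be deleted, since these settings decide what ``visitor`` and ``logged_in`` users can do by default.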
Expand Down Expand Up @@ -237,6 +229,4 @@ To operate in this mode:
ckan.default_roles.Package = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.Group = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.System = {"visitor": ["reader"], "logged_in": ["reader"]}
ckan.default_roles.AuthorizationGroup = {"visitor": ["reader"], "logged_in": ["reader"]}

Note you can also restrict dataset edits by a user's authorization group.
2 changes: 1 addition & 1 deletion doc/configuration.rst
Expand Up @@ -594,7 +594,7 @@ Authorization Settings
default_roles
^^^^^^^^^^^^^

This allows you to set the default authorization roles (i.e. permissions) for new objects. Currently this extends to new datasets, groups, authorization groups and the ``system`` object. For full details of these, see :doc:`authorization`.
This allows you to set the default authorization roles (i.e. permissions) for new objects. Currently this extends to new datasets, groups and the ``system`` object. For full details of these, see :doc:`authorization`.

The value is a strict JSON dictionary of user names ``visitor`` (any user who is not logged in) and ``logged_in`` (any user who is logged in) with lists of their roles.
