390 likes | 400 Views
Explore the significant changes in the Sakai platform from version 2.0 to 2.1, focusing on features like defining subsections, controlling object display, and section membership management. Understand the proposed framework modifications to support user requirements and course management. Learn about the Section Tool's key role and its impact on the user experience.
E N D
Sakai 2.1 Framework Changes OverviewDraft - 08-03-2005 Charles Severance csev@umich.edu
Major Issues to be Solved in 2.1 • The ability to define subsections within a class • The ability to control the display or sorting of objects (like announcements) based on section membership • The ability to sort and filter data within tools (like the grade book) based on section membership and other section information such as role • The ability to control within Sakai the membership and roles of sections within courses. This is called the “Section Tool”.
Outline • End-User Requirements - Sections, Groups, and Course Management • Proposed framework changes to support these requirements • Appendix S: SQL Statements
Section Tool • The section tool is being specified separately and is outside of the scope of this document
Sakai 2.0Current Capabilities Admin Annc Sched Push Sakai Legacy APIs (Site, Realm) Pull Enterprise Data
Sakai 2.1CM API Section Tool Push Sakai Common APIs (Agent, Group, AuthZ) Course Management API Pull SIS Data
Display to Members (default) Display to Non-Members Display to Selected SubGroups Section 001 Section 002 Section 003 Sakai 2.1 Section Aware GUI - Subgroup Publishing
Site Sakai 2.1 Section Aware Tools Samigo Grade Book Section Tool Annc Sched Sakai Common APIs (Agent, Group, AuthZ) Course Management API SIS Data
Sakai 2.1 Groups Site: EECS280
Lead Member 2.1 Group Tool Assign Permissions Manage Groups View GroupsAdd MemberAdd Role Editing Group: Green-Group User ID Role in Group Sally Lead Joe Member Ana
observe access maintain Display to Members (default) Display to Non-Members Display to Selected SubSItes Green Red 2.1 Site - Permissions Tool Permission Set New AubSite SubSite: Green csev maintain Green (group) access Lead maintain Member access SubSite: Red csev maintain Red (group) observe Lead maintain ViceLead access Member Yes indicates group is to be included in SubSite lists
Display to Course (default) Display to Non-Members Display to Sections Section 001 Section 002 Permission Set 2.1 Site - Permissions Learning Context Instructors maintain Chuck’s Helpers maintain Section 001 Section-001 (group) observe Section Lead access Student observe Section 002 Section-002 (group) observe Section Lead access Student observe View/edit in Section Tool View/edit in Groups Tool
Overall Flow for 2.1 (Learning) Site Samigo Grade Book Section Tool Annc Sched Sakai Common APIs (Agent, Group, AuthZ) Course Management API SIS Data
Overall Flow for 2.1 (Research/Project) Site Annc Sched Sakai Common APIs (Agent, Group, AuthZ) External Information
Section Aware Facade Site Samigo Grade Book Section Tool Annc Sched Section Aware Facade Sakai Common APIs (Agent, Group, AuthZ) Course Management API SIS Data
Issues • How does worksite setup “course” mode change? • At some level if all course sites are pushed from the CM API, then this feature should likely be disabled. Some sites may prefer to use worksite setup and the pull providers and others will exclusively use worksite setup for project sites.
Summary - Part I • This document describes how a generic, group and sub group permission model will be supported by Sakai’s common APIs and how that generic model will be connected to the new CourseManagement API and sectioning tool so as to produce a highly learning contextualized administration environment where appropriate. • The Sakai software can operate without the CourseManagement API and Section Tool in those non learning environments.
annc.read annc.write sched.read sched.write annc.read annc.write sched.read sched.write annc.read sched.read annc.read sched.read access access maintain maintain Announcement Manager Calendar Manager Sakai 2.0 S15 | S16 A1 Sched A1 A2 A2 C2 ANNC C1 A3 Thread Context:S15 Site Manager S15 S16 Sched Home ANNC ANNC Realm: 15 Realm: 16 csev josh ggolden ray dogle oliver
annc.read annc.write sched.read sched.write annc.read annc.write sched.read sched.write maintain maintain annc.read sched.read annc.read sched.read annc.read sched.read access access access maintain annc.read annc.write sched.read sched.write A30 Grant Capabilities in 2.0 S15 Sched ANNC A31 Grant Capabilities in 2.1 A30 A31 Student S15 Sched contextNode ANNC N20 Student A32 G40 A33 annc.write TA A15 G50/TA G50/Learner
N1 G49 Nodes and Grants in a Hierarchy G50 maintain access N15 G51 access N16 G52 S15 N20 access Sched ANNC G49 G49 maintain maintain N17 N19 G50/Learner N18 G52/Learner access access maintain G50/TA maintain G52/TA
G49 maintain StoringObjects/Entities N20 G50 access G49 maintain A53 N17 N19 G50/Learner N18 access Display to Members Selected SubGroups G50/TA maintain A51 A56 A52 Display to Members A57 Display to Members Selected SubGroups Selected SubGroups N17/G50 N17/G50 N18/G51 N18/G51 N19/G52 N19/G52
Display to Public Authorized Users Display to Members Selected SubGroups Display to Public Display to Members Selected SubGroups G49 AUTHZ onEntities maintain A59 G-Auth annc.read N20 G50 access G49 maintain N17 G50/Learner access G50/TA maintain A58 G-Auth/Faculty annc.read Display to Public A53 G-Anon Authorized Users annc.read Faculty Students Display to Members Selected SubGroups
G49 FlexibleInheritance maintain N20 G50 access C92 G49 G-Anon maintain content.read N17 N22 C91 G50/Learner access C93 G50/TA maintain C94 G49 N21 N23 maintain C95 N26 N24 A007 maintain content.read content.write A99
G49 G63 Non-Blockable(or admin)Grants maintain maintain N20 G50 access C92 G49 G-Anon content.read N17 N22 C91 G50/Learner access C93 G50/TA maintain C94 G49 N21 N23 C95 N26 N24 A007 maintain content.read content.write A99
“unBlockablein every way…” N1 G85 G86 *.* access S11 Sched G87 ANNC G49 maintain N15 G50 maintain access N16 G51 S15 N20 Sched access ANNC access G52 N17 N19 G50/Learner N18 G52/Learner access access maintain G50/TA maintain G52/TA
Block-awareTransitive Closure N15 N20 N17 N22 N29 N23 C93 A99 content.read
G86 A45 Can Agent A45 read Content Blob C93? N15 access G49 maintain G50 access N20 access G51 N22 N29 C93 A99 content.read
Needed Changes to Common APIs • Permissions need some alteration • Permission sets need to be supported • SuperStructure needs to understand adding a node with inheritance blocked. • AuthZ queries need some rework :) • None of this is particularly difficult
Needed Changes to Legacy API IMPLs • For those legacy application API implementations, they will need to track the Node(s)/Context(s) from which their objects inherit permissions. • When asking authz questions, the API impl code will need to provide the node(s) which apply for the object. • If none are specified, the current node/context will still be used - for upwards compatibility with the 2.0 style of object authorization. • If fine-grained object level AUTHZ is needed, the API impl will need to make the API calls to set the fine-grain AUTHZ
Summary - Part II • This provides a flexible and high performance authorization/inheritance structure which will satisfy requirements well beyond the 2.1 stated requirements. • This is just a draft - comments to csev@umich.edu
References • XACML Working Group • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml • XACML 2.0 - Hierarchy and Roles • http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-rbac-profile1-spec-os.pdf • IMS Enterprise • http://www.imsglobal.org/enterprise/entv1p1/imsent_infov1p1.html • WEBDAV Access Control • http://www.ietf.org/rfc/rfc3744.txt • http://webdav.org/specs/rfc3744.pdf
N15 N20 N17 N22 N29 N23 Inheritance Table
G86 N15 access G49 maintain G50 G50/TA access N20 maintain N17 N22 A99 C94 N29 N23 content.read C95 C93 Grant Table * The grants are slightly changed from earlier examples to show more detail