Roles and community roles
In the default authorisation configuration for Ontocloak, there are a number of roles and community roles with differing privilege levels.
The five available user roles
The following diagram shows the roles required in a typical comprehensive deployment. The roles are described in the tables below.
For more details on configuring security and the security model in Ontoserver, refer to http://ontoserver.csiro.au/docs/6/security-model.html.
Roles
| User Role | Description | Can access Account Management console | Capabilities in Administration console |
|---|---|---|---|
| Consumer | – Read-only access – Can be granted read access to community resources | Yes | No access |
| Author* | Read/write access | Yes | – Can manage own account – Can create communities – creating a community grants this role the Community Owner community role – Can manage members of owned communities |
| Content Approver* | – Has all the capabilities as an author – Can syndicate resources for publication from the authoring server | Yes | Has all the capabilities as an author |
| Community Creator | Ability to create and delete communities. | N/A | – The Communities menu item is shown in the administration console – Can create communities – creating a community grants this role the Community Owner community role – Can delete communities |
| Service Desk Team* | – Can create and manage users, system clients and permissions – Is automatically a content member administrator | Yes | – Can create and manage other users account (including other service desk members and assigning author and approval roles) – Can manage all communities – Can create and manage client credentials |
| Administrator* | – Can create and manage users, system clients and permissions – Can create and manage Service Desk team users | Yes | – Can create and manage other users account – Can manage all communities – Can create and manage client credentials – Can reconfigure the authorisation server, including adding/changing connected identity providers |
Community roles
| Community role | Description | Role required |
|---|---|---|
| Community Consumer | Has read only access to resources in membership communities | Granted to Consumer or Author by Community owner |
| Community Author | Has write access to resources in membership communities | Granted to Author by Community owner |
| Community Owner | Can manage their communities by: – controlling membership (adding and removing members) – controlling which roles members play in their community (consumer, author and/or owner) | – Granted to Author when they create a community – Granted to other Authors by Community owner |
| Community Content administrator | can modify any resource irrespective of community security labels on the resource | Granted to Author by Service Desk Team |
| Community Member administrator | Content member administrators can manage all communities:are effective “owner” of all communities always able to modify community membership | Granted to Service Desk by default |
Community roles for authorisation in Snapper
Community roles can also be used for managing authorisation in Snapper
| Role | Capabilities |
|---|---|
| Consumer | read-only access to resources that are not locked into a community, and communities that they have membership Terminology resources – canbuildvalidatedownload |
| Author | READ-only access to resources that are not locked into a community/communities that they have consumer membership WRITE access to communities that they have author membership Terminology resources – canbuildvalidatedownloadupload to server |
| Content approver | READ-only access to resources that are not locked into a community/communities that they have consumer membership WRITE access to communities that they have author membership Terminology resources – canbuildvalidatedownloadupload to serversyndicate (approve) |