Bug 44738 - Make it possible to add further roles in UCS@school
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: General
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: UCS@school maintainers
Depends on:
Blocks:
Reported: 2017-06-02 21:47 CEST by Michel Smidt
Modified: 2023-06-12 13:55 CEST

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021060921000288
Bug group (optional): Role and Access Model
Max CVSS v3 score:


Description Michel Smidt 2017-06-02 21:47:27 CEST
I got several questions from current customers about how they could handle further staff in UCS@school on educational slaves.
First of all, they often misinterpret the concept of staff in UCS@school, but they also have the need to add users like Sozialpädagogen, Bibliotheksmitarbeiter and further people.
The current workaround is to add "Domain Users" in ldap-base/ou/users, but this is only possible for domain admins and not in the delegative administration for e.g. school admins. Furthermore, they add group shares like the "lehrer"-share most of the time. So, to me the possibility to have more roles is needed in the near future of UCS@school.
Comment 1 Daniel Tröder univentionstaff 2017-06-03 07:20:13 CEST
The list of UCS@school user roles is hard coded and used throughout the entire code. Adding roles would mean changes everywhere.

* Do I understand the scenario correct, that a "staff"-like role is needed, that is replicated to edu-slaves?
* What LDAP-permissions should such a role have?
* What other roles / scenarios are expected?
* What's bad about group shares?
Comment 2 Michel Smidt 2017-06-03 14:08:17 CEST
(In reply to Daniel Tröder from comment #1)
> The list of UCS@school user roles is hard coded and used throughout the
> entire code. Adding roles would mean changes everywhere.
Sure, I know. That's why I created this feature request relatively early before the need to implement such a thing is too fierce.
> 
> * Do I understand the scenario correct, that a "staff"-like role is needed,
> that is replicated to edu-slaves?
Yes, exactly. Multiple separated "staff"-like roles.
> * What LDAP-permissions should such a role have?
Quite the same as students.
> * What other roles / scenarios are expected?
Parents of course. 
Scenarios:
Teachers and parents would like to message each other over somehow secure channels.
Parents would like to access the cover plan.
Parents need to add the private email address in the self-service for themselves or their children.
> * What's bad about group shares?
No, it's great. That is one of the main features that these staff-like groups will use. They will need access to devices and share files.
Comment 3 Daniel Tröder univentionstaff 2017-06-06 09:36:07 CEST
(In reply to Michel Smidt from comment #2)
> (In reply to Daniel Tröder from comment #1)
> > * Do I understand the scenario correct, that a "staff"-like role is needed,
> > that is replicated to edu-slaves?
> Yes, exactly. Multiple separated "staff"-like roles.
Could a single "edustaff" role with multiple groups achieve the goal?

> > * What other roles / scenarios are expected?
> Parents of course. 
I totally concur.
Comment 4 Michel Smidt 2017-06-06 09:46:04 CEST
(In reply to Daniel Tröder from comment #3)
> (In reply to Michel Smidt from comment #2)
> > (In reply to Daniel Tröder from comment #1)
> > > * Do I understand the scenario correct, that a "staff"-like role is needed,
> > > that is replicated to edu-slaves?
> > Yes, exactly. Multiple separated "staff"-like roles.
> Could a single "edustaff" role with multiple groups achieve the goal?
Yes, I guess so. Important would be that school admins can create/edit/delete this kind of users.
I think we shouldn't try to anticipate all workflows for this role. For a first iteration I guess the following workflows would be totally sufficient:
1. The user can log in to Windows and has a home share and a "group share".
2. The user can log in to a cloud file service like Nextcloud and can share files with other school members.
> 
> > > * What other roles / scenarios are expected?
> > Parents of course. 
> I totally concur.
Comment 6 Dirk Schnick univentionstaff 2021-06-23 11:41:49 CEST
A customer needs something between student and teacher, and I think in the last years this requirement has grown in school environments; school accompaniment for people with disabilities should be at nearly every school in Germany. These staff users need access to the school network/environment, but they should not be allowed to start and stop exams.
Some customers may want them to have access to the teachers' shares; others may not, so a flexible configuration would be the best way to solve this, also for other requirements like observing only the accompanied student and so on.
I have attached a ticket of a customer who actually has the problem of not knowing how to solve the requirements of the school administration.