Functionality
The SBS application has the following roles:
- Platform admin
- Organisation admin
- Organisation manager
- Collaboration admin
- Collaboration member
- Regular user
The next section describes which functionality the application offers to each role:
The platform admin can do everything including impersonating other users to test the roles & rights. The main responsibilities of the platform admin are:
- Create organisations and invite organisation administrators
- Create services
When a platform admin creates a service, the following properties of the service determine who is allowed to make the service available for a collaboration (or organisation):
- Automatic connection allowed?
  - If this is True, then the service can be made available to every collaboration (or organisation), provided there are no organisational limitations (see the next bullet)
  - If this is
- Allowed organisations
  - Restricts the service to one or more organisations. Only collaborations that are part of these organisations can make the service available to the members of the collaboration
- Whitelisted
  - SBS offers customers an API to create restricted collaborations, and only whitelisted services can be made available to restricted collaborations
An admin of an organisation can:
- Create / delete / update collaborations for this organisation
- Invite administrators or members for collaborations of his / her organisation
- Manage groups for collaborations of his / her organisation
- Invite new organisation admins or managers for his / her organisation
- Edit the organisation details
- Resend / delete pending invitations
- Add / delete API keys - an API key allows the organisation to programmatically create restricted collaborations and bulk invite members
A manager of an organisation can only manage collaborations for his / her organisation and add / delete API keys. An organisation admin can do everything that a collaboration admin may do for collaborations under his / her organisation.
An admin of a collaboration can:
- Edit / delete the collaboration
- Invite new members for the collaboration
- Change the role of existing members of the collaboration
- Remove members from the collaboration
- Add / remove services to / from the collaboration
- Manage groups within the collaboration and manage members of the groups
- Mail all collaboration members
A member of a collaboration has read-only access to the collaborations he / she is a member of. Collaboration members cannot see the other members of a collaboration; this is forbidden explicitly, and therefore collaboration members cannot email other members or admins.
Everyone in the application can request to join a collaboration. If a collaboration is configured with Disable Join request for this collaboration, then this is not allowed. Everyone can also request a new collaboration if the schac home identifier of the IdP used to log in matches the unique schac home of an organisation.
Each user can also add an SSH key to his / her profile.
Everyone in the application has read-only access to the services which are made available to the user. See the next section for more information about how services are made available to users.
Collaboration members and regular users, i.e. those who cannot create collaborations themselves, can request a new collaboration if the schac home identifier of the IdP used to log in matches an organisation. The request for a new collaboration can only be made for the matching schac home organisation. If an organisation is marked Automatically approve CO creation requests, then the request is granted automatically. The requester is made an admin of the new collaboration.
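The two request paths above, join requests and collaboration creation requests, as an added Python example that is not part of SBS itself. The organisation is found by comparing the schac home asserted by the user's IdP with each organisation's unique schac home; the class names, the exact string comparison and the sample organisations are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Organisation:
    name: str
    schac_home: str                       # the organisation's unique schac home
    auto_approve_co_requests: bool = False  # "Automatically approve CO creation requests"


@dataclass
class Collaboration:
    name: str
    organisation: Organisation
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    disable_join_requests: bool = False   # "Disable Join request for this collaboration"


@dataclass
class User:
    uid: str
    schac_home: str   # schac home identifier of the IdP the user logged in with


def request_to_join(user: User, co: Collaboration) -> str:
    """Join request: open to every user unless the collaboration disables join requests."""
    if co.disable_join_requests:
        return "refused: join requests are disabled for this collaboration"
    if user.uid in co.members or user.uid in co.admins:
        return "refused: already a member"
    return "pending: a collaboration admin must approve the request"


def request_new_collaboration(user: User, organisations: list, co_name: str):
    """Creation request: only possible for the organisation whose schac home equals the
    schac home of the user's IdP (compared exactly here). Returns (status, Collaboration or None)."""
    matching = [o for o in organisations if o.schac_home == user.schac_home]
    if not matching:
        return "refused: no organisation matches the schac home of the IdP", None
    org = matching[0]          # schac home is unique, so there is at most one match
    if org.auto_approve_co_requests:
        co = Collaboration(name=co_name, organisation=org, admins={user.uid})
        return "created: requester is admin of the new collaboration", co
    return f"pending: an admin of {org.name} must approve the request", None


# Constructed sample data, not taken from the page.
ORGANISATIONS = [
    Organisation("Example University", "example.edu", auto_approve_co_requests=True),
    Organisation("Other Institute", "other.org"),
]

if __name__ == "__main__":
    print(request_new_collaboration(User("alice", "example.edu"), ORGANISATIONS, "bio")[0])
    print(request_new_collaboration(User("bob", "other.org"), ORGANISATIONS, "chem")[0])
    print(request_new_collaboration(User("eve", "guest-idp.net"), ORGANISATIONS, "x")[0])
```

A user arriving through an IdP whose schac home matches no organisation can still send join requests to existing collaborations, but never create one: the creation path is the only place where the IdP attribute acts as an authorisation input.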
A user can use services that are linked to his / her account. A service is linked to an account if:
- The service is configured to be made available for a collaboration the user is a member of
- The service is configured to be made available for an organisation the user is a member of
- The service is configured to be made available for an organisation and the user is a member of one or more of the collaborations in that organisation
When a user tries to access a service then the API of SBS is called to get all attributes of a user. User attributes are only returned if the user is not suspended and the service is made available to the user. Part of the user attributes are all collaboration and group memberships.
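The service availability rules from the platform admin section (automatic connection, allowed organisations, whitelisting for restricted collaborations) together with the three linking rules and the attribute release check above, as an added Python example that is not SBS code. Only the automatic connection case is modelled, because the page does not describe what happens when automatic connection is not allowed; the class names, the attribute layout and the sample organisation, collaboration and users are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Service:
    entity_id: str
    automatic_connection_allowed: bool = False
    allowed_organisations: set = field(default_factory=set)  # organisation names; empty = no limitation
    white_listed: bool = False


@dataclass
class Organisation:
    name: str
    services: set = field(default_factory=set)   # entity_ids made available organisation-wide


@dataclass
class Collaboration:
    name: str
    organisation: Organisation
    members: set = field(default_factory=set)    # member uids
    services: set = field(default_factory=set)   # entity_ids made available to this collaboration
    groups: dict = field(default_factory=dict)   # group name -> set of member uids
    restricted: bool = False                     # created through the customer API


@dataclass
class User:
    uid: str
    suspended: bool = False
    organisations: list = field(default_factory=list)  # Organisations the user is a member of


def connection_allowed(service: Service, co: Collaboration) -> bool:
    """May `service` be made available to `co` automatically?"""
    if co.restricted and not service.white_listed:
        return False            # restricted collaborations only get whitelisted services
    if service.allowed_organisations and co.organisation.name not in service.allowed_organisations:
        return False            # organisational limitation on the service
    return service.automatic_connection_allowed


def linked_services(user: User, collaborations: list) -> set:
    """Entity ids of the services linked to the user's account (the three rules above)."""
    linked = set()
    for co in collaborations:
        if user.uid in co.members:
            linked |= co.services               # rule 1: available to a collaboration of the user
            linked |= co.organisation.services  # rule 3: organisation-wide, user in one of its collaborations
    for org in user.organisations:
        linked |= org.services                  # rule 2: organisation-wide, user is an organisation member
    return linked


def user_attributes(user: User, collaborations: list, service_id: str) -> Optional[dict]:
    """What the attribute API releases to `service_id` for `user`: None (nothing at all)
    unless the user is not suspended and the service is linked to the account."""
    if user.suspended or service_id not in linked_services(user, collaborations):
        return None
    memberships = [co for co in collaborations if user.uid in co.members]
    return {
        "uid": user.uid,
        "collaborations": [co.name for co in memberships],
        "groups": [f"{co.name}:{name}" for co in memberships
                   for name, uids in co.groups.items() if user.uid in uids],
    }


# Constructed sample data, not taken from the page.
UNI_A = Organisation("uni-a", services={"wiki"})
BIO = Collaboration("bio", UNI_A, members={"alice", "bob"}, services={"jupyter"},
                    groups={"pi": {"alice"}})
COLLABORATIONS = [BIO]
ALICE = User("alice")                          # active member of bio
BOB = User("bob", suspended=True)              # suspended member of bio
CAROL = User("carol", organisations=[UNI_A])   # organisation member, in no collaboration

if __name__ == "__main__":
    print(user_attributes(ALICE, COLLABORATIONS, "jupyter"))
    print(user_attributes(BOB, COLLABORATIONS, "jupyter"))    # None: suspended
    print(user_attributes(CAROL, COLLABORATIONS, "jupyter"))  # None: not linked via bio
```

The check is deliberately all-or-nothing: a suspended user or an unlinked service gets no attributes, not a reduced set, so a service cannot learn collaboration or group memberships it is not entitled to.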
When a new group is created in a collaboration, the group can be marked Auto-provision new collaboration members. This means that all current collaboration members and all future members, i.e. users whose invitation has been accepted, are added as group members.
If a group is marked with Auto-provision new collaboration members, then no members can be deleted from the group, as this conflicts with the whole idea of Auto-provision new collaboration members.
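The auto-provision behaviour, as an added Python example that is not SBS code: existing members join the group at creation, accepted invitations are added to every auto-provision group, and removal from such a group is refused. The class and function names are assumptions; so is the behaviour of `remove_collaboration_member`, which the page does not describe.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    auto_provision_members: bool = False   # "Auto-provision new collaboration members"
    members: set = field(default_factory=set)


@dataclass
class Collaboration:
    name: str
    members: set = field(default_factory=set)
    groups: list = field(default_factory=list)


class AutoProvisionedGroupError(Exception):
    """Members of an auto-provision group cannot be removed from the group."""


def create_group(co: Collaboration, name: str, auto_provision: bool = False) -> Group:
    group = Group(name, auto_provision)
    if auto_provision:
        group.members |= co.members       # every current collaboration member joins
    co.groups.append(group)
    return group


def accept_invitation(co: Collaboration, uid: str) -> None:
    """A new member (accepted invite) is added to every auto-provision group."""
    co.members.add(uid)
    for group in co.groups:
        if group.auto_provision_members:
            group.members.add(uid)


def remove_group_member(group: Group, uid: str) -> None:
    if group.auto_provision_members:
        raise AutoProvisionedGroupError(
            f"{uid} cannot be removed from auto-provision group {group.name}")
    group.members.discard(uid)


def remove_collaboration_member(co: Collaboration, uid: str) -> None:
    """Assumption, not stated on the page: leaving the collaboration removes the user
    from all of its groups, auto-provision groups included, because group membership
    only makes sense for collaboration members."""
    co.members.discard(uid)
    for group in co.groups:
        group.members.discard(uid)


def demo() -> dict:
    """Walk through the rules on constructed data and return the resulting state."""
    co = Collaboration("bio", members={"alice"})
    everyone = create_group(co, "everyone", auto_provision=True)
    admins = create_group(co, "admins")
    admins.members.add("alice")
    accept_invitation(co, "bob")            # bob lands in "everyone", not in "admins"
    try:
        remove_group_member(everyone, "bob")
        blocked = False
    except AutoProvisionedGroupError:
        blocked = True
    remove_group_member(admins, "alice")    # allowed: "admins" is not auto-provisioned
    remove_collaboration_member(co, "bob")
    return {"everyone": set(everyone.members), "admins": set(admins.members),
            "collaboration": set(co.members), "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```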
Every user is required to log in from time to time to prevent suspension from SBS and from all the services made available to this user. The period after which a user is suspended is configurable per SBS environment:
```yaml
# The retention config determines how long users may be inactive, how long the reminder magic link is valid and when we resend the magic link
retention:
  allowed_inactive_period_days: 90
  reminder_expiry_period_days: 14
  reminder_resent_period_days: 7
```
A user receives an email warning that he / she has not logged in for 90 days. After 14 days the user receives a second warning, and 7 days after that the user is suspended. Collaboration admins can lift the suspension of collaboration members.