System-level and community roles
The default authorisation configuration of the authorisation server, Ontocloak, defines a number of roles, each with a particular level of privilege. These roles are used throughout this documentation to describe functionality and processes.
Roles are applied at either system level or community level.
A user's system-level roles control what they can and cannot do on the system when no other restrictions apply. For example, a user given the Author role at system level can author their own content and modify other content, provided that content does not have a security label applied. A security label is a way of tagging resources so that additional, community-level permissions can be applied to them.
Community-level roles are granted by the community owner to control what a user may do to resources that have a specific community security label applied. Community roles are not permitted to provide a greater level of permission than the system role. For example, a user with a consumer role at system level may not be granted authoring rights within a community.
System-level roles
Role | Description | Capabilities in account management console | Capabilities in administration console | Capabilities in Snapper
---|---|---|---|---
Consumer | Base level of access. READ-only access. Can be granted read access to | Can manage own account. | No access. | READ-only access to resources. Terminology resources - they can:
Author | READ/WRITE access. Can create communities; by creating a community they become the Community Owner. | Can manage own account. | Can manage own account. Can create communities. Can manage members of owned communities. | READ-only access to resources. WRITE access to communities they have author membership of. Terminology resources - they can:
Content approver | READ/WRITE access. Has all the capabilities of an Author. Can also syndicate (approve) resources for publication from the authoring server, which may then be incorporated into a release to the staging and ultimately production servers. | Can manage own account. | Can manage own account. Can create communities. Can manage members of owned communities. | READ-only access to resources. WRITE access to communities they have author membership of. Terminology resources - they can:
Service Desk Team | Can create and manage users, system clients and permissions. Is automatically a content member administrator. | Can manage own account. | Can manage own account. Can create and manage other users' accounts (including other Service Desk members) and assign Author and approval roles. Can create communities. Can manage all communities. Can create and manage client credentials. | N/A
Administrator | Can create and manage users, system clients and permissions. Can create and manage Service Desk Team users. | Can manage own account. | Can manage own account. Can create and manage other users' accounts. Can create communities. Can manage all communities. Can create and manage client credentials. Can reconfigure the authorisation server, including adding or changing connected identity providers. | N/A
Community roles
Community role | Description | Roles required
---|---|---
Community consumer | Has READ-only access to resources in membership communities. | Granted to a Consumer or Author by the Community owner.
Community author | Has WRITE access to resources in membership communities. | Granted to an Author by the Community owner.
Community owner | Community owners can manage their communities by: | Granted to an Author when they create a community. Granted to other Authors by the Community owner.
Community content administrator | Can modify any resource irrespective of community security labels on the resource. | Granted to an Author by the Service Desk Team.
Community member administrator | Content member administrators can manage all communities: | Granted to the Service Desk Team by default.
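The following is an added worked example, not code from Ontocloak or Ontoserver, that models the two rules described above: a community role may never grant more than the user's system role allows, and a security label on a resource restricts write access to the community's authors (with the community content administrator exempt from labels). The role names are taken from the tables on this page; the `User`, `Resource`, `grant_community_role`, `can_read` and `can_write` names are this example's own. One assumption is made where the page is silent: reading a labelled resource is modelled as requiring some membership of that community, mirroring the "READ-only access to resources in membership communities" wording for the community consumer role.

```python
"""Toy model of Ontocloak-style system-level and community-level roles.

Added example; not the authorisation server's own code. It demonstrates
the least-privilege rule that community roles cannot exceed system roles,
and how security labels gate write (and, by assumption, read) access.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

READ = 1
WRITE = 2

# Privilege level implied by each system-level role (from the page's table).
SYSTEM_ACCESS = {
    "Consumer": READ,
    "Author": WRITE,
    "Content approver": WRITE,
    "Service Desk Team": WRITE,
    "Administrator": WRITE,
}

# Privilege level implied by each community-level role.
COMMUNITY_ACCESS = {
    "Community consumer": READ,
    "Community author": WRITE,
}


@dataclass
class User:
    name: str
    system_role: str
    # community name -> set of community roles held in that community
    community_roles: Dict[str, Set[str]] = field(default_factory=dict)
    # "Community content administrator": may modify any resource regardless of label
    content_administrator: bool = False


@dataclass
class Resource:
    resource_id: str
    # A security label names the community whose permissions apply; None = unlabelled.
    security_label: Optional[str] = None


def grant_community_role(user: User, community: str, role: str) -> None:
    """Grant a community role, refusing any grant that would exceed the system role.

    This enforces the page's rule that a Consumer at system level may not be
    given authoring rights within a community.
    """
    if COMMUNITY_ACCESS[role] > SYSTEM_ACCESS[user.system_role]:
        raise PermissionError(
            f"{role} exceeds {user.name}'s system role {user.system_role}"
        )
    user.community_roles.setdefault(community, set()).add(role)


def can_read(user: User, resource: Resource) -> bool:
    """READ is the base level: every role can read unlabelled resources.

    Assumption (not stated on the page): a labelled resource is readable only
    by members of the labelling community, or by a content administrator.
    """
    if resource.security_label is None or user.content_administrator:
        return True
    return bool(user.community_roles.get(resource.security_label))


def can_write(user: User, resource: Resource) -> bool:
    """WRITE needs a WRITE-level system role, then the label check applies."""
    if SYSTEM_ACCESS[user.system_role] < WRITE:
        return False
    if user.content_administrator:
        return True  # "irrespective of community security labels"
    if resource.security_label is None:
        return True  # no label: system-level Author rights suffice
    roles = user.community_roles.get(resource.security_label, set())
    return "Community author" in roles


if __name__ == "__main__":
    # Constructed sample users and resources for a stand-alone run.
    alice = User("alice", "Consumer")
    bob = User("bob", "Author")
    grant_community_role(bob, "cardiology", "Community author")
    labelled = Resource("vs-cardio-1", security_label="cardiology")
    print("alice can write labelled:", can_write(alice, labelled))  # False
    print("bob can write labelled:", can_write(bob, labelled))      # True
    try:
        grant_community_role(alice, "cardiology", "Community author")
    except PermissionError as err:
        print("rejected:", err)
```

The grant check is the point worth copying into any real deployment: the place to enforce "community roles never exceed system roles" is at grant time, not only at access-check time, so that an over-privileged membership can never exist to be discovered later.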
Last edited: 17 March 2021 1:25 pm