4. Permissions

Several actions within COmanage require specific permissions to perform them. Permissions are usually granted by making a CO Person a part of a group, and then granting permission to that group to do specific tasks.

The types of actions that can require special permission include:

  • Configuring the COmanage platform or specific organizations or collaborations represented in the platform
  • Enrolling (registering) people in COmanage
  • Managing CO Person objects, their connected attributes (information), and the values stored for the person
  • Managing one’s own attributes (information) (Self Service Permissions)
  • Creating and managing groups and who is included in the groups

Automatic permission groups

Some groups for managing these permissions are created automatically when configuring the objects that you will use when modeling your organization. (Next lesson!)

  • Admin groups - For some of the components that you use to model your organization, a group is created for each one that contains the administrators for that organizational component. Members of this group have permissions allowing them to manage the organizational component and the things attached to it. There is also a general admins group that contains all people who are an admin in any capacity.
  • Active Members group - All people registered with an active status in COmanage are included in this group. Members of this group have permissions allowing them to do things like signing in to COmanage.

Self Service Permissions

COmanage allows certain attributes (information) to be managed by users directly.

Attributes always available for self service

  • CO Group Memberships (for open groups or groups owned by the CO Person) - we will be talking about Groups in the next lesson.
  • SSH Keys attached to a CO Person record - we will be talking about authenticators and SSH Keys in a later lesson.

Attributes that may be configured for self service

By default, these attributes are read only.

CO Person
  • Name
  • Role Address
  • EmailAddress
  • Identifier
  • URL
CO Person Role
  • TelephoneNumber

Attributes that are never available for self service

CO Person
  • Status
CO Person Role
  • attributes
Org Identity
  • All attributes attached to the object

Discussion - Permissions

Hands on time!

We will move back to our breakout groups for 10 min. Consider the people that you have identified in the earlier exercises. What permissions would each of these individuals need?

  • Consider the relationships that you listed in the Memberships section. Would this person be an Owner or Administrator for any of these collections of people?
  • Would this person be considered a platform administrator, responsible for setting up organizational structure within COmanage?
  • Would this person be allowed to change attributes (information) about themselves, for example, email address, name or phone number?
  • Would this person be allowed to self enroll for any memberships? If so, what types of groups would this person elect to be a part of?
  • Is this person considered a guest, i.e., does the person have a limited connection to your organization or collaboration?

Jot down your thoughts on the worksheet. There are check boxes to indicate things like administrative or ownership permissions as well as self service or self enrollment privileges.

[10 min]


Terminology & resources

See resources and definitions for COmanage-specific terminology in this lesson.