[Bug 35693] New: Granular Permissions to Everything
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Bug ID: 35693 Summary: Granular Permissions to Everything Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: System Administration Assignee: koha-bugs@lists.koha-community.org Reporter: cbrannon@cdalibrary.org QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com I don't know exactly how to file this. Koha is growing all the time and new features are always being added, but they are often being added with very little permission granularity. Often the permissions are too broad. For example, the newer pages under additional-contents.pl is under the entire umbrella of one permission for the user, and gives them access to ALL pages, ALL news, and ALL HTML customizations. I am hoping that Koha will start thinking more about roles in the library, and allowing us to give specific people access to specific pages, customizations, etc. This goes even further with who can override things. We don't have a lot of control over who can do what specific things. Maybe there is a bug on this topic already? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #1 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- We are certainly due a permission clean-up and I there are a lot of bugs when you look for 'permission' that we could put here to make this an omnibus bug. One thing we might want to think about is moving away from the mix of borrowers.flags and the permissions table to give us a better base to order and group permissions. As a topic for discussion, it might be better suited for the mailing list or developer meetings. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #2 from Christopher Brannon <cbrannon@cdalibrary.org> --- I think that is a great idea. Also, I think maybe the best approach to something of this nature is creating a foundation framework for this that new features can use and existing features can hook onto as they are improved. I don't want people to look at this as a major overhaul to existing permissions. This should be something we can create the structure for and then move things over to as we move forward. Otherwise, I fear that developers are going to look at this as a daunting task, and too big to take on, especially as more and more features are continually developed and added on to Koha. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Rebecca Coert <rcoert@arlingtonva.us> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rcoert@arlingtonva.us -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #3 from David Cook <dcook@prosentient.com.au> --- (In reply to Christopher Brannon from comment #0)
I am hoping that Koha will start thinking more about roles in the library, and allowing us to give specific people access to specific pages, customizations, etc. This goes even further with who can override things. We don't have a lot of control over who can do what specific things.
I think that you make a very good point, but Koha developers are a fairly loose group which support a variety of different libraries, and I think most developers have never worked as librarians themselves (with the exception of a few of us). Change usually comes from starting with one developer/vendor and then building support across the group. Personally, most of my (many) libraries have very small staff sizes, and I haven't heard any complaints around permissions (except for the latest one about requiring "edit_borrowers" to search/list borrowers). So I'm unlikely to get sponsorship for such a change. But I imagine there are other vendors who support libraries with larger staffs who would be more likely to get that kind of sponsorship. In the meantime, something that could be helpful is libraries coming up with a list of "personas" and "scenarios". These are useful elements of system design. Something basic like "Joe is a collection development librarian" (persona). The collection development librarian "needs to search the catalogue" (scenario), "needs to update only certain allowed lists" (scenario), "needs to update only collection development HTML pages" (scenario). Basically just outlining the hypothetical people and the things they need to do.
From there the developers can start working out how we can technologically allow those people to do those scenarios.
-- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Lauren Denny <lauren_denny@sil.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lauren_denny@sil.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Michelle Spinney <mspinney@clamsnet.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mspinney@clamsnet.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Katie Bliss <kebliss@dmpl.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kebliss@dmpl.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Miranda Nero <mnero@oslri.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mnero@oslri.net -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Miranda Nero <mnero@oslri.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mnero@oslri.net -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Mathieu Saby <mathsabypro@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |mathsabypro@gmail.com --- Comment #4 from Mathieu Saby <mathsabypro@gmail.com> --- Hi For information, you can have a look at the FOLIO permission system https://docs.folio.org/docs/platform-essentials/permissions/ "FOLIO has a user permissions system that allows for granular control over what users can access in their FOLIO installation. ... By default, a FOLIO installation does not provide roles or permission profiles for library staff. Instead, FOLIO administrators can build their own groups of permissions called permission sets that correspond to their local needs." I love that! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- (In reply to Mathieu Saby from comment #4)
Hi For information, you can have a look at the FOLIO permission system https://docs.folio.org/docs/platform-essentials/permissions/
This doesn't really look too different from Koha, in my opinion. I quite like AWS's IAM policies which essentially boils down to "subject", "verb", "object", and "condition". X subject can perform Y action on Z object when C condition is met. Each service/module has a list of actions, and these actions are where you get a lot of the granularity. But as Christopher was saying... if you're able to define the "object" or the "condition", you can make it so that X subject can only Y update an existing Z news item. -- Koha permissions typically are only checked at page load time, although I think there are a couple that are checked at action time. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #6 from David Cook <dcook@prosentient.com.au> --- But... overhauling permissions would take a lot of deliberation and cooperation across a number of Koha devs and I don't see that happening any time soon. Architectural changes like these are some of the hardest to make in Koha due to 25+ years of inertia. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |needs_rfc -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Technically, I suppose we could add a lot more subpermissions to cover more actions, and then maybe just think about improving the top-level permissions... -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Sally Lodico <Slodico@knoxlib.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |Slodico@knoxlib.org --- Comment #8 from Sally Lodico <Slodico@knoxlib.org> --- I understand how complicated--and expensive--it would be to change Koha's permission system, but Christopher's point about the permissions for additional-contents.pl needing to change seem to have been lost to that bigger conversation. These particular settings, having been moved from System preferences to Tools using the same permissions as the existing News feature is allowing people without the appropriate training or authority to edit things they have no business editing. They couldn't do it before because they did not have permission to edit the System preferences. If someone does not have permission to access a feature before a new development moves or changes something, they shouldn't have access to that feature after. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #9 from David Cook <dcook@prosentient.com.au> --- (In reply to Sally Lodico from comment #8)
If someone does not have permission to access a feature before a new development moves or changes something, they shouldn't have access to that feature after.
That is a very interesting point. I imagine a lot of devs would argue that a tools permission is a better fit for the additional contents generally speaking, but... yeah it's not a change that would've been expected and I don't think it was noted, so good point. Maybe it would've been a good idea to create a new separate permission for it, as then it could've been populated off of the manage system preferences permission. Unfortunately, I think it's a bit late now. Damage done I imagine. That said... it sounds like you're saying you see News and Additional Contents as quite distinct in terms of permissions on an on-going basis not just a historical one? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I think a separate permission for HTML customizations could still be added now and even if we can't populate it only from the general one, libraries will again be able to adjust at least. But can you please file a separate bug and link it to this one? -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=37849 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Actually there already is one: Bug 37849 - Permissions for additional content - HTML Customizations, Pages, News, OPAC, etc -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 Lisette Scheer <lisette@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lisette@bywatersolutions.co | |m --- Comment #12 from Lisette Scheer <lisette@bywatersolutions.com> --- I think this would be a good topic for the next development meeting. Personally I think a role based access control (rbac) similar to the patron permissions plugin we have with the option to set on the individual level if there were niche permission sets would be great. I also think something like Object (item) []View []Edit []Delete []Add []View all branches []Edit all branches []Delete all branches []Add all branches type granular permissions would be more what the bigger libraries we've talked to would like to see. You could set a role/persona with the permissions for example: Circ staff -View all items -Edit items at my branch and assign folks to a role/persona to grant those permissions, but another example: cataloger: view all branches, edit items at my branch, delete items at my branch, add items at my branch. https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20813 Revamp user permissions system (currently failed qa) has a number of bugs it depends on that I filed last year as prerequisites to fixing the issues outlined on that bug in it's current state. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #13 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- I wonder how we could best factor library groups into the permission system or if "mine" should always be "home library and all libraries within my group"? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #14 from Lisette Scheer <lisette@bywatersolutions.com> --- (In reply to Katrin Fischer from comment #13)
I wonder how we could best factor library groups into the permission system or if "mine" should always be "home library and all libraries within my group"?
From the type of controls I could see consortia wanting, probably something like my above example +
[]View all branches in group []Edit all branches in group []Delete all branches in group but gosh that just adds even more to keep track of. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=16631 -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #15 from David Cook <dcook@prosentient.com.au> --- (In reply to Lisette Scheer from comment #14)
(In reply to Katrin Fischer from comment #13)
I wonder how we could best factor library groups into the permission system or if "mine" should always be "home library and all libraries within my group"?
From the type of controls I could see consortia wanting, probably something like my above example +
[]View all branches in group []Edit all branches in group []Delete all branches in group
but gosh that just adds even more to keep track of.
I'm not sure I'm understand this. What I was thinking of was a condition where you could specify something like "all_libraries", "my_library_groups", "my_library" or something like that. So for something like "List borrowers" you'd add the relevant condition (with the default probably being "all_libraries"). -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35693 --- Comment #16 from Lisette Scheer <lisette@bywatersolutions.com> ---
What I was thinking of was a condition where you could specify something like "all_libraries", "my_library_groups", "my_library" or something like that.
So for something like "List borrowers" you'd add the relevant condition (with the default probably being "all_libraries").
That sounds much better. +1 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org