(WIP) Curator's Role

[mb-wali]

Intro:

invenio-records-marc21 is planned to provide a data model for different systems such as PURE, ALMA, DIGLIB and CMSCampus online, and there are modules for each of the above-mentioned systems in order to fetch & push data via cronjobs of celery.

• invenio-alma
• invenio-campus-online
• invenio-pure
• invenio-diglib

And each of the modules defines an account that will be used as the owned_by field to add his id. e.g.	Name	Email	Id (owned_by)
alma_account	alma_account@repository.at	500
pure_account	pure_account@repository.at	600
diglib_account	diglib_account@repository.at	700
cms_account	cms_account@repository.at	800

keep in mind that the ids and emails are not a valid value, just an example.

Defining multiple roles:

consider defining a role for each of the systems in our repository data.

• curator_alma can view/edit records that were created by the alma_account.
• curator_pure can view/edit records that were created by the pure_account.
• curator_diglib can view/edit records that were created by the diglib_account.
• curator_cms can view/edit records that were created by the cms_account.

[mb-wali]

Questions:

• Are these created records public for other users except the roles given?
  • Yes, this should happen at cronjobs while mapping.
  • And even admin should not be allowed to access the records, unless permission given - This should happen at the marc21Permissionpolicy level.
• Is there anything in invenio already - saying that it's restricted to only the owner?
  • Yes, it's called restricted.

known resources:

• rdm-permission_policy uses something called generators.

• tests for permission_policy

• invenio-rdm-records generators

• invenio-records-permissions Generators

• invenio-access : Role-based access control with object level permissions.

[rekt-hard]

Account Actions The accounts fetching external records (e.g. 'pure_account') should only be allowed to create new records and edit their own unpublished records.

Other accounts with the associated role should be able to edit and publish these records (e.g. an account with role 'curator_pure' can edit and publish all records created by 'pure_account').

Role Management Following commands can be used for role management. To create a new role: invenio roles create curator_pure To add a role to a user: invenio roles add user1@tugraz.at curator_pure To remove a role from a user: invenio roles remove user1@tugraz.at curator_pure

Permission Policy As invenio-records-marc21 will have its own permission policy (and not inherit from RDMRecordPermissionPolicy), it is necessary to define the policy in this module as well. The generators for the curators can be imported from invenio-config-tugraz. This will make sure, that no module relies on invenio-rdm-records