
User administration in SB Auth

In SB Auth, we manage users and their access to some of our restricted resources. The system is intended to replace WS Auth, as it integrates with GU X accounts and other eduGAIN identity providers.

This page provides instructions for SB Auth administrators, and is not intended for all SB Auth users to read.

If you need help with giving users access, talk to Herbert.

Data model

  • A User can have a Grant to a Resource
  • The Grant is of a certain Level: READ, WRITE or ADMIN
  • Each Resource is of a certain Resource type

Administration interface

User interface

  • The interface at spraakbanken.gu.se/auth is open for any authenticated user
  • It shows the user's User record and associated Grant records
  • When clicking a resource where they have the ADMIN level, they can also see other Users and Grants for that resource
  • There is also an Add user button for creating Invites, but this functionality is broken at the moment

As the functionality is still limited and broken, we do not usually inform users about this interface.

Adding access to a user

New users cannot really be added manually, because some values need to be given by their Identity Provider (IdP). Instead, their accounts are created automatically when they authenticate for the first time. This results in a rather awkward workflow, which we intend to fix soon.

  1. Ask the user to access the restricted content
  2. The user will be prompted to choose their identity provider (e.g. GU), and then for their username and password (e.g. X account)
  3. They will then receive some kind of error because they do not yet have the required permission
  4. Now you can enter the administration interface and add a new Grant, selecting the User, Resource and Level as needed
  5. Finally, tell the user to try again
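The workflow above as an added Python example, not SB Auth's own code: the User record only exists after the first login, access is denied until a Grant is added, and only an ADMIN of a resource sees other users' Grants for it. The class and function names, the in-memory store, the sample identity and resource name, and the ordering READ < WRITE < ADMIN are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    # Assumption: levels are ordered, so a higher level implies the lower ones.
    READ = 1
    WRITE = 2
    ADMIN = 3

@dataclass
class AuthStore:
    users: set = field(default_factory=set)     # identities as provided by an IdP
    grants: dict = field(default_factory=dict)  # (user, resource) -> Level

    def authenticate(self, idp_subject):
        """Steps 1-2: the first login creates the User record from IdP values."""
        self.users.add(idp_subject)
        return idp_subject

    def add_grant(self, user, resource, level):
        """Step 4: a Grant can only point at a User record that already exists."""
        if user not in self.users:
            raise LookupError(f"{user} has not authenticated yet: no User record")
        self.grants[(user, resource)] = level

    def is_allowed(self, user, resource, needed):
        """Deny by default: no Grant on the resource means no access."""
        held = self.grants.get((user, resource))
        return held is not None and held >= needed

    def visible_grants(self, viewer, resource):
        """A user sees their own Grant; an ADMIN sees every Grant on the resource."""
        on_resource = {u: l for (u, r), l in self.grants.items() if r == resource}
        if on_resource.get(viewer) == Level.ADMIN:
            return on_resource
        return {u: l for u, l in on_resource.items() if u == viewer}

def walkthrough():
    store, results = AuthStore(), []
    try:  # granting before the first login fails: there is no User to select
        store.add_grant("alice@idp.example", "corpus-x", Level.READ)  # constructed names
    except LookupError:
        results.append("no-user")
    user = store.authenticate("alice@idp.example")
    results.append(store.is_allowed(user, "corpus-x", Level.READ))   # step 3: denied
    store.add_grant(user, "corpus-x", Level.READ)                     # step 4
    results.append(store.is_allowed(user, "corpus-x", Level.READ))   # step 5: allowed
    results.append(store.is_allowed(user, "corpus-x", Level.WRITE))  # still denied
    return results
```
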

More on the data model

| Model | Purpose | Notes |
|---|---|---|
| User | Stores an identity as provided by an IdP | |
| Grant | Relates a User with a Resource and a Level | |
| Resource | Anything that needs permission management: a dataset, an app... | The majority right now are Mink corpora which are generated by user activity |
| Level | Define access levels | Closed group, changing these may break services |
| Resource type | Group resources at a high level | Changing the type of an existing resource may break services |
| Invite | Let a new user gain access to a selected resource | Broken atm, see sb-auth issue #32 |
| Group | | Not yet in use |