Account Manager

Contents

1. Introduction
    1.1 Features
    1.2 Assumptions

2. Account manager overview
    2.1 Users: introduction
    2.2 Groups: introduction

3. Users
    3.1 Add a new user
    3.2 User properties, access permissions, group/capacity memberships
        3.2.1 Basic
        3.2.2 Groups/capacities
            3.2.2.1 Add a user to a group/capacity
            3.2.2.2 Take away a membership from a group/capacity
            3.2.2.3 Change a members capacity in a group
        3.2.3 Intranet
        3.2.4 Admin
        3.2.5 Page Manager
    3.3 Delete a user account

4. Groups and capacities
    4.1 Add a new group
    4.2 Edit a group
        4.2.1 Basic properties
        4.2.2 Capacities 1-8
    4.3 Add a user to a group/capacity
    4.4 Delete a group

5. Skins

6. Concluding remarks

1. Introduction

In a school with so many areas (sites) to manage, with sometimes hundreds of users, from pupils to the governing board, each with differing access permissions in their groups, with users being members of several groups however with different permissions, with a dozen or so modules to manage, on which some have permissions and others have no or partial permissions, account management can be a task you would not wish for you worst enemy.

In Website@School we have tried to make account management as simple as possible, as well as also permitting a refined, role based access control (RBAC) on users and groups. This advantage has its drawback. It's easy to make mistakes. By checking one wrong box you can give a user access to everything. Please take care when managing accounts!

1.1 Features

The features of the Account Manager in no specific order:

• Skins: Selectable skins for blind and visually impaired users t suit their preferences.
• Users: Add, edit, delete user accounts and their properties: user name, password, full name, e-mail address, active/inactive, redirection (where to go to after logout), language selection, visibility mode, editor selection, data folder, and various permissions.

  NOTICE:
  Please read paragraph 2.1 User Manager overview for details on the different types of users.

• Groups: Add, edit, delete groups and their properties: group name, description, active/inactive, add 1 to 8 capacities.

  NOTICE:
  Please read the 2.2 Groups Manager overview for details on- and examples of groups and capacities.

• Capacities: Add, edit, delete up to 8 capacities. A capacity is a label to which access permissions can be given on the different managers, tools, sites, areas, sections and pages. Capacity names can be changed to other preferences. Capacities are discussed in paragraph 2.2 Groups: introduction and in paragraph 3.2 User properties, access permissions, group/capacity memberships.
• Labels: 19 labels to name or rename capacities to the institution's preferences.
• Memberships: Assign or take away a user's membership of a group/capacity.
• Intranet: Assign, revoke Intranet privileges to users or group/capacities. Three Roles are available. They are discussed in paragraph 3.2.3 Intranet.
• Admin: Assign, revoke Admin privileges to users or group/capacities on: Everything, Startcenter, Page Manager, File Manager, Module Manager, Account Manager, Configuration Manager, Statistics and the various Tools. Admin is discussed in paragraph 3.2.4 Admin.
• Page Manager: Assign, revoke Page Manager privileges to users or group/capacities using fine grained RBAC (Role Based Access Control). The Page Manager is discussed in paragraph 3.2.5 Page Manager.
• Role Based Access Control: (RBAC) Seven Roles for management the site, areas, sections and pages. Each role grants access to defined privileges. RBAC is discussed in paragraph 3.2.5 Page Manager.
• Breadcrumb trail: The breadcrumb trail at the top of the workplace are clickable links to facilitate navigation.

1.2 Assumptions

This chapter elaborates on other chapters. We assume you have read and done the General part of the Table of Contents.

(top)

2. Account Manager overview

To enter the Account Manager, please click on its icon to open the Account Manager dialogue:
accountmanager_account_manager_overview.png

The opening screen is split in two parts:

• Menu pane: Depending on the task you are performing, clickable links in the Menu give access to several options in the Workplace.
  • Users: The clickable link gives access to the Users Manager.
  • Groups: The clickable link gives access to the Groups Managager.
• Workplace pane: Where options can be edited.

After opening the Account Manager, the Account Manager overview shows a summary of active, inactive and total number of users and groups.

2.1 Users: introduction

There are three types of users in Website@School:

1. Regular visitors of the site and areas, having no account to log in anywhere,
2. users with an account with permissions only to read Private Area(s) (i.e.Intranet(s)) and
3. users with an account that permits them to perform management tasks in Website@School.

NOTICE:
Regular visitors (1) are just visitors, having no access at all.
Users with Intranet access (2) can login via the site, i.e. via index.php.
Users (3) with enough permissions to do management tasks can login via the login dialogue, i.e. admin.php.

A user with only Intranet read permissions, accidentally trying to log in via admin.php, is logged in, but encounters the Access denied dialogue:

accountmanager_account_manager_access_not_valid.png

The user can now either:

• Select the public area and access her Intranet(s) via the 'Select Area' dropdown menu, because she is already logged in, or
• select to login, whereafter she is directed to the login dialogue to login with another name that has sufficient permissions.

NOTICE:
Newly created users, whose access permissions are forgotten to be set, receive the same Access denied message. This results in a complaining user.

Logging in can be done via index.php and admin.php. When switching from the site to management or vice versa, the user does not have to login again. When logging out on the site, the user is also logged out in Website@School management and vice versa.

Time to do some real work. Clicking the Users link opens the Users dialogue:

accountmanager_account_manager_users.png

Explanation:
Menu: The selected link is underlined.

• All users (9): Every user always belongs to the All users group.
• No group (1): Those users that do not belong to any other group besides All users can be found in the 'group with no group'. Newly created users are found here. Once a user in the No group is added to a 'real' group, his membership from No group ends.
• faculty (3) : Users can be a member of one or more groups, for example, Team, Juniors, Seniors, Faculty, et cetera. In that group that user has a certain capacity.
• juniors (3): See previous group.
• et cetera

Note that the total number of users in all groups (23) far exceeds the number of users (9). A user can be a member of zero, one or more groups. For example, the existing user Helen Parkhurst, login name hparkh can be found as a member in 4 places:

1. Under All users,
2. under Faculty as Member,
3. under Juniors as Teacher,
4. under Team as Member.

Or, in other words, every user occurs at least twice in this list. Once under All Users and once under No group, or at least once in another group.

For even easier navigation, note that it is also possible to navigate to a user account if you know to which group the user belongs.

Users:

• You are here: accounts > users > all users: breadcrumb trail links permit easy navigation.
• Add a user: Clickable link to the Add a new user dialogue. This subject is discussed in paragraph 3.1 Add a new user
• Trashcan icon: Clickable link to delete a user account. This subject is discussed in paragraph 3.3 Delete a user account
• Pencil icon: Clickable link to edit the Basic properties of the user account. This subject is discussed in paragraph 3.2.1 Basic
• Full Name (username): A clickable link also giving access to the Basic properties of the user account.

2.2 Groups: introduction

Groups, and the closely related subject Capacities are a rather complex subject. To take full advantage of the nearly endless possibilities of Website@School's Role Based Access Control (RBAC), we strongly advise you to not skip this paragraph in which we give some examples on its possibilities.

A group is a collection of users, also called the members of a group. Members of a group share space (called a 'folder' or a 'directory') where files can be stored, or space like areas, sections and pages where content is stored.
A group is always divided into 1 or more so-called 'capacities'. A user's group membership is always associated with exactly one capacity within that group. The group member's capacity is used to grant privileges, for exampe to manage (parts of) the Page Manager or the Translate tool.

File Manager example
Group members can easily create links to existing files in the group storage space from their web pages (via the Insert/Edit button in the FCK Editor), provided they have sufficient privileges for the Page Manager. Group members can upload files to this storage space, but only if they have sufficient privileges for the File Manager.

Example:
Andrew Reese and Catherine Hayes are members of the group 'Seniors' in the 'Pupil' capacity. Maria Montessori is also a member of the group 'Seniors' but in the 'Teacher' capacity. If Maria has access to the File Manager, she can upload files to the storage space of the group 'Seniors'. If other group members like Andrew and Catherine have access to the Page Manager (but not the File Manager), they can use the files Maria uploaded, but they cannot upload files themselves.

Page Manager example
Assume that Helen Parkhurst (the teacher of the Juniors) initially has no permissions whatsoever. This means that her account hparkh:
- is not associated with any group/capacity (Groups),
- has no privileges with any Private Area (Intranet),
- has no administrator privileges (Admin), let alone permissions to manipulate pages (Page Manager).

By associating her account hparkh with the group Team in the Member-capacity, she inherits all permissions associated with the combination Team/Member. These permissions could include read access to the Private Area containing the Team Intranet.

If subsequently she is also associated with the group Juniors in the Teacher-capacity, she enjoys all privileges associated with the Teacher-capacity of the Juniors-group too. This privileges could include access to the File Manager and access to the Page Manager (say as Areamaster) limited to the (protected) Juniors Intranet.

Her pupils may also be associated with the group Juniors but in the Pupil-capacity rather than the Teacher-capacity. Privileges associated with this Pupil-capacity could be limited to viewing pages in the protected Juniors-area, whereas the Teacher-capacity would allow for adding and editing pages to that (protected) area.

The bottom line is that the combined permissions for Helen Parkhurst consist of the combination of:
- those of the user account hparkh itself (no permissions), and
- Team/Member (Team Intranet), and
- Juniors/Teacher (File Manager, Page Manager for Juniors Intranet).

To expand the above example: When, next year, Helen becomes Teacher for the Seniors, it is very easy to end her membership of the Juniors Private Area, make her a member of the Private Area of the Seniors and give the new teacher Ovide Decroly the Teacher capacity of the Juniors.

About the relationship between users, groups and capacities:

1. A user can be given zero, one or more privileges. For example the privilege to edit a certain page.
2. A user can be a member of zero, one or more groups in a certain quality, i.e. capacity.
3. Each group is constructed out of one or more parts (subgroups) named capacities. The membership of 1 user to a group implies also the connection to exactly 1 of the capacities of that group.
4. To a group/capacity can be given zero, one or more privileges, for example the privilege to manage a certain section.

To summarize this complex issue in other words:
A group is a collection of capacities. Each capacity consists of a set of certain permissions. Each user belonging to a group, can have one capacity in that group. A user can be a member of more groups, having different privileges in each group.

NOTICE:
Capacity names can be changed to other preferences. Example: If your institution dislikes words like 'Principal', 'Teachers' and 'Pupils' but prefers 'Manager', 'Facilitator' and 'End Users', the label names can be changed. See chapter Tools, paragraph 3.5 Small language adaptations.

accountmanager_account_manager_groups.png

Explanation:
Menu:

• Users: Discussed earlier, see above
• Groups: The selected link is underlined.

Groups:

• You are here: accounts > groups: breadcrumb trail links permit easy navigation.
• Add a group: Clickable link to the Add a new group dialogue. This subject is discussed in paragraph 4.1 Add a new group
• Trashcan icon: Clickable link to delete a group. This subject is discussed in paragraph 4.5 Delete a group
• Pencil icon: Clickable link to edit the Basic properties of the group. This subject is discussed in paragraph 4.1.1 Edit a group
• groupname: A clickable link also giving access to the Basic properties of the group.
• (Capacity1, Capacity2, Capacityn): Each capacity name is a clickable link giving access to the list of users belonging to that capacity. The names of the users are also clicable links, giving access to the Basic Properties of the user's account.

(top)

3. Users

In this paragraph we create a user account, grant the user access permissions and make the user a member of an existing group. The creating of new groups is discussed in 4. Groups and capacities

3.1 Add a new user

In the opening screen of the Account Managers Menu, click the Users link to open the Users dialogue:
accountmanager_account_manager_users.png

To add a new user, click in the Users pane the Add a user link to enter the Add a new user dialogue:

accountmanager_account_manager_users_add_user.png

The Add a new user dialogue is shown.

Explanation:

• Name: Enter the login name for the new user. For example: odecrol.

  NOTICE:
  The login name consists of maximum 16 characters: lower case (a-z), digits (0-9), underscore (_) and starts with a letter. A username can only occur once.

  NOTICE:
  Since the name of the user's Data Folder is derived from his user name and the name of the Data Folder cannot be changed afterwards, it is important to make a good choice here. If you decide to change the user's user name later on, it may be difficult or confusing to have the 'old' Data Folder name and the 'new' user name.

• Password: Website@School does not accept simple passwords like 'helen' or 'maria2'. These simple passwords are easy to guess and using them endangers your complete system and the data. Passwords must have certain properties to make them difficult to guess. A Website@School password must:
  • have at least a minimum length of 6 (six) characters,
  • have at least 1 (one) uppercase character (A-Z).
  • have at least 1 (one) lowercase character (a-z).
  • have at least 1 (one) digit (0-9)
  • preferably have special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.', question mark '?' and exclamation mark '!'.

  It is also a good idea to choose a password of more than 6 characters long. Here is an example.
  A good password is 'Mrbh3ws!' (omit the quotes). This password is easy to remember when you know it stands for the sentence: "My red bike has 3 wheels!". However, and that makes it a good password, it's very difficult to guess when you do not know the sentence. This sentence trick is an easy way for pupils to create difficult passwords and remember them.

  NOTICE:
  When your password does not meet the requirements, you get a warning message and you can enter an improved password.

• Confirm password: Exactly retype the password.
• Full name: The full name of the owner of this account. For example: Ovide Decroly.
• E-mail: Enter the e-mail address of this user. This e-mail address is used when the user has forgotten his password and is also used for sending alert messages. For example: o.decroly@exemplum.eu.
• Active user [  ] Mark this user as active:
  - Active: a user, group or area must be active before any files can be served.
  - Inactive: if a user, group or area is inactive, it is as if they do not exist. But, the rule of thumb is: everything is public except what is not public, so please read the notice below.

  NOTICE:
  1. In general any file in the data folder of any active user, any active group or any active public area can be retrieved by anyone as long as the name of the file is known.
  2. If a user, group or area is inactive, no files can be retrieved, even if the name of the file is known. In other words: once a user, group or area is inactive, to a visitor it appears that the account or the area no longer exists and that neither the files appear to exist anymore.

  NOTICE:
  The same active/inactive conditions also apply to pages in areas. Once an area is inactive, to a visitor it appears that the pages in that area no longer exist. Even if the URL of the page is known, the page cannot be retrieved.

• Save: To save your results and return to the list of users. The user is added.
• Cancel: To cancel your action and return to the list of users.

After clicking [Save], the user is added to the list:
accountmanager_account_manager_users_user_added.png

The user is added to the All users group (now 10 users) and the No group (now 2 users). The last group contains the users that do not (yet) belong to a group. Adding a user to a group is discussed in 3.2.2.1 Add a user to a group/capacity.

In the next paragraph we will discuss the users access permissions.

3.2 Edit user properties and grant access permissions

When a new user is added he has no permissions at all. This is a security feature. The user can, like everyone, visit the Public Areas.
The permissions for a user are set in five places:

• Basic: Handles the personal settings of the user, notably the acitve/inactive permission. It is set in the Edit user username (Full Name) dialogue, described in paragraph 3.2.1 Basic.
• Groups: The users membeships of groups. These are set in the Memberships username (Full Name) dialogue, described in paragraph 3.2.2 Groups/capacities.
• Intranet: Access and permissions to Intranet(s) for this user. These are set in the Internet access: username (Full Name) dialogue, described in paragraph 3.2.3 Intranet.
• Admin: Access to the different managers, modules and tools. These are set in the Administrator permissions: username (Full Name) dialogue, described in paragraph 3.2.4 Admin.
• Page Manager: This link becomes visible when the user is given access to the Page Manager in Admin. The Page Manager gives access to the areas, sections and pages for this user and his roles in them. These are set in the Page Manager permissions: username (Full Name) [nn-nn of nn] dialogue, described in paragraph 3.2.5 Page Manager.

3.2.1 Basic

To edit the Basic properties of the user account, click its pencil icon or the user name. This opens the Edit user username (Full Name) dialogue:

accountmanager_account_manager_edit_user-top.png
accountmanager_account_manager_edit_user-bottom.png In the Menu the Basic link is selected (underlined).

Explanation:

• Name: The login name the user. A username consists of maximum 16 characters: lowercase (a-z), digits (0-9), underscore (_)and starts with a letter. A username can only occur once.

  NOTICE:
  The user name can be changed, but that's not a good idea because the name of the data directory cannot be changed.

• Password: To renew the password. The old password is not visible. This is a security feature. A good password must:
  • have at least a minimum length of 6 (six) characters,
  • have at least 1 (one) uppercase character (A-Z).
  • have at least 1 (one) lowercase character (a-z).
  • have at least 1 (one) digit (0-9)
  • preferably have special character like: at-sign '@', hash '#', dollar '$', percentage sign '%', caret '^', ampersand '&', asterisk '*', left parenthesis '(', right parenthesis ')', dash '-', underscore '_', plus '+', equals '=', left curly brace '{', right curly brace '}', opening bracket '[', closing bracket ']', semicolon ';', slash '/', dot '.', question mark '?' and exclamation mark '!'.
• Confirm password: Retype the password.
• Full name: The full name of the owner of this account. This name can be changed.
• E-mail: Enter the e-mail address of this user. This e-mail address is used when the user has forgotten her password.
• Active user [  ] Mark this user as active:
  - Active: a user, group or area must be active before any files can be served.
  - Inactive: if a user, group or area is incatve, it is as if they do not exist. But, the rule of thumb is: everything is public except what is not public, so please read the notice below.

  NOTICE:
  1. In general, any file in the data folder of any active user, any active group or any active public area can be retrieved by anyone as long as the name of the file is known.
  2. If a user, group or area is inactive, no files can be retrieved, even if the name of the file is known. In other words: once a user, group or area is inactive, to a visitor it appears that the account or the area no longer exists and that neither the files appear to exist anymore.

  NOTICE:
  The same active/inactive conditions also apply to pages in Areas. Once an Area is inactive, to a visitor it appears that the pages in that area no longer exist.

• Redirection (where to go after logout): If nothing is filled out, after logging out the user is redirected to the login dialogue. If an (URL) Universal Resource Locator is specified, the user is redirected to that location.

  NOTICE:
  This feature can be useful for users who are only interested in particular areas, sections or just a page. After logging out they can thus end on their favorite page, or on the home page or some other place they prefer.

• Language: The dropdown menu shows the languages available for this user. The language names are shown in their own language. After selecting another language, it becomes available for the user after the next log in.

  NOTICE:
  The language of the login dialogue is defined in the Configuration Manager section 4. Site.

  NOTICE:
  It is also possible to set the language of the login dialoge with the language=ll option, for example: http://exemplum.eu/admin.php?language=es for Spanish.
  If you bookmark this URL, you enter the login dialogue in your preferred language. This trick can also be used with the redirect feature, described above.

• Enable text interface [  ] High visibility: This feature is for visually impaired or blind persons and can be used in conjunction with a braille terminal or screen reader.
• Editor: The dropdown menu gives access to available editors for this user. At this moment a WYSIWYG (What You See Is What You Get) editor and a plain HTML editor are available.
• Skin: The skin defines the look and feel of the management interface. Changing the skin takes effect after a new log in. At this moment the follwoing skins are available:
  accountmanager_account_manager_skins.png

  Please take a peek at the available skins in paragraph 5. Skins for an overview.

  NOTICE:
  An interesting feature. After login via admin.php, you can change skins 'on the fly'. In the browsser enter one of the following URL's:

  http://exemplum.eu/admin.php?skin=base http://exemplum.eu/admin.php?skin=textonly http://exemplum.eu/admin.php?skin=braille http://exemplum.eu/admin.php?skin=big http://exemplum.eu/admin.php?skin=lowvision

• Data folder (pathname cannot be changed): The data folder name was derived from the initial username and cannot be changed afterwards.
• Save: To save your results and return to the list of users.
• Cancel: To cancel your action and return to the list of users.

After saving your work, you return to the list of Users where the user is added in the form of Full Name (username).

3.2.2 Groups/capacities

In this paragraph we will add the user to an already existing group. The creation and management of Groups is discussed in paragraph 4. Groups.

3.2.2.1 Add a member to a group/capacity

The user can be made member of one or more groups. To add a member to a group, go to the Account Manager overview and in the Menu click the Users link to enter the list of Users dialogue. Select the user by clicking on the pencil icon to enter the Edit user username (Full Name) dialoge.
Next, in the Menu click the Groups link, to enter the Memberships username: (Full Name) dialogue:
accountmanager_account_manager_user_memberships_none.png

In the Menu the Groups link is underlined. In the workplace can be seen that the user is not a member of any group.
Click Add a group membership to enter the Add a group membership to user username: (Full Name) dialogue:

accountmanager_account_manager_user_group_add_membership.png

Ovide Decroly is a new teacher, so we make him a member of the group 'faculty' in his capacity as Member. Open the dropdown menu and select faculty/Member. Next click [Save] to save your work and return to the list of Memberships username: (Full Name) dialogue:

accountmanager_account_manager_user_group_membership_added.png

The user is now a member of the group:
groupname (Short description of group) / Capacity

Now check Ovide's Intranet permissions by clicking in the Menu the Intranet link to enter the Intranet access: username(Full Name) dialogue:

accountmanager_account_manager_user_group_member_intranet.png

Observe that in Intranet access: username (Full Name) under Related Ovide is a member of the group 'faculty' with capacity Member and has Access permissions to the Exemplum Intranet.

NOTICE:
If "faculty/Member Access" is not visible, these permissions were not yet set for that capacity. Please set the permission via: Account Manager > Groups > Group name > Capacity Name > Intranet/Admin/Page Manager.

NOTICE:
Adding a user to a group/capacity has the advantages that in one go all permissions are set. This saves work and prevents errors.

NOTICE:
Files in a group directory are publicly accessible when the file and path names are known.

3.2.2.2 Take away a membership from a group/capacity

To take a way a membership from a group/capacity, go to the Account Manager overview, click the Users link to enter the list of Users dialogue. Select the user by clicking on the pencil icon to enter the Edit user username (Full Name) dialoge. Next, in the Menu click the Groups link, to enter the Memberships username: (Full Name) dialogue:
accountmanager_account_manager_user_group_membership_take_away.png

In the Menu the Groups link is underlined.

NOTICE:
There is no warning message, the membership of a group is immediately terminated after clicking the Trashcan icon. However, it is easy enough to reinstate the group membership by repeating the procedure in paragraph 3.2.2.1 Add a member to a group/capacity.

To terminate this users membership from a group, click the Trashcan icon associated with the group/capacity.
Only the membership of the group is removed; the group itself remains existent.

3.2.2.3 Change a members capacity in a group

If you need to change a users capacity in a group, first take away his membership from a capacity before giving him another capacity. Remember, a member can only have one capacity in a group.

3.2.3 Intranet

To grant an user access permissions to one or more Intranet(s), click the Intranet link to open the Intranet access: username: (Full Name) dialogue:
accountmanager_account_manager_user_intranet.png

In the Menu, the Intranet link is underlined.

NOTICE:
Take care! Do not accidentaly grant a user Guru permissions to 'All current and future private areas' (Intranets)! It's best to grant this permission only to Wilhelmina Bladergroen, the webmaster of the Exemplum Primary School, or to Amelia Cackle.

The Intranet permissions are:

• None: Null, nothing: this role corresponds to no permissions at all.
• Access: Intranet access granted: private areas can be visited. This is the normal permission for visitors that may only read (parts of) an Intranet.
• Guru: Everything: this role provides all possible permissions, perhaps even more.

3.2.4 Admin

A user can be granted permissions to different Website@School management tools. Click the Admin link to open the Administrator permissions username: (Full Name) dialogue:

accountmanager_account_manager_user_admin_administrator_permissions-top.png
accountmanager_account_manager_user_admin_administrator_permissions-bottom.png

In the Menu the Admin link is underlined.

Explanation:

• Guru (All permissions): Take care! This is the most dangerous permission. If this permission is set, it is not necessary to set any other permission in the list. The user has all permissions.
• Startcenter (Basic administrator): This permission is necessary to access the Webiste@School Startcenter Welcome page. This permission is necessary for all underlaying permissions. This is a useful feature for temporarily blocking the selected permissions for that user.
• Manipulate pages and sections (Page Manager): Gives access to the Page Manager where sections and pages managed.
  When this option is selected, the Page Manager link is added to the users Menu.
• Upload files (File Manager): Gives access to the File Manager, according the permissions set in the Page Manager.
• Module administration (Module Manager): Permits changing the default settings of modules and themes. This feature is not yet implemented (v. 0.90.3).
• Users and Groups (Account Manager): Gives access to the Account Manager [1].
• Site configuration and area manager (Configuration Manager): Gives access to the Configuration Manager.
• Pageviews and performance (Statistics): Gives access to the Statistics.
• Tools (Translations): Gives access to the Translate Tool.
• Tools (Backups): Gives access to creating backups.
• Tools (Log Viewer): Gives access to viewing the log files.
• Tool (Update Manager): Gives access to the Update Manager.
• Save: To save the permissions and return to the basic properties dialogue.
• Cancel: To cancel your action and return to the basic properties dialogue.

[1]
NOTICE:
Checking the Users and Groups (Account Manager) is equivalent to Guru permisions! Because in the Account Manager someone can promote himself (or someone else) to Guru.

Most of the items speak for themselves. Notice that Ovide Decroly has permissions to the Start Center, the Page Manager and Upload Files.

3.2.5 Page Manager

The user's or group/capacity permissions to the Page Manager are set according to Roles. Roles are sets of permissions. Seven Roles are available for managing the site, areas, sections and pages. Below the Roles and their permissions are described in ascending order:

1. --: Null, nothing: this role corresponds to no permissions at all. This is the default setting except for the person that installed Website@School, who has Guru (all) permissions.
2. Contentmaster: Only page content can be modified.
3. Pagemaster: Page properties and page content can be modified.
4. Sectionmaster: Section properties can be modified and subsections and pages can be added.
5. Areamaster: Area properties can be modified and top-level sections and pages can be added. Top level, in this case, means the sections and pages visible in the menu bar of a theme. The possibility to add a top-level section or page influences the number of items in the main menu of an area (the horizontal top row in themse like Frugal or Rosalina). A page in a section or a section in a section is not a top-level page or section.
6. Sitemaster: Site properties can be modified and areas, sections and pages can be added.
7. Guru: Everything: this role provides all possible permissions, perhaps even more.

The table below shows the permissions associated with the various Roles. Note that the 'Null'-role is left out because this Role never has any permissions at all. Also note that the Guru-role is left out because this Role always has all permissions.

 

	Content- master	Page- master	Section- master	Area- master	Site- master
Content C of page P in section S or area A	X	X	X	X	X
Page P in section S or area A	-	X	X	X	X
Section S in area A	-	-	X	X	X
Area A	-	-	-	X	X
All current and future areas	-	-	-	-	X

Legend:
'-' means not allowed,
'X' means allowed.

Example:
A pupil is given the Contentmaster permission and his teacher gets the Pagemaster permission. The combination enables the pupil to only create content on an invisible or inactive page, given to him by the teacher. The teacher can modify the content, make the page visible or set embargo/expiry dates with her Pagemaster permissions.

When, in the previous paragraph 3.2.4 Admin, the Page Manager was selected, the Page Manager link is added to the Menu of the Edit user username (Full Name) dialogue:

accountmanager_account_manager_edit_user_pagemanager_adeed-top.png

In the Menu, select Page Manager to open the Page Manager permissions: username (Full Name) [nn-nn of nn] dialogue:

accountmanager_account_manager_edit_user_pagemanager.png

Now we can grant Ovide Decroly Page Manager permissions. He is new to Website@School so we grant him Guru permissions in the sandbox, i.e. the Exemplum inactive Area. No one will see what goes on there.

accountmanager_account_manager_edit_pagemanager_expanded.png

NOTICE:
TAKE CARE! Do not accidentally give a user permissions to 'All current and future areas'.

Notice the You are here: breadcrumb trail, indicating where you are and facilitating navigation. The Page Manager permissions: username (Full Name) [nn-nn of nn] can indicate that the list of Intranets is longer than shown. The View: at the bottom of the page facilitates easy jumping to other page(s).
Also notice the opened Area 3: Ovide not yet has any pages.

Explanation:

• Realms: In the Page Manager the user permissions for a specific realm, i.e. the areas, its underlying sections, subsections and pages can each have a specific Role attached to it.
• Roles:
  • --: Null, nothing: this role corresponds to no permissions at all.
  • Contentmaster: Only page content can be modified.
  • Pagemaster: Page properties and page content can be modified.
  • Sectionmaster: Section properties can be modified and subsections and pages can be added.
  • Areamaster: Area properties can be modified and top-level sections and pages can be added
  • Sitemaster: Site properties can be modified and areas, sections and pages can be added.
  • Guru: Everything: this role provides all possible permissions, perhaps even more.

    NOTICE:
    Please remember the ascending permissions table earlier discussed.

• Save: To save the permissions and return to the basic properties dialogue.
• Cancel: To cancel your action and return to the basic properties dialogue.
• View: By clicking on Previous 1 Next All, you can navigate trough the (sometimes long) list of areas, sections and pages.

3.3 Delete a user account

To delete a user account, go to the Account Manager, click on the Users link to open the list of Users dialogue:
accountmanager_account_manager_users_with_odecrol.png

Click on the Trashcan icon to open the Confirm delete of user username (Full Name) dialogue:

accountmanager_account_manager_delete_user_account.png

Click [Delete] to delete this user account or [Cancel] on second thoughts.

NOTICE:
By deleting the user account, all ACL's (Access Control Lists) all records from the database of this user and all data associated with this user are deleted.
An access control list (ACL) is a list of permissions attached to users, to processes and to operations. Each entry in a typical ACL specifies a subject and an operation. For example, When a teacher leaves the school, his user account is deleted, as well as his membership of the group team and his access permissions to read certain pages in the Intranet.

NOTICE: The users directory and (sub)directories, files and the user directory itself are not deleted. This is a feature to retain eventual links to pages. If you really want to delete all directories, subdirectories and files, you must that before deleting the user account itself. Deleting files can cause broken links. The empty data directory itself is not deleted.

NOTICE:
1. In general any file in the data folder of any active user, any active group or any active public area can be retrieved by anyone as long as the name of the file is known.
2. If a user, group or area is inactive, no files can be retrieved, even if the name of the file is known. In other words: once a user, group or area is inactive, to a visitor it appears that the account or the area no longer exists and that neither the files appear to exist anymore.

NOTICE:
Bear in mind that everything that is in a public area is publicly accessible once a visitor knows the file path to a file. If you need a protected place for files, use an Intranet. Rule of thumb: everything is public except what is not public.

(top)

4. Groups and capacities

When discussing this paragraph we assume you have read paragraph 2. Account Manager overview, in which groups and capacities are explained and examples are given. In paragraph 3. Users, the Groups, Admin and Page Manager were discussed, but now they are treated from a different perspective, i.e. a group as a collection of permissions, given to a user.

Just one example to illustrate the power of the group/capacity feature. You can grant 20 parents each permissions to only read the Parents Intranet (Role: Access) and also grant them permissions to do 'everything' (Role: Guru) in just one section of the Parents Intranet. This is a lot of dumb work and error prone, doing the same mouse clicks 20 times over.
It's much easier to create a group 'Parents', set the capacities once, as described above - carefully check your work!- and make 20 parents member of the Parents Intranet.
It's also easy to change, add to or remove capacities or users from an existing group.

4.1 Add a new group

After clicking the Account Manager icon, you are on the Account Manager overview:
accountmanager_account_manager_overview_user_added.png

In the Menu, click the Groups link to enter the Groups dialogue:

accountmanager_account_manager_group_open.png

Clicking the Add a group link opens the Add a new group dialogue.

accountmanager_account_manager_group_add_group-top.png

Explanation:

• Name: Enter the name for the new group. Example: parents.

  NOTICE:
  The group name consists of maximum 16 characters: lowercase (a-z), digits (0-9), underscore (_)and starts with a letter. A group name can only occur once and cannot be changed. The group name is also used to create the group data directory.

• Description: A short description of the group.
• Active group [  ] Mark this group as active:
  - Active: a user, group or area must be active before any files can be served.
  - Inactive: if a user, group or area is inactive, it is as if they do not exist. But, the rule of thumb is: everything is public except what is not public, so please read the notice below.

  NOTICE:
  1. In general any file in the data folder of any active user, any active group or any active public area can be retrieved by anyone as long as the name of the file is known.
  2. If a user, group or area is inactive, no files can be retrieved, even if the name of the file is known. In other words: once a user, group or area is inactive, to a visitor it appears that the account or the area no longer exists and that neither the files appear to exist anymore.

  NOTICE:
  The same active/inactive conditions also apply to pages in areas. Once an area is inactive, to a visitor it appears that the pages in that area no longer exist. area no longer exist.

In the bottom part of the Add a new group dialogue the capacities can be selected:
accountmanager_account_manager_group_add_group-bottom.png

Explanation:

• Capacity1 to 8 : A group can have one or more capacities with a maximum of 8.
  Use the dropdown menu to select one or more capacities from hte list.
• Labels: Opening the dropdown menu shows the list of 19 labels (names) that can be given to a capacity. The list suggests some capacities. The label names can easily be changed to the institutional preferences. See the Tools chapter, paragraph 3.5 Small language adaptations paragraph how to change the label names.
• Save: To save your results and return to the groups list.
• Cancel: To cancel your action and return to the groups list.

After selecting one or more capacities, click [Save], where after the, group and its capacities are added to the list:
accountmanager_account_manager_group_added.png

In the list, next to the Trashcan and the edit icon the name of the new group and the capacities are visible:
groupnname (Capacityname1, Capacityname2, ..., Capacityname8).
Both the pencil icon and the groupname lead to the Basic Properties dialogue. The names of the capacities are direct links to dialogues where permissions can be assigned to that capacity.

4.2 Edit a group

To edit the properties of a group, open the Groups list. Click on the pencil icon or the name of the group to edit the Basic properties in the Edit a group dialogue:

accountmanager_account_manager_edit_group-top.png
accountmanager_account_manager_edit_group-bottom.png

In the Menu is visible:

• Basic properties: The basic properties of the group can be edited in Edit a group, discussed in 4.2.1 Basic.
• Member: The name is a clickable link to the permissions for that capacity, discussed in 4.2.2 Capacities 1-8
• ...
• Capacity 7: see above
• Capacity 8: see above

4.2.1 Basic properties

Explanation:

• Name: A group name can only occur once and cannot be changed. The group name is also used to create the group data directory.
• Description: A short description of the group.
• Active group [  ] Mark this group as active:
  - Active: a user, group or area must be active before any files can be served.
  - Inactive: if a user, group or area is inactive, it is as if they do not exist. But, the rule of thumb is: everything is public except what is not public, so please read the notice below.

  NOTICE:
  1. In general any file in the data folder of any active user, any active group or any active public area can be retrieved by anyone as long as the name of the file is known.
  2. If a user, group or area is inactive, no files can be retrieved, even if the name of the file is known. In other words: once a user, group or area is inactive, to a visitor it appears that the account or the area no longer exists and that neither the files appear to exist anymore.

  NOTICE:
  The same active/inactive conditions also apply to pages in areas. Once an area is inactive, to a visitor it appears that the pages in that area no longer exist. area no longer exist.

• Capacity1-8: Capacities can be added or removed.

  NOTICE:
  Once you remove a capacity from a group in this Basic Properties dialogue, all users that were members of the group in that capacity are no longer associated with that group/capacity.

• Data folder (cannot be changed): Greyed out thus unchangeable.
• Save: To save your results and return to the groups list.
• Cancel: To cancel your action and return to the groups list.

4.2.2 Capacities 1-8

Clicking on one of the capacity names in the Menu opens the Overview: groupname - capacity name dialogue:
accountmanager_account_manager_group_capacity_overview.png

• Overview: , discussed in 4.2.1 Basic properties.
• Intranet: Acess permissions for Intranet, discussed in 3.2.3 Intranet
• Admin: Acess permissions for Admin, discussed in 3.2.4 Admin
• Page Manager: This link becomes available when in Admin the Page manager was selected. The Page Manager is discussed in 3.2.5 Page Manager

4.3 Add a user to a group/capacity

This subject is discussed in paragraph 3.2.2.1 Add a user to a group/capacity

4.4 Delete a group

To delete a group, go to the Account Manager, click on the Groups link to open the list of Groups dialogue:
accountmanager_account_manager_groups_with_parents.png

Click on the Trashcan icon to open the Confirm delete of group groupname (Short description of the group) dialogue:

accountmanager_account_manager_delete_group.png

Click [Delete] to delete this group account or [Cancel] to not create orphans.

NOTICE:
By deleting the group account, all ACL's (Access Control Lists) all records from the database of this group and all data associated with this group are deleted.
An access control list (ACL) is a list of permissions attached to users, to processes and to operations. Each entry in a typical ACL specifies a subject and an operation. For example, When a teacher leaves the school, his user account is deleted, as well as his membership of the group team and his access permissions to read certain pages in the Intranet.

NOTICE:
The group directory and (sub)directories, files and the group directory itself are not deleted. This is a feature to retain eventual links to pages. If you really want to delete all directories, subdirectories and files, do that before deleting the user account. Deleting files can cause broken links. The empty data directory itself is not deleted.

NOTICE:
Bear in mind that everything that is in a public area is publicly accessible once a visitor knows the file path to a file. If you need a protected place for files, use an Intranet. Rule of thumb: everything is public except what is not public.

(top)

5. Skins

accountmanager_account_manager_skins_base.png
accountmanager_account_manager_skins_big.png
accountmanager_account_manager_skins_braille.png
accountmanager_account_manager_skins_lowvision.png
accountmanager_account_manager_skins_textonly.png
0textonly.png

(top)

6. Concluding remarks

Main points in this chapter:

• Take care not to give Guru permissions to the wrong user.
• Creating groups/capacities and making users a member to a capacity is the easiest way of giving permissions to individual users.

(top)

Author: Dirk Schouten <schoutdi (at) knoware (dot )nl>

Last updated: 2012-02-27