Menu
▾
▴
Re: [Unity-idm-discuss] Group administrator role
|
From: Sander A. <sa....@fz...> - 2020-09-03 08:05:02
|
Dear Krzysztof, On Fri, 2020-08-28 at 19:39 +0200, Krzysztof Benedyczak wrote: > Dear Sander, > > W dniu 27.08.2020 o 10:09, Sander Apweiler pisze: > > Dear Krzysztof, > > I try to explain it. We start with one group, let's call them HIP. > > Within this group several projects are funded and the projects have > > different lifetimes and different resources. The people who are > > working > > in the projects are very volatile, that there is an ongoing adding > > and > > removing users from the projects. The projects are subgroups in > > unity. > > > > So the idea is to have a HIP-manager who creates the subgroups > > (projects in HIP) within the HIP group. The information about the > > funded projects, e.g. lifetime, or PI, is only known within the HIP > > group for this reason the handling of the subgroups should be > > handled > > to the HIP-group. Because the HIP-manager is not involved in the > > daily > > project work and membership updates are delayed if the HIP-manager > > needs to update it, the plan is to have project-managers that do > > the > > membership-management in their own projects (unity subgroups). > > Because > > different resources are bounded to (sub-)group membership we want > > to > > prohibit the manipulation of other subgroups where the project- > > manager > > is not member or the parent group we want to have the hierarchical > > administration permission. The GDPR is another issue why project- > > managers should not have access to the full tree. > > > > The process of creating and deleting projects within HIP (subgroups > > in > > unity) is ongoing. For this reason we can't do an initial > > delegation to > > HIP to create the subgroups, revoke revoke the delegation after it > > and > > delegate the subgroup management. > > > > The HIP-group is only one, we will have multiple of such groups. > > The > > manual subgroup creation and delegation creation does not scale > > very > > well for the unity administrators. The fast increasing number of > > registration and enquiry forms is another issue. If unity can > > handle > > this can be estimated by you much better. > > > > Hopefully this explains why the suggestion to delegate the > > subgroups > > does not fit for our use case. > > Thanks for the explanation, I guess I understand where this problem > is. > Let me ask one follow on question, to confirm my understanding. > > So let's imagine that the main unity admin created HIP and delegated > its > management to some HIP-wide admin. > > Now the HIP admin will add/remove projects under HIP from upman what > works fine. Let's say the projects under HIP are 'hop' and 'clap'. > > HIP admin wants to delegate hop and clap management to other ppl. But > it > can be done only by the main Unity admin what is cumbersome and is > the > problem described here. > > Did I get this correctly? Yes. The "administrator" of hop and clap should invite the collaborators of their projects. > > > If yes then I, yes we have a feature gap here. We would need > something > like this: > > 1. extra permission (settable by the main unity admin on projects > admin): allow-to-re-delegate-subgroups > > 2. in upman (only for ppl with the permission from the point above) > add > option to delegate subgroup management separately (as a sub project). > > 3. in upman allow to control sub-project admins (what is separate > from > the main project admin) > > 4. internally we would need to take care of deriving all forms for > the > sub project from the main project forms > > That isn't a small change, but also doesn't sounds as something > terribly > complicated. This sounds like the feature we need. Can you send me an estimation? Cheers, Sander > > > Best > Krzysztof > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
