Permissions for logged in users


Elizabeth McManus

May 8, 2018, 5:13:37 PM
to AtoM Users
Hi

I'm working on our permissions and I'm just looking for clarity. We are using 2.3.1.

As I understand it now, the PREMIS permissions only apply to an anonymous user (not logged in). As soon as I give someone a user name they have full access or have no access to digital objects as I can grant or deny them, and any PREMIS permissions are overridden. Is that correct?

Are there any plans to develop permissions so that a logged-in user would still be regulated by PREMIS unless I give them more access? Perhaps we will have to think about getting a grant to sponsor this.

Elizabeth
Archivist

xʷməθkʷəy̓əm

Musqueam First Nation

6735 Salish Drive, Vancouver BC, V6N 4C4

emcm...@musqueam.bc.ca


Dan Gillean

May 8, 2018, 6:00:11 PM
to ICA-AtoM Users
Hi Elizabeth, 

You're correct. The PREMIS rights currently operate similarly to how publication status works - that is, a logged-in user will by default have access to viewing draft records, just as they will be able to view digital objects otherwise restricted using PREMIS.

Part of this is practical. As I've mentioned previously in the User Forum, AtoM's permissions module hasn't had a significant update since it was first released, almost 10 years ago now. Then, the use case for ICA-AtoM was mostly small archives, though now we have both small and very large international users. The current module is not really designed for the scalability that most users expect these days, but it will be a major development project for us to overhaul it and so far no one has wanted to sponsor that work. 

Basically, because the permissions module can be so granular and the permissions module works via inheritance, it means that every node on a page has to be checked against multiple levels of possible permissions settings before it can be loaded for display on a page. As you may know, most web browsers have a timeout limit of about 1 minute to prevent long-running requests from consuming all local resources - so this can mean that, with a lot of varying granular permissions set, a page might time out before it even completes loading!

Adding View Draft permissions to all authenticated users (and similarly, view PREMIS-restricted objects) was a way of keeping the base inheritance as simple as possible, so every additional layer of permissions added on top of that has a chance to work without the page timing out. It's a somewhat pragmatic way of trying to work within AtoM's current limitations - it frees up a whole number of baseline things that would otherwise need to be checked node by node before they could be loaded on a page.

There aren't currently any institutions who've contacted us about making PREMIS-based restrictions apply to authenticated users. It could likely be added, but it would take some analysis to determine if we can do it in a way that remains performant without having to overhaul the entire permissions module. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
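
The behaviour described in this thread, as an added example that is not part of the original posts and is not AtoM's code: a simplified Python model in which anonymous visitors are gated by PREMIS, while logged-in users are gated only by explicit grant/deny rules inherited up the hierarchy. All names (`Node`, `can_view_object`, `premis_bypassed`, the sample users and records) are hypothetical, and the rule counter only illustrates the per-node inheritance walk.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One description in the archival hierarchy (constructed sample data)."""
    name: str
    parent: Optional["Node"] = None
    premis_restricted: bool = False           # PREMIS rights restrict the digital object
    acl: dict = field(default_factory=dict)   # user name -> True (grant) / False (deny)


def can_view_object(node, user=None):
    """Return (allowed, rules_checked); user=None models an anonymous visitor."""
    if user is None:
        # Anonymous: the PREMIS restriction is the only gate in this model.
        return (not node.premis_restricted, 1)
    # Authenticated: walk up the hierarchy until an explicit grant/deny is found.
    checked, current = 0, node
    while current is not None:
        checked += 1
        if user in current.acl:
            return (current.acl[user], checked)
        current = current.parent
    # No explicit rule anywhere: the baseline for logged-in users is "allow",
    # and PREMIS is never consulted on this path.
    return (True, checked)


def premis_bypassed(nodes, users):
    """Audit helper: (user, node) pairs where a login sees a PREMIS-restricted object."""
    return [(u, n.name) for u in users for n in nodes
            if n.premis_restricted and can_view_object(n, u)[0]]


# Constructed sample hierarchy: fonds > series > item, plus a second item under fonds.
fonds = Node("fonds")
series = Node("series", parent=fonds, acl={"volunteer": False})
item = Node("item", parent=series, premis_restricted=True)
other = Node("other-item", parent=fonds, premis_restricted=True)

if __name__ == "__main__":
    for pair in premis_bypassed([fonds, series, item, other], ["researcher", "volunteer"]):
        print("PREMIS not enforced for", pair)
```

In this model an explicit deny has to be placed on every branch that holds restricted objects; a deny on `series` does not cover `other-item` under `fonds`.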
