2. Account manager overview
2.1 Users: introduction
2.2 Groups:
introduction
3. Users
3.1 Add a new User
3.2 Edit: User properties, access
permissions, Group/Capacity memberships
3.2.1 Basic: Edit
User username (Full Name)
3.2.2
Groups/Capacities
3.2.2.1 Add a User to a Group/Capacity
3.2.2.2 Remove a User from a Group/Capacity
3.2.2.3 Change a User's Capacity in a Group
3.2.3
Intranet
3.2.4 Administrator
permissions: username (Full Name)
3.2.5 Page
Manager
3.2.5.1 Table: Roles and permissions
3.2.5.1 Edit User username (Full
Name)
3.3 Delete a User account
4. Groups and Capacities
4.1 Add a new Group
4.2 Edit: Group properties,
Capacities, add Users to Capacities
4.2.1 Basic
properties
4.2.2 Capacities
1-8
4.3 Add a User to a
Group/Capacity
4.4 Delete a Group
5. Skins
5.1 Base Skin
5.2 Big Skin
5.3 Braille Skin
5.4 Low vision Skin
5.5 Text Only Skin
In Website@School, we have tried to make account management as simple as possible by implementing a refined Role Based Access Control (RBAC) philosophy for Users and Groups. However this simplicity has one weakness; it is easy to make administrative errors. For example, by accidentally checking one box in a User account, you can incorrectly give that User full access to everything on the web site. So special care must be exercised when managing User accounts!
Website@School has a selection of special fonts and color contrasted properties which Users can request their web pages to be displayed in. These selectable 'skins' can accommodate screen readers, braille terminals or other visual improvement tools. can accommodate screen readers, braille terminals or other visual improvement tools. The skins can be easily customized further to suit almost every visual impairment.
Group | Members |
---|---|
NoGroup [*] | Wilhelmina Bladergroen (wblade) (webmaster) |
Faculty | Amelia Cackle (acackl) (Principal) Helen Parkhurst (hparkh) (Member) Maria Montessori (mmonte) (Member) |
Juniors | Georgina King (georgina) (Pupil) Herbert Spencer (herbert) (Pupil) Helen Parkhurst (hparkh) (Teacher) |
Seniors | Andrew Reese (andrew) (Pupil) Catherine Hayes (catherine) (Pupil) Maria Montessori (mmonte) (Teacher) |
Team | Amelia Cackle (acackl) (Member) Freddie Frinton (ffrint) (Member) Helen Parkhurst (hparkh) (Member) Maria Montessori (mmonte) (Member) |
The opening screen is divided into two parts:
After opening the Account Manager, the Account Manager overview shows a summary of the total active and inactive Users and Groups.
NOTE: Regular visitors (1) are just visitors, having no access
at all.
Users with Intranet access (2) can log in to the web site
using http://exemplum.eu/index.php.
Users (3) with enough permissions to do management tasks can log
in via the management login dialogue using
http://exemplum.eu/admin.php.
A User with only Intranet read permission who tries
to log in using the suffix admin.php
, is allowed to
log in, but receives the Access denied
dialogue:
The User can now either:
NOTE: Newly created Users, whose access permissions were not set, receive the same Access denied message.
Logging in can be done by adding index.php
and
admin.php
suffixes to the web site URL. When
switching from viewing the web site to the management function or
vice versa, the User does not have to log in a second time. When
logging out of the web site, the User is also automatically
logged out of Website@School management function and vice
versa.
Clicking the Users link opens the Users dialogue:
Explanation:
Menu: The selected link is underlined.
NOTE: It is also possible to navigate to a User's account if you know to which Group the User belongs.
NOTE: The total number of Users in all Groups (23) exceeds the actual number of Users (9) defined; a User can be a member of one or more Groups. For example, the existing User Helen Parkhurst with login name hparkh is a member of four Groups:Users:
All Users | faculty | juniors | seniors | team |
---|---|---|---|---|
Amelia Cackle (acackl) | Principal | Principal | ||
Andrew Reese (andrew) | Pupil | |||
Catherine Hayes (catherine) | Pupil | |||
Freddy Frinton (ffrint) | ||||
Georgina King (georgina) | Pupil | |||
Herbert Spencer (herbert) | Pupil | |||
Helen Parkhurst (hparkh) | Member | Teacher | Member | |
Maria Montessori (mmonte) | Member | Teacher | Member | |
Wilhelmina Bladergroen (wblade) |
Notice that Wilhelmina does not belong to any Group/Capacity. She is a member of the No group.
A Group is a collection of Users. Users (or members) of a
Group share a single space (called a 'folder' or a 'directory')
where files can be stored. The files are used in Sections and
pages that the Group has access to.
A Group is always composed of one or more so-called 'Capacities'.
A User within a Group is always associated with only one Capacity
within that Group. The Capacity is what assigns the privileges to
the User, for example to manage (parts of) the Page Manager or
the Translate tool.
File Manager example
Group members can easily create links to existing files in the
Group storage space from their web pages (via the Insert/Edit
button in the (F)CKEditor), provided they have sufficient
privileges for the Page Manager. Group members can
upload files to this storage space, but only if they
have sufficient privileges for the File Manager.
Example:
Andrew Reese and Catherine Hayes are members of the Group
'Seniors' in the 'Pupil' Capacity. Maria Montessori is also a
member of the Group 'Seniors' but in the 'Teacher' Capacity. If
Maria has access to the File Manager, she can upload files to the
storage space of the Group 'Seniors'. If other Group members,
like Andrew and Catherine, have access to the Page Manager (but
not the File Manager), they can use the files Maria uploaded, but
they cannot upload files themselves.
Page Manager example
Assume that Helen Parkhurst (the teacher of the Juniors)
initially has no permissions whatsoever. This means that her
account hparkh
:
- is not associated with any Group/Capacity (Groups),
- has no privileges with any Private Area (Intranet),
- has no administrator privileges (Admin), let alone permissions
to manipulate pages (Page Manager).
By associating her account hparkh
with the Group
Team in the Member-capacity, she inherits all permissions
associated with the combination Team/Member. These permissions
could include read access to the Private Area containing the Team
Intranet.
If subsequently she is also associated with the Group Juniors in the Teacher-Capacity, she enjoys all privileges associated with the Teacher-Capacity of the Juniors-Group too. These privileges could include access to the File Manager and access to the Page Manager (say as Areamaster) limited to the (protected) Juniors Intranet.
Her pupils may also be associated with the Group Juniors but in the Pupil-Capacity rather than the Teacher-Capacity. Privileges associated with this Pupil-Capacity could be limited to viewing pages in the protected Juniors-Area, whereas the Teacher-Capacity would allow for adding to and editing pages in that (protected) Area.
The bottom line is that the total permissions for Helen
Parkhurst consist of the combination of:
- those of her User account hparkh
itself (no
permissions), and
- Team/Member (Team Intranet), and
- Juniors/Teacher (File Manager, Page Manager for Juniors
Intranet).
To expand on the above example: When Helen becomes Teacher of the Seniors next year, it is very easy to end her membership of the Juniors Private Area, make her a member of the Private Area of the Seniors and give the Teacher capacity of the Juniors to the her replacement teacher Mary Astell.
About the relationship between Users, Groups and Capacities:
The table below shows the relationships between the properties of Users, Groups and Capacities. Some properties (among others: data directory, active) belong to Group while others (permissions for Intranet, Admin, etc.) belong to Capacity.
Properties | User | Group | Capacity |
---|---|---|---|
Name | X | X | |
Password | X | ||
Full name | X | ||
Description | X | ||
X | |||
Active | X | X | |
Capacity 1-8 | X | ||
Redirection | X | ||
Language | X | ||
Editor | X | ||
Skin | X | ||
Data directory | X | X | |
Group memberships | X | ||
Intranet privileges | X | X | |
Admin privileges | X | X | |
Page Manager privileges | X | X |
To summarize:
A Group is a collection of Users. A User can only be associated
with a Group via a single Capacity. A Capacity consists of a set
of permissions. Each User within a Group can have only one
Capacity in that Group. A User can be a member of more than one
Group with different Capacities in each Group.
NOTE: Capacity names can be changed. For example, if your institution does not use terms like 'Principal', 'Teachers' and 'Pupils' but prefers to use 'Manager', 'Facilitator' and 'End Users', the label names can be easily changed. See chapter Tools, section 3.5 Small language adaptations.
Explanation:
Menu:
Groups:
To add a new User, click the Add a User link in the Users pane to enter the Add a new User dialogue:
The Add a new User dialogue is shown.
Explanation:
NOTE: The login name consists of a maximum of sixteen characters: lower case (a-z), digits (0-9), underscore (_) and starts with a letter. A username is always unique.
NOTE: Since the name of the User's Data Folder is derived from the username, the name of the Data Folder cannot be subsequently changed. So it is important to make a good choice here. If you decide to change the username later on, it may become confusing to have the 'old' Data Folder name linked to the 'new' username.
It is also a good idea to choose a password of more than six characters long. For example, a good password is 'Mrbh3ws!' (omit the quotes). This password is easy to remember when you know it stands for the sentence: "My red bike has 3 wheels!". But it is difficult to guess when you do not know the original sentence. This sentence trick is an easy way for pupils to create difficult passwords and remember them easily.
NOTE: When the chosen password does not meet the above requirements, a warning message is issued and another attempt to enter an improved password is given.
NOTE: 1. In general any file in the data folder of an
active User, an active Group or an active public Area
can be retrieved by anyone as long as the name of
the file is known.
2. If a User, Group or Area is inactive, no files
can be retrieved, even if the name of the file is known. In
other words, once a User, Group or Area is made inactive, it
appears to a visitor as if the account or the Area, and its
files, no longer exists.
NOTE: The same active/inactive conditions also apply to pages in Areas. Once an Area is made inactive, its pages are no longer viewable. Even if the URL of the page is provided, the page still cannot be retrieved.
The User is added to the All Users Group (now 10 Users) and the No Group (now 2 Users). The last Group contains the Users who do not (yet) belong to a Group. Adding a User to a Group is discussed in 3.2.2.1 Add a User to a Group/Capacity.
User's access permissions will be discussed in the next section.
Explanation:
NOTE: The username can be changed, but the name of its corresponding data folder cannot be changed.
NOTE:
1. In general, any file in the data folder of an active User,
an active Group or an active public Area can be
retrieved by anyone provided the name of the file is
explicitly specified in the Universal Resource Locator
(URL).
2. If a User, Group or Area is inactive, no files
can be retrieved, even if the name of the file is known. In
other words, once a User, Group or Area is inactive, it will
appear to a visitor as if the account or the Area, along with
its files, no longer exists.
NOTE: The same active/inactive conditions also apply to pages within an Area. Once an Area is inactive, it appears to a visitor as if the pages in that Area no longer exist.
NOTE: This feature can be useful for Users who are only interested in particular Areas, Sections or just a page. After logging out they can thus end on their favorite page, or on a web page of some other unrelated web site. See the Redirect module for details.
NOTE: The language used in the login dialogue is defined in the Configuration Manager section 4. Site.
NOTE: It is also possible to set the language of the login
dialogue from the URL with the language=ll option,
for example:
http://exemplum.eu/admin.php?language=es for
Spanish.
If your web site URL is bookmarked with this option, you can
always enter the login dialogue in your preferred
language.
This feature and its screenshots are discussed further in section 5. Skins.
In the Menu, the Groups link is underlined. And in the workplace it
can be seen that the User is not a member of any Group.
Click Add a Group membership to enter
the Add a Group membership to User username:
(Full Name) dialogue:
Mary Astell is a new teacher, so she will be made a member of the Group 'faculty' in her Capacity as Member. Open the dropdown menu and select faculty/Member. Next click [Done] to save the change and return to the list of Memberships username: (Full Name) dialogue:
The User is now a member of the Group: Group name (Short description of Group) / Capacity
Now check the Intranet permissions of Mary by clicking the Intranet link in the Menu to enter the Intranet access: username(Full Name) dialogue:
Observe that in Intranet access: username (Full Name) under Related, Mary is a member of the Group 'faculty' with Capacity Member and has Access permissions to the Exemplum Intranet.
NOTE: If "faculty/Member Access" is not shown, these permissions were not set for that Capacity. The permissions can now be set via: Account Manager > Groups > Group name > Capacity name > Intranet/Admin/Page Manager.
NOTE: Adding a User to a Group/Capacity has the advantages that all permissions required by the User are set in one action. This saves time and prevents errors occurring.
NOTE: Files in a Group directory are publicly accessible when the file and path names are known.
In the Menu column, the Groups link is underlined.
NOTE: There is no warning message issued when a User is removed from a Group after clicking the Trashcan icon. However, it is easy to reassign a User to a Group by repeating the procedure in section 3.2.2.1 Add a member to a Group/Capacity.
To remove a User from membership of a Group, click the
Trashcan icon associated with the Group/Capacity.
Only the User's membership of the Group is removed; the
Group itself continues to exist.
In the Menu column, the Intranet link is underlined.
NOTE: Do not accidentally grant a User the Guru permissions to 'All current and future private areas' (Intranets)! It is advisable to grant this permission only to Wilhelmina Bladergroen, the webmaster of the Exemplum Primary School, or to Amelia Cackle.
The Intranet permissions are:
In the Menu column, the Admin link is underlined.
Explanation:
Notice that Mary Astell has the Roles: Basic administrator, Page Manager and File Manager.
[*] Top-level, in this case, means that the Sections and pages are visible in the menu bar of a theme. The possibility to add a top-level Section or page influences the number of items in the main menu of an Area (the horizontal top row in themes like Frugal or Rosalina). A page in a Section, or a Section in a Section, is not considered a top-level page or Section.
The table below shows the permissions associated with the various Roles.Content master |
Page master |
Section master |
Area master |
Site master |
|
---|---|---|---|---|---|
Content C of page P in section S or area A | X | X | X | X | X |
Page P in section S or area A | - | X | X | X | X |
Section S in area A | - | - | X | X | X |
Area A | - | - | - | X | X |
All current and future areas | - | - | - | - | X |
Example:
A pupil is given the Contentmaster permission and his teacher
gets the Pagemaster permission. This combination enables the
pupil to create only the content on an invisible or inactive page
given to him by the teacher. The teacher can modify the content,
make the page visible or set embargo/expiry dates with the
Pagemaster permissions.
When the Page Manager was selected in the previous section '3.2.4 Administrator permissions: username (Full Name)', the Page Manager link is added to the Menu of the Edit User username (Full Name) dialogue:
In the Menu, select Page Manager to open the Page Manager permissions: username (Full Name) [nn-nn of nn] dialogue:
Now we can grant the Page Manager permissions to Mary Astell. She is a new User to Website@School so we grant her Guru permissions in the sandbox, i.e. the Exemplum inactive Area. This Area is segregated and no one can see what takes place in this enclosed area.
NOTE: Be careful ! Do not accidentally give a User permission to 'All current and future areas'.
Notice the You are here: breadcrumb trail, indicating
what web page you are on, and allowing easy navigation to the
higher pages. The Page Manager permissions:
username (Full Name) [nn-nn of
nn] can sometimes indicate that the list of
allowable Intranets is longer than shown on this page.
The View: at the bottom of the page allowes easy jumping
to other page(s).
Also notice the opened Area 3: Mary Astell has no pages created
by her as yet.
Explanation:
NOTE: Remember the ascending permissions table that was shown earlier.
Click on the Trashcan icon to open the Confirm delete of User username (Full Name) dialogue:
Click [Delete] to delete this User account or [Cancel] to abort the Delete action.
NOTE: By deleting the User account, all ACL's (Access Control
Lists), all records from the database belonging to this User and
all data associated with this User are deleted.
An access control list (ACL) is a list of permissions attached to
Users, to processes and to operations. Each entry in a typical
ACL specifies a subject and an operation. For example, when a
teacher leaves the school, his User account is deleted, as well
as his membership of the Group team and his access permissions to
read certain pages in the Intranet.
NOTE: If all directories, subdirectories and files belonging to a User are to be deleted, all the files in the directories belonging to him must be deleted before deleting his User account. If any direcory is not empty, an error message is displayed (This is a design feature).
Beware: Deleting files can cause broken links in pages.
NOTE: The empty data directory itself is not deleted
automatically.
NOTE:
1. In general any file in the data folder of an active User, an
active Group or an active public Area can be retrieved
by anyone as long as the name of the file is known.
2. If a User, Group or Area is inactive, no files can be
retrieved, even if the name of the file is known. In other words,
once a User, Group or Area is made inactive, it appears to a
visitor as if the account or the Area or the files do not exist
anymore.
NOTE: Bear in mind that everything existing in a public Area is always publicly accessible once a visitor knows the file path to the file. If you need a protected place for files, use an Intranet instead. A Rule of Thumb: everything is publicly accessable except that which is not public.
At this point, we will not delete Mary's account.Here is an example to illustrate the power of the
Group/Capacity feature:
Suppose you can grant twenty parents each with permissions to
read only the Parents Intranet (Role: Access), together with
permissions to do 'everything' (Role: Guru) in just one
Section of the Parents Intranet. (This is possible but it entails
actions which can be error prone; doing the same mouse clicks
repeatedly twenty times.)
It is far easier to create a Group called 'Parents', set the
properties of the Capacity once as described above (carefully
checking your work!), and make the twenty parents members of the
Parents Intranet Group. Using this technique makes it easier to
add, change, or remove properties of a Group/Capacity.
To understand the technique we have created two accounts: Mr. W.G. Spencer, father of Herbert Spencer (Junior pupil) and Mrs. A. Hayes-Hall, mother of Catherina Hayes (Senior pupil).
In the Menu, click the Groups link to enter the Groups dialogue:
Clicking the Add a Group link, opens the Add a new Group dialogue.
Explanation:
NOTE: The Group name consists of a maximum of sixteen characters: lowercase (a-z), digits (0-9), underscore (_)and starts with a letter. A Group name can only occur once and cannot be changed. The Group name is also used to create the Group data directory.
NOTE:
1. In general, any file in the data folder of an active User,
an active Group or an active public Area can be
retrieved by a visitor as long as the name of the file is
known.
2. If a User, Group or Area is inactive, no files
can be retrieved, even if the name of the file is known. In
other words, once a User, Group or Area is made inactive, it
appears to a visitor as if the account or Area no longer
exists, together with the files therein.
NOTE: The same active/inactive conditions apply to pages in Areas. Once an Area is inactive, it appears to a visitor that an Area or the pages in that Area do not exist anymore.
In the bottom part of the Add a new Group dialogue, the capacities can be selected:
Explanation:
In the list (next to the Trashcan and the edit icons) the name
of the new Group and its corresponding Capacities are shown:
Group name (Capacity name 1, Capacity name 2, ..., Capacity name
8).
Both the pencil icon and the Group name take you to the Basic
Properties dialogue. The names of the Capacities are direct links
to dialogues where permissions can be assigned to that
Capacity.
In the Menu column of the web page:
NOTE:
1. In general, any file in the data folder of an active User,
an active Group or an active public Area can be
retrieved by anyone as long as the name of the file is
known.
2. If a User, Group or Area is inactive, no files
can be retrieved, even if the name of the file is known. In
other words, once a User, Group or Area is made inactive, it
appears to a visitor as if the account, the Area or its files
do not exist anymore.
NOTE: The same active/inactive conditions also apply to pages in Areas. Once an Area is inactive, it appears to a visitor as if the pages in that Area or the Area itself do not exist anymore.
NOTE: Once you remove a Capacity from a Group in this Basic Properties dialogue, all Users that were members of the Group in that Capacity are no longer associated with that Group/Capacity.
NOTE: It is possible to change the label of a Capacity. Use the dropdown menu to change the labels. Observe screenshot accountmanager_account_manager_open.png. Notice that from the first three groups, the two classes have a hierarchy that differs from the 'faculty' group which has a top-down hierarchy. The Teacher must be first in the hierarchy and then the Pupil. Select Teacher for Pupil without saving in Capacity 1. Then change Pupil for teacher in Capacity 2. After completing these actions, save your work.
Summary: go: You are here: accounts &gr; Users > ahayes > groups > Add a Group membership > dropdown menu: parent/Member
Click on the Trashcan icon to open the Confirm delete of Group Group name (Short description of the Group) dialogue:
Click [Delete] to delete this Group account or [Cancel] to avoid creating orphaned web pages.
NOTE: By deleting the Group account, all ACL's (Access Control Lists), all records in the database for this Group and all data associated with this Group are deleted. An ACL is a list of permissions attached to Users, to processes and to operations. Each entry in a typical ACL specifies a subject and an operation. For example, when a teacher leaves the school, his User account is deleted, as well as his membership of the Group team and his access permissions to read certain pages in the Intranet.
NOTE: If you want to physically delete all directories, subdirectories and files, do that as a separate action before deleting the User account. Deleting files can cause broken links in web pages. An empty data directory itself is not deleted automatically.
NOTE: Remember that everything that is located in a public Area is publicly accessible once a visitor knows the file path to a file. If you need a protected place for files, use an Intranet. The Rule of Thumb is everything is public except that which is not public.
NOTE: Here is an interesting feature. After logging in with http://exemplum.eu/admin.php, you can change Skins 'on the fly'. In the browser enter one of the following URL's:
Below are some examples of web pages belonging to the
management functions that can be modified to help Users with
impaired vision or other visual disabilities.
Skins can be created for almost every form of low vision or color
blindness.
NOTE: Skins can only be applied to the management web pages of
the product and not to the web pages created by Users and seen by
visitors.
The Skin for use with braille terminals is designed in such a way that accessing the main functions is achieved with minimal tabbing.
This is a rather artificial example, only to demonstrate the almost endless possibilities of Skins for visually impaired Users.
This is an example of a management web page without icons.