Ilias 3 Manual


7/27/2019 Ilias 3 Manual (page 1/29)

ILIAS 3 Manual
http://www.zahnaerzte-rd-eck.de/www.z-sh.de/ilias3/docs/manual.html [9/23/2014 4:01:02 PM]

Last update: 07/03/2003

This manual is slightly outdated! A revised version will be published around the end of October 2003.

Contents

Role Based Access Control (RBAC) in ILIAS3
  What is RBAC?
  Basic Concept
  Object Hierarchy
  Role Permission Templates
  System Roles
  Local Roles
  Role Templates
  Permission Inheritance
Working with RBAC & using the Administration Console
  General Administration
    Basic Settings
    Language Management
    Mail settings
    Objects & Type Definition settings
    Role Management
      Permission types
    User Management
  Object Management
  Example scenario
Information for developers
  class structure
  database model
  Adding new modules to ILIAS3
    Defining & adding a new object type
    Defining & adding new operations
    Setting up the basic object classes
  Object type definition concept
    objects.xml documentation
  Active Roles & Sessions
  Unique Identifier
    for object types
    for object instances
  Object concept
    Object type documentation
      Root Folder object
      System Folder object
      Language Folder object
      Language object
      Mail settings object
      Role Folder object


      Role object
      Role Template object
      User Folder object
      User object
      Object Folder object
      Object Type object
      Category object
      Group object
      Forum object
      File object
      Course object
      LearningModule object
      SCORM LearningModule object
  HTML Templates
  Error handling
  System feedback
    sendMessage()
    Infopanel
  Database updates & migration
Appendix
  Glossary
  Resources
  API Documentation
    Used PEAR classes
    PHPdoc

Role Based Access Control (RBAC) in ILIAS3

What is RBAC?

Role Based Access Control (RBAC) has been developed by the National Institute Of Standards And Technology (NIST, http://hissa.nist.gov/project/rbac.html) and is based on the idea that a specific user does not have any permission to access any object directly, but he/she is assigned to a role. These roles contain exactly defined permissions to protect objects and data against unauthorized access. A specific user may be assigned to one or more roles (see Figure 1).

Figure 1: RBAC reference model

Objects (Obj): An object can be any ILIAS3 system resource subject to access control, such as a category, forum, file, group, user or role.

Operations (Ops): An operation defines a single action that may be performed with an object. Each object type may have a different set of allowed operations (i.e. the 'join' operation only applies to group, course and learning module objects).

Permissions: A permission is an approval to perform an operation on one or more RBAC protected objects. In other words, permissions are sets of relations between each object and the possible operations on it. Roles are linked with a list of these permissions and a list of users.

Role: A role reflects a job function within the context of an organization with some associated semantics regarding the authority and responsibility conferred on the user assigned to the role. Technically a role is a collection of users and permissions.

User: A user is defined as a person with a valid account within an ILIAS installation.

Basic Concept

The RBAC system implemented in ILIAS3 follows the proposed recommendations for an RBAC reference model (level 'Core RBAC') by NIST (http://www.nist.gov/). Core RBAC defines a minimum collection of RBAC elements, element sets, and relations in order to completely achieve a Role-Based Access Control system. This includes the user-role assignment and permission-role assignment relations, considered fundamental in any RBAC system.

In addition, Core RBAC introduces the concept of role activation as part of a user's session within a computer system, which is partly implemented in ILIAS3 (see Active Roles).

The Object hierarchy

All resources in ILIAS3 are treated as objects and are organized in a tree structure (see object concept) which, in conjunction with RBAC, allows the concepts of Local Roles (roles with limited scope), Role Permission Templates and the inheritance of object permissions. These features greatly simplify the administrative tasks of the system. In addition, the tree structure is crucial to RBAC for handling the problem of newly created objects (see Permission inheritance).

RBAC protected Objects

All RBAC protected objects are stored in the tree structure. The term 'RBAC protected objects' refers to all objects which have their own permission set stored in the database. Some object types like user or role don't have a permission setting because it is not necessary to distinguish among them within RBAC. But to provide any access control to these object types, they are latched into specific container objects (Role folder respectively User folder) which are subject to access control by the RBAC system.

Role Permission Templates

For every object there exists a set of permissions linked to a role. Each role has its own set of permissions for every individual object! What happens if you create a new object is that you are required to set the permissions of the object for every existing role in the system, which is first an intolerable administrative effort for the user and second a possible security hole.

Therefore ILIAS3 offers you the possibility to set a so called Permission Template for each role. That means you can create default permissions for every object type. If a specific object is created, the permissions are set according to the template permissions.

Furthermore it is possible to accommodate the permissions of all existing objects after changing the role template (see option description 'Change existing Objects'). You can also assign/deassign users to roles.

System Roles

As stated above, roles are linked into the Object hierarchy by latching them in a specific Role folder. The so called System Roles (Administrator, Author and Learner) are roles which are stored in the main Role Folder right beneath the System Settings Folder. This is the top most Role Folder object and the roles within it have a 'global' influence on all objects in ILIAS3. If a new object is created anywhere in the hierarchy, it 'inherits' its permissions from these System Roles.

Local Roles

Every RBAC protected object can possess its own role folder where you may add new roles (and assign users to them). Roles in other role folders except the main Role folder in the system settings are called 'local roles' because they only have local scope. Their influence ranges from the location in the object hierarchy downwards the tree structure, including the parent object the Role folder is assigned to.

We distinguish two types of local roles:

'Real' local roles are created manually in a local Role folder by the user. You may assign users to these local roles.


'Linked' local roles are created by the RBAC system when the inheritance of permissions was interrupted. It is possible to assign users to these local roles.

Role Templates

Role Templates are like common roles but you cannot assign users to them. The purpose of Role Templates is to store individual permission presets you want to use later on particular objects only. Whenever you create a new Local Role you are prompted to set its permission rules. Instead of applying all permission settings manually every time a new Local Role is created, you may just adopt your settings from a Role Template.

Normally, when you set up your access control structure for the first time by modelling the proper Roles and Local Roles, you aim for a role model that automates the permission settings for most cases to keep administrative maintenance low. But in some special cases you want to change the permission settings for an individual branch of your object hierarchy that cannot be covered by pre-defined permission rules (i.e. consider an unpredictable minor change in your organizational structure or in the responsibility of a small subset of users). In such cases Role Templates can be useful to accommodate the changes with 'one click'.

In the Administration console Role Templates are distinguished from common roles by the color of their icons. Icons for Role Templates are greyed.

Permission Inheritance

Whenever a user creates a new object, its permission settings are inherited from all role permission templates found in the Role folders 'above', starting from the position where the new object is inserted into the object hierarchy. The RBAC system 'looks up' the tree structure and creates for each role found on the path a permission set for the new object. At this point the benefits of the object hierarchy become apparent: the user who created the object doesn't need to worry about any permission settings as this is done automatically by the system.

Stopping Permission Inheritance

You may interrupt this inheritance mechanism for every object and role separately. This is useful when you want to alter the permission setting rules for new objects of an existing role only at a specific position in the object hierarchy. What happens is that under the object a new local role folder is created (only if there is not already one existing) and a local role with the same name is created.

This local role is 'linked' with the role from which the inheritance was stopped. You may then alter the permission settings of the linked local role. It is theoretically possible to stop the inheritance of a specific role arbitrarily often. The local scope of each linked local role reaches down the tree structure until another linked local role from the same 'master' role is found. Remember that these rules for the scope of local roles also apply to the option Change existing objects. Only the objects in the scope are accommodated!
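The lookup, the linked local roles and the 'Change existing objects' option described in this and the preceding sections, modelled as an added example (written in Python rather than against ILIAS's PHP classes, and not ILIAS code; the object tree, the type abbreviations 'cat' and 'grp', the role names and the operation names are constructed for the example):

```python
"""Model of ILIAS3-style permission inheritance (constructed example, not ILIAS code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

Template = Dict[str, Set[str]]  # object type -> operations a role may perform on that type


@dataclass
class Role:
    name: str                     # a linked local role keeps the name of its master role
    template: Template
    master: Optional[str] = None  # set only for 'linked' local roles


@dataclass
class Node:
    ref_id: int
    obj_type: str
    parent: Optional["Node"] = None
    children: list = field(default_factory=list)
    role_folder: Dict[str, Role] = field(default_factory=dict)      # this object's role folder
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # role name -> ops granted here


def path_up(node):
    """node, its parent, ...: the order in which the RBAC system 'looks up' the tree."""
    while node is not None:
        yield node
        node = node.parent


def inherited_permissions(position: Node, obj_type: str) -> Dict[str, Set[str]]:
    """Permission set a new object of obj_type receives when inserted under `position`.
    The nearest role folder holding a role name wins, so a linked local role shadows
    its master role further up the tree."""
    perms: Dict[str, Set[str]] = {}
    for n in path_up(position):
        for name, role in n.role_folder.items():
            perms.setdefault(name, set(role.template.get(obj_type, ())))
    return perms


def create_object(parent: Node, ref_id: int, obj_type: str) -> Node:
    node = Node(ref_id, obj_type, parent)
    node.permissions = inherited_permissions(parent, obj_type)
    parent.children.append(node)
    return node


def stop_inheritance(node: Node, role_name: str) -> Role:
    """Interrupt inheritance of one role at one object: the object's role folder (created
    on demand) receives a 'linked' copy of the nearest role of that name, editable on its own."""
    master = next(n.role_folder[role_name] for n in path_up(node) if role_name in n.role_folder)
    linked = Role(role_name, {t: set(ops) for t, ops in master.template.items()}, master=role_name)
    node.role_folder[role_name] = linked
    return linked


def objects_in_scope(folder_node: Node, role_name: str):
    """The subtree under folder_node, cut off wherever a deeper role folder holds a role
    of the same name (i.e. another linked local role of the same master)."""
    yield folder_node
    stack = list(folder_node.children)
    while stack:
        n = stack.pop()
        if role_name in n.role_folder:
            continue
        yield n
        stack.extend(n.children)


def change_existing_objects(folder_node: Node, role_name: str) -> int:
    """'Change existing objects': re-apply the role's template to every object in its scope."""
    role = folder_node.role_folder[role_name]
    changed = 0
    for n in objects_in_scope(folder_node, role_name):
        n.permissions[role_name] = set(role.template.get(n.obj_type, ()))
        changed += 1
    return changed


def check_access(node: Node, active_roles, op: str) -> bool:
    """Users hold no permissions themselves: some active role must grant op on the object."""
    return any(op in node.permissions.get(r, ()) for r in active_roles)


def demo():
    root = Node(1, "root")
    root.role_folder = {  # main role folder: system roles with global influence
        "Administrator": Role("Administrator", {"cat": {"visible", "read", "write", "delete"},
                                                "grp": {"visible", "read", "write", "delete"}}),
        "Learner": Role("Learner", {"cat": {"visible", "read"}, "grp": {"visible", "read", "join"}}),
    }
    classes = create_object(root, 10, "cat")
    linked = stop_inheritance(classes, "Learner")  # linked local role 'Learner' under classes
    linked.template["grp"].discard("join")         # closed groups in this branch only
    closed = create_object(classes, 20, "grp")     # inherits from the linked role
    public = create_object(root, 30, "grp")        # still governed by the system role
    return root, classes, closed, public, linked
```

Editing the linked role changes nothing until 'Change existing objects' is used, and even then only the objects inside that role's scope are touched.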

Working with RBAC & using the Administration Console

All configurations in ILIAS3 are done in the administration console. Here you can manage all objects and administrate the general settings of your system. To get to the administration console, log into the system with an Administrator account and click in the main menu on the button with the monkey wrench.


Figure 2: Where to enter the administration console

The administration console uses two frames. A navigation frame to the left shows all available system resources. The big content frame on the right shows different information about the system resource you have currently selected.

Screenshot: Interface components of the administration console

The navigation frame

This explorer-like interface represents your current system resources in their hierarchical order. All available objects are shown with their title and a small icon which tells you the type of each object. When an object contains other objects a small plus icon is displayed next to that object. By clicking on it you can expand the view to show the contained objects in the explorer frame. When you click on the object title its content is shown in the content frame to the right.

With the refresh button right under the explorer tree you can reload the view after altering your system resources (i.e. added, moved or deleted objects in the hierarchy).

The content frame

Each panel you are viewing in the content frame is composed of several interface elements:

Admin tabs: At the top of the content frame you see different tabs where you may view and edit the different properties of the current object shown. Depending on the object type you are viewing the offered admin tabs may differ, but almost all object types have a 'View Content', 'Edit Properties', 'Permissions' and 'Show Owner' tab.

Common tabs and their function:

  'View Content' - Shows you a list of all other objects the current object contains. This is the default view when you click on an object.

  'Edit Properties' - Lets you edit the title and description of the current object. Depending on the object type other options that you may edit are displayed.

  'Permissions' - Displays a table where all applicable roles and their possible operations on the current object are listed. You may set/unset each permission for each role for the current object.

  'Show Owner' - Displays the owner of the current object. The owner is the user who created the current object.


Object title: Right under the admin tabs the title of the current object is displayed.

Locator: The locator tells you where you are in the object hierarchy by displaying the path from the top node ('ILIAS open source') to the object you are currently viewing. You may click on each object title shown in the path to navigate directly to that object.

Content table: Displays basic information about all objects contained in your current object.

Action buttons: Displays several actions you may perform with any of the objects listed in the content table. Note that if an object listed has no checkbox you can't do any of the offered actions with it. This applies to system related object types like the system settings folder itself.

General Administration

Enter the 'system settings' by clicking the name either in the navigation frame or in the content frame. You see several objects and a list of basic settings.

Screenshot: The main System Settings folder

Basic settings

todo

Language Management

In this panel all language administration is done. ILIAS3 is capable of supporting multiple languages.


Screenshot: Language administration panel

Refresh languages: This option updates all installed languages. The language data is deleted from the database and will be re-read from the language file.

Check languages: Checks all language files for validity. This option is only interesting if you want to modify your language data or add your own translation. Further information about the language concept being used in ILIAS, instructions on how to add your own translation and details about the data format can be found in the online manual, chapter Language concept (http://www.homer.ilias.uni-koeln.de/iliasdoc/doc/html/1.html, http://www.homer.ilias.uni-koeln.de/iliasdoc/doc/html/8_4.html).

Install language: Installs a language and makes it available for all users to choose from.

Uninstall language: Uninstalls a language.

Set system language: Sets the default language for unregistered users.

Set user language: Sets the language for the current account (you). This option does the same as the language selection in your personal profile.

Mail settings

Click on the permission tab and specify which roles should grant the users normal Email usage or sending of internal system messages.

Allow Email: check the box for the operation 'smtp mail' for the appropriate role.

Allow system message: check the box for the operation 'system message' for the appropriate role.

todo: some mail settings are missing

Object and Type definition settings

This panel offers options only for developers. You don't need to change anything here. The purpose of this panel is to change the assignment of operations to each object type. Click on an object in the list and choose the tab 'Edit Operations'. Here you may enable and disable the possible operations for the current object type.


Role Management

The Role Management panel is where the primary permission setting is done. Here you define the access rules for each role and assign users to them. When you enter the Role Management you see a list of already existing roles and role templates, each with its name and a short description. Roles have a blue icon, those for role templates are grey. The only difference between a role and a role template is that you cannot assign users to a role template.

Screenshot: Overview of existing Roles and Role Templates

Add new Role/Role Template: At the bottom right of the list with the existing roles you see a drop down select box. Choose 'Role' or 'Role Template' and click 'add'. Next you see the 'edit properties' panel where you have to give the new role a name. Note that each role must have a unique name.

Delete a Role/Role Template: To delete a role or a role template mark the checkbox next to that role/role template and click the 'delete' button. You cannot delete a role if there are still users assigned to it.

Edit access rules: In the list click on the icon next to the role's name and you are taken to the permission setting panel. You see a table with a matrix showing the possible permission settings for each object type. Each column represents one object type identified by its internal abbreviation (see Unique identifier). The rows list the permissions with a checkbox for each object type in case the particular permission is applicable for that type (see permission types).

Screenshot: The Role Permission Template matrix

Change existing objects: Beside the main purpose of a role to manage access control for the assigned users, a role acts like a pre-defined Permission Template for newly created objects. If a specific object is created, the permissions are set according to these template permissions. But if you change the permission settings of an existing role you may want to accommodate your changes to all objects that were already existent in your system. To do so check the option 'change existing objects' in the last row of the table. All objects within the scope of that role (see chapter x.x permission inheritance) will be adjusted by the changes you have made.


Adopt permission settings from another role or a role template: You may adopt the permission settings of a role/role template to another one. This option may be useful when you want to define a role whose settings differ only slightly from another role. Instead of setting each single permission manually, just choose a role from the list below the permission matrix and click 'adopt'. After filling your new role with the adopted 'pre-settings' you can apply your changes. In this way you can reduce your administrative effort reasonably.

Assign/deassign a User: Click on the tab 'Userassignment' (todo: this option is still located in the 'permission' tab) to review the users currently assigned to the role and to assign/deassign users. Just select or unselect the checkbox next to a user's name to assign or deassign him. Note that you cannot deassign a user if the role would be the only one currently assigned to him.

Screenshot: Panel for adopting role permission settings and user-role assignment

Permission types

There are 12 different permissions in ILIAS3. The following table describes how each permission behaves when a user performs an operation on an RBAC protected object.

Permission: description

Create: User can create an object of that type. This permission is checked when the user tries to add a new object of that type.

Delete: User can delete an object of that type. This permission is checked when the user tries to delete any object.

Delete Post: User can delete a post in a forum. This permission is checked when the user tries to delete a post in a forum. Toggles the display of 'delete' in the option list shown at the bottom of each post. This permission only applies to the forum object.

Edit Permission: User can modify the permission settings of an object of that type. This permission is checked when the user tries to access the permission settings panel.

Edit Post: User can edit a post in a forum. This permission is checked when the user tries to edit a post in a forum. Toggles the display of 'edit' in the option list shown at the bottom of each post. This permission only applies to the forum object. Note that a post can always be edited by its author.

Join: User can autonomously join a group, respectively subscribe to a course or learning module. This corresponds to the concept of open groups in ILIAS2.x where a user can freely subscribe to a group. If this permission is not granted to the user he may only join a group by being invited by a group member, and accordingly for learning modules and courses the user has to be subscribed manually by another user.

Leave: User can autonomously leave a group, respectively unsubscribe from a course or learning module. This permission is not used yet. Its purpose was the intention that a user may not leave a group/course on his own but needs to consult the responsible tutor/teacher for that resource.

Read: User can read an object of that type. This permission is checked when the user tries to access any object. This is the most common permission since it is checked every time an object is being accessed by a user.


Smtp mail: User can send normal Email with the mail system. Toggles the display of the option 'send email' in the mail module when the user composes a new internal mail.

System message: User can send internal mails with status 'System message'. Toggles the display of the option 'system message' in the mail module when the user composes a new internal mail. A System message is only displayed on the recipient's personal desktop and won't be saved to his message inbox.

Visible: User can see an object of that type. This permission is checked whenever the user accesses a page where objects are displayed.

Write: User can edit an object of that type. This permission is checked when the user tries to modify any object.

If you want to develop new modules for ILIAS3 you might come into the situation that you want to check a specific permission in your application but none of the existing operations seem to suit your special case. Then you need to add new operations to the RBAC system, which can be easily done. How to add new operations and further details for developers are described in the section Information for developers.

User Management

Here you can add, delete and review all user accounts.

Screenshot: The user administration panel

Add new User: At the bottom right of the list with the existing users you see a drop down select box. Choose 'User' and click 'add'. You are taken to the user data form for new users. Fill out all required fields and click 'save' to create a new user account.

Delete a User: To delete a user mark the checkbox next to that user and click the 'delete' button.

Change role assignment: Each user account must be assigned to at least one role, the default role. This is done in the 'edit properties' panel of the user. If you want to assign the user to more than one role click on the tab 'Role Assignment'. Here you can review all roles the user is currently assigned to and add/drop the user from a role. (The role assignment tab doesn't exist yet. The list 'active roles' is located in edit properties.)

Edit User profile: Click on the icon next to the user's name to open the user data form. Here you may alter the data. At the bottom is an option 'send email to inform user about changes'. This could be important if you change the password or login name. Note that this option only works if the mail server is properly configured (see Mail Settings).

Object Management


The term object management refers not to a specific panel but to the basic administrative tasks like creating, deleting, copying and moving objects within your object hierarchy. Most objects can be manipulated this way, except special folder objects like the system settings folder or role folders. In the object list below you see different buttons that provide you the basic managing options: cut, copy, link, paste, delete.

Working with these tools is done in a manner similar to any file explorer you might be used to from your PC.

Adding a new object

At the bottom right of your object list you see a dropdown menu where you choose the desired object you want to create in the object you are currently viewing. Depending on the object's containment rules defined in objects.xml the list of the offered subobjects may differ. When you have selected an object you are taken to the edit properties panel that you are already familiar with. Click 'save' when finished to register the new object to the system.

Moving an object

Select the objects in the list you want to cut by checking the appropriate checkboxes and click on 'cut'. You will still see the object(s) in the list but they are now crossed out. Furthermore a new button appears in the button bar saying 'paste'. Now browse to the location where you want to move the prior selected object(s). Once arrived click on 'paste' to 'drop' your object(s) in place.

Marking

Whenever you select one of the actions cut, copy or link, the selected objects are only marked; the intended action is not performed until you click on 'paste'. What actually happens is that the system only 'remembers' the selected objects and the considered action in the session. Once you have clicked on 'paste' the system conducts your action.

Access control

Please note that all involved access control issues of your transactions are checked automatically. For example you may not copy or move an object to a place where you have no create permission for that object. Or you may not move an object, although you are permitted to add the object in the new location, because you have no right to delete it in the old place (which is what actually happens when moving objects).

Linking and copying objects

Both actions create a new reference on the selected object (object_data entry). The difference between both actions is that linked objects are only referenced

Linking an object creates a new reference_id for the selected object(s). This reference_id points to the same object with its data. Thus it doesn't matter from which reference the object is accessed, you work with the same data set. All references pointing to the same object are treated as virtually equal in the system. There is no distinction between the 'original' reference and the 'second', 'third', ... Therefore you cannot distinguish between objects in the object hierarchy whether they were originally created or later linked in that place. When you delete an object the system checks if this would be the last reference to it in the hierarchy and then deletes the corresponding data tables too. If there is another reference to this object in the tree, only the reference_id of the selected object is removed.

The managing functions (cut, copy, paste, delete and link) all work recursively. This means that the chosen action is performed with your selected object and all objects under it!

Therefore be careful with the copy function! Because this function copies the whole subtree under the selected object it may overload your server if you have a deep object hierarchy with many levels and have selected an object for copying at the top of the tree. Linking an object subtree is no problem because the system only creates new reference ids and inserts them into the tree table. Therefore use the copy function with care and limit it to copying single objects or small subtrees. Consider a group containing 5 learning modules, 2 forums and a dozen shared documents. Depending on the size of the course and the files, copying just this small subset of objects could have a quite reasonable impact on your server and the database.
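The reference model behind link, copy, cut/paste and delete described above, as an added example (not ILIAS code: the object_data/tree layout is reduced to two dictionaries, permissions are kept per reference, and the role 'admin' with the operations 'create' and 'delete' are constructed assumptions):

```python
"""Model of ILIAS3 object management: one object_data row, many tree references
(constructed example, not ILIAS code; table layout and permission model are simplified)."""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class Ref:
    ref_id: int
    obj_id: int                 # several references may point at the same object_data row
    parent: Optional[int]
    perms: Dict[str, Set[str]] = field(default_factory=dict)  # role -> ops, kept per reference


class Repository:
    def __init__(self) -> None:
        self.object_data: Dict[int, dict] = {}  # obj_id -> {"type": ..., "title": ...}
        self.tree: Dict[int, Ref] = {}          # ref_id -> Ref (the tree table)
        self._next_obj = self._next_ref = 1

    def _new_ref(self, obj_id: int, parent: Optional[int], perms) -> Ref:
        ref = Ref(self._next_ref, obj_id, parent, {r: set(o) for r, o in perms.items()})
        self.tree[ref.ref_id] = ref
        self._next_ref += 1
        return ref

    def create(self, parent: Optional[int], obj_type: str, title: str, perms) -> Ref:
        obj_id, self._next_obj = self._next_obj, self._next_obj + 1
        self.object_data[obj_id] = {"type": obj_type, "title": title}
        return self._new_ref(obj_id, parent, perms)

    def children(self, ref_id: int) -> List[Ref]:
        return [r for r in self.tree.values() if r.parent == ref_id]

    def subtree(self, ref_id: int) -> Iterator[Ref]:
        """The selected reference and everything beneath it: every action works recursively."""
        yield self.tree[ref_id]
        for child in self.children(ref_id):
            yield from self.subtree(child.ref_id)

    def can(self, roles, ref_id: int, op: str) -> bool:
        return any(op in self.tree[ref_id].perms.get(r, ()) for r in roles)

    def _require(self, roles, ref_id: int, op: str) -> None:
        if not self.can(roles, ref_id, op):
            raise PermissionError(f"roles {sorted(roles)} lack '{op}' on ref {ref_id}")

    def _check_target(self, roles, src: int, target: int) -> None:
        if any(r.ref_id == target for r in self.subtree(src)):
            raise ValueError("cannot paste an object into its own subtree")
        self._require(roles, target, "create")  # create permission at the new place

    def _replicate(self, src: int, target: int, deep: bool) -> Ref:
        """Rebuild the subtree of src under target. link: new refs to the same obj_ids;
        copy: new object_data rows as well, which is what makes copy expensive."""
        old = self.tree[src]
        if deep:
            data = self.object_data[old.obj_id]
            new = self.create(target, data["type"], data["title"], old.perms)
        else:
            new = self._new_ref(old.obj_id, target, old.perms)
        for child in self.children(src):
            self._replicate(child.ref_id, new.ref_id, deep)
        return new

    def paste_link(self, roles, src: int, target: int) -> Ref:
        self._check_target(roles, src, target)
        return self._replicate(src, target, deep=False)

    def paste_copy(self, roles, src: int, target: int) -> Ref:
        self._check_target(roles, src, target)
        return self._replicate(src, target, deep=True)

    def paste_cut(self, roles, src: int, target: int) -> Ref:
        """Moving needs 'create' at the new place and 'delete' at the old one."""
        self._check_target(roles, src, target)
        self._require(roles, src, "delete")
        self.tree[src].parent = target
        return self.tree[src]

    def delete(self, roles, ref_id: int) -> List[int]:
        """Remove the references; an object_data row goes only with its last reference."""
        self._require(roles, ref_id, "delete")
        dropped = []
        for ref in list(self.subtree(ref_id)):
            del self.tree[ref.ref_id]
            if not any(r.obj_id == ref.obj_id for r in self.tree.values()):
                del self.object_data[ref.obj_id]
                dropped.append(ref.obj_id)
        return dropped
```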


    Example scenario

    he role default setup you will find when installing ILIAS3 the first time reflects the permission model used in ILIAS2he basic system groups 'Administrator', 'Author', 'Learner' and 'Guest' are now referred as system roles. That means th

    heir permission settings basically apply for each newly created object in the system. Users with the role 'Learner' mayll resources and have read access to them, 'Authors' may create new learning modules and edit existing ones and

    Administrators' have access to the Administration console.

    Depending on your organizational structure and your projected use of ILIAS3 it might be that you don't need these basoles at all. Because of the hierarchical concept of the access control system each user must assigned at least one systeole in order to access the root node of the system. That means you may setup only one system role called 'ILIAS user

    where all permissions are disabled except for the root object (visible and read). Furthermore you need at least anAdministrator' role that grant you access to everything in order to let you administrate the system.

    Consider the following scenario: A small company offers courses and seminars about the use of standard application software like word processing and working with spreadsheets. The company wants to set up virtual class rooms for the attendants where all resources related to the course are gathered. These could be learning modules for the lessons, additional documents and exercises, and collaborative tools for the course members only, like a forum or email.

    Our role model should satisfy these conditions:

    Class attendants shall only see the class rooms they actually attend.
    Furthermore the users should be allowed to exchange documents with their classmates.
    In addition the company wants to retain visible access for past courses to those persons that once completed a course in the past and give them read access to the courses they had subscribed to.
    And finally we want all currently running courses to be visible to the public and all non-attendants, respectively, to attract new customers.

    With the assumptions taken above we can identify the following roles:

    ILIAS user (system role)
    Class attendant (for each group/class room)
    Guest (for all the rest who have never participated or are not participating in a class; system role)
    Archive (not actually an assignable role but a role template, see below)

    Setting up the role model and object structure

    First we create the system role 'ILIAS user' in the main role folder. In the role's permission template we enable only the visible and read permissions for categories besides the root object, which is required to be visible and readable too (see above).

    How do we handle the described 'guest' access? We want to 'tease' new users and encourage them to become our customers by showing them all currently available seminars. But they shall only see the running courses, not those in the archive. Transcription of the described conditions leads to the conclusion that we need to define another system role 'guest'. We only permit the 'visible' permission for categories and groups to the 'guest' role (and for the root object, of course).

    Now we create two category objects. The first is labelled 'current classes' and contains the classes currently running, and the other category 'past classes' holds classes that are already over. The permission settings for these objects are set up almost correctly due to our predefined settings for the roles 'ILIAS user' and 'guest'. Why almost? Well, we decided that 'guest' shall only peer into the currently running courses, not into the archive. Therefore we need to stop the inheritance of permission settings for the 'past courses' category: Select the category and click on the permission tab. In the permission matrix find the column for the 'guest' role and check the box at the bottom saying 'stop inheritance'. Now switch into the newly created role folder and select the local role 'guest'. Here we revoke ALL permissions and activate the option 'change existing objects' (to accommodate the category itself). 'Guest' users now will neither see the 'past courses' category nor be able to access any classes in it.

    Now we are ready to set up the 'class rooms' for the seminars. For each class room a new group object is created in the 'current classes' category. For every group we need to define a local role 'class attendant'. Fortunately two local roles are created by default in each group object: a 'member' role and an 'administrator' role. The 'member' role fits well for our intended 'class attendant' role.

    We only have to adapt the permission template settings for that role by enabling the following permissions:

    Group: visible, read
    Learning module: visible, read
    Course: visible, read
    Forum: visible, read, write (maybe create to allow users to add new forums)
    File: visible, read, create (we want to allow the users to upload files)

    The Role template 'Archive'

    In this scenario we demanded that after a course is over it should still be accessible by the users who formerly attended it. Since the course has ended, the last state should be 'frozen', thus revoking any write access to the resources. This task can be performed by manually revoking all write and create permissions in the role settings once a course is moved to the archive. Or we prepare a Role Template that consists of similar settings as above but without the permissions write and create for any object type. With this Role Template at hand we can do this easily by adopting its permission settings to the member role of the course when we put the group in the archive.

    Common use cases and how to conduct them

    This is the basic framework that fulfils the conditions of the scenario described here. Now you are ready to add your learning modules, forums and documents to each group ('class room') and of course assign users to them.

    1. Assign a user to a class room: Switch to the regarded group and select the option 'add new member' (not implemented yet). Alternatively switch to the user administration panel, select the user and click on the tab 'Role assignment'. Here you see a list of the existing roles and those active for the user you are currently reviewing. Pick the member role of the regarded group and assign it to the user (the panel 'role assignment' is not implemented yet. Currently this functionality is located in the Role administration panel).

    2. Deassign a user from a class room: Switch into the group view and click the 'Group members' tab. Here you may unsubscribe the user by clicking on the arrow icon next to the user's entry row.

    3. You have a document or learning module in a class room that shall be accessible to another class room: Switch into the group view and check the box of the object in question. Click 'link', switch to your target group and select 'paste'. The correct permission settings are applied automatically by the system.

    4. You want to use a learning module in another class room but you have to modify the content a bit in order to suit the theme of the target group: Proceed like in 3. but instead of 'link' you click on 'copy'. The content of the entire learning module is copied, thus protecting the original source from being changed when you modify the learning module in the target group.

    5. Your seminar is over and you want to move the class room to the 'past courses' folder: This works similarly to the procedure described in 3. and 4.: Select the 'current courses' folder and check the box of the whole group you want to move. Now select 'cut', switch to the 'past courses' folder and 'paste' the group into it.

    6. You want to grant read-only access to the archive for the course attendants after the course is over and you have moved the course into the archive: Here the previously created role template 'archive' comes into play: Because the course is closed, the last state when the course ended should be preserved. Switch to the role administration panel and select the member ('class attendant') role for the course. Scroll down and adopt the permission settings from the pre-defined 'archive' role template. (To do: needs an additional checkbox to adapt 'existing objects' according to the new settings.)

    7. Assign all users of the course to the 'archive' role. However, you have to do this manually because an appropriate function to perform group-wise role assignments is not implemented yet.

    A remark on the 'guest' role

    The idea behind the guest role is to handle all unregistered users. In other words: a role for users passing by the website. This assumes that you are able to access ILIAS3 without having an account, which is not possible yet but will be implemented in the initial beta release.

    Of course the translation of the assumed conditions in this scenario may be achieved with another role model too. For example the 'guest' functionality could also be realized by setting up a third category called 'public' where you link in the courses that should be visible to guests. Then you do not model the 'guest' role as a system role but as a local role within the 'public' folder and stop the inheritance for the 'ILIAS user' role. The advantage of this approach is that not all resources in the 'current courses' are visible to the public but only those you explicitly link into the 'public' folder.

    Modelling tips

    The conditions I presumed in this scenario were chosen with the intention to cover all features of the RBAC system and demonstrate their usage by common use cases you might encounter when working with ILIAS3. You should now understand the main purpose of the cut, copy, link & paste functionality, of Local Roles and Role Templates, and how to use the options 'stop inheritance' and 'change existing objects'.

    The key point is to analyze your organizational structure BEFORE you start modelling your roles. Identify the roles and responsibilities of all involved persons and think about the workflow of common tasks you want to implement later in the system. Choosing the wrong model could end up in a very complicated permission administration.

    A good rule of thumb to follow when designing a role model is to identify the 'least common denominator' for the permissions that should be granted to users by one role and put this definition at the top of your structure (System Roles). Grant more specialized permissions to users with local roles deeper in the hierarchy. For example, if the role 'ILIAS user' in the scenario presented above would grant visible or even read access to all group objects, you would end up stopping the inheritance for each new group created, resulting in many local roles I have to consider when managing my resources, only to prevent access for everyone.

    Instead of stopping the inheritance for each role you may also change only the object permission. But remember: whenever you choose the option 'change existing objects' in a role's permission template from which the object's permissions derive, the permissions will be set back to the permission settings according to the permission rules defined in the Role Permission Template.

    Information for developers

    Class structure

    The RBAC core system consists of the following classes:

    class.ilRbacAdmin.php
    class.ilRbacAdminH.php
    class.ilRbacReview.php
    class.ilRbacReviewH.php
    class.ilRbacSystem.php
    class.ilRbacSystemH.php


    According to the RBAC Functional Specification from NIST the functions are divided into administrative, system and review functions. The class name tells you where a function belongs.

    Administrative functions specify administrative operations for the creation and maintenance of RBAC element sets and relations.

    Review functions are for performing administrative queries.

    System functions are for creating and managing RBAC attributes on user sessions and making access control decisions.

    The class files marked with an 'H' at the end of their name are still empty. They should contain functions belonging to the second level of RBAC with Role Hierarchies. The feature may be implemented in the future.

    Database model

    The following picture describes the database structure and the tables involved in the RBAC system.

    Database model and table relations of the RBAC system


    object_data: Contains basic data for each object in ILIAS3.

    object_reference: All RBAC protected objects are not addressed by their object_id but by a reference_id (see Unique Identifier). Only the object's reference_id is stored in the tree table. An object may have more than one reference_id. This allows allocating the same object multiple times in the object hierarchy and applying individual permission settings.

    tree: Contains the object hierarchy. The RBAC system uses this structure information for permission inheritance and to determine the scope of Local Roles. Furthermore the tree helps to store less permission data for the same object.

    rbac_operations: Contains all operations. If you need a specific operation that does not exist yet, you have to add it here.

    rbac_templates: Contains the data for the Role Permission Templates.

    rbac_ta: (Type assignment) Contains the operation-object type relations. Each object type has specific sets of operations.

    rbac_pa: (Permission assignment) This table contains the most important information: Here the relations between a role, the object and the permission settings are stored. For each specific object there exists a database entry stating which role may exercise which operation on this object. In order to keep the data set small, the operations are serialized, i.e. stored as a string.

    rbac_ua: (User assignment) Contains the user-role relations.

    rbac_fa: (Folder assignment) This table holds the information in which role folder a role is located. Because roles (and users) have no permission entries, the permissions of these objects are administrated by the container object 'Role Folder' (resp. 'User Folder') in which they are stored. This table is important for the Local Role concept. 'Linked' Local Roles are flagged 'unassignable'.

    A specific set of operations (visible, read, write, ...) is assigned to each object (Category, Learning Module, Forum, ...). For each specific object there exists a database entry stating which role may exercise which operation on this object. In order to keep the data set small, the operations are serialized, i.e. stored as a string, in the table rbac_pa (RBAC permission assignment). For roles and users there are no permission entries. The permissions of these objects are administrated by the containers (Role Folder, User Folder) in which they are stored. The tree table contains the information about the object hierarchy. All RBAC protected objects are stored here.
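The tables just listed, and the way 'stop inheritance' with 'change existing objects' rewrites their rows in the example scenario above, as an added example in Python (not ILIAS code): ids, the dict layouts and all method names are constructed, and Python sets stand in for the serialized operation string of rbac_pa.

```python
"""Toy model of the RBAC tables described above (added example, not ILIAS code).
Ids, column layouts and helper names are constructed for the demo."""
from itertools import count


class RbacModel:
    def __init__(self):
        self.next_id = count(1)     # one id sequence is enough for the demo
        self.object_data = {}       # obj_id  -> (type, title)
        self.object_reference = {}  # ref_id  -> obj_id (one object, many refs)
        self.tree = {}              # ref_id  -> parent ref_id (root: None)
        self.rbac_templates = {}    # (role_id, type) -> set of operations
        self.rbac_pa = {}           # (role_id, ref_id) -> ops (a serialized string in ILIAS)
        self.rbac_ua = {}           # usr_id  -> set of role ids
        self.rbac_fa = {}           # role_id -> ref_id of its role folder
        self.linked = {}            # linked local role -> role it overrides
        self.roles = set()

    def add_role(self, templates, parent_ref=None):
        """System role (parent_ref None) or local role scoped to parent_ref's subtree."""
        role_id = next(self.next_id)
        self.roles.add(role_id)
        for typ, ops in templates.items():
            self.rbac_templates[(role_id, typ)] = set(ops)
        if parent_ref is not None:  # local roles live in a role folder (rbac_fa)
            self.rbac_fa[role_id] = self.create_object("rolf", "roles", parent_ref, False)
        return role_id

    def _in_scope(self, role_id, ref_id):
        folder = self.rbac_fa.get(role_id)
        if folder is None:          # system role: applies everywhere
            return True
        node, scope_root = ref_id, self.tree[folder]
        while node is not None:     # walk the tree table upwards
            if node == scope_root:
                return True
            node = self.tree[node]
        return False

    def _apply_templates(self, ref_id):
        """Copy the role permission templates into rbac_pa for one reference. A linked
        local role has a higher id than the role it was created for, so it comes last
        and its template wins inside its scope."""
        typ = self.object_data[self.object_reference[ref_id]][0]
        for role in sorted(self.roles):
            if self._in_scope(role, ref_id):
                ops = self.rbac_templates.get((role, typ), set())
                self.rbac_pa[(self.linked.get(role, role), ref_id)] = set(ops)

    def create_object(self, typ, title, parent_ref, apply=True):
        obj_id = next(self.next_id)  # registration in object_data
        self.object_data[obj_id] = (typ, title)
        return self.link_object(obj_id, parent_ref, apply)

    def link_object(self, obj_id, parent_ref, apply=True):
        """New reference to an existing object: own ref_id, own permission rows."""
        ref_id = next(self.next_id)
        self.object_reference[ref_id] = obj_id
        self.tree[ref_id] = parent_ref
        if apply:
            self._apply_templates(ref_id)
        return ref_id

    def stop_inheritance(self, ref_id, role_id, new_templates):
        """'Stop inheritance' for role_id at ref_id with 'change existing objects':
        a linked local role is created in a role folder under ref_id and the rows
        of the whole subtree (ref_id included) are rewritten from its template."""
        local = self.add_role(new_templates, parent_ref=ref_id)
        self.linked[local] = role_id  # flagged 'unassignable' in rbac_fa
        for ref in list(self.tree):
            if self._in_scope(local, ref):
                typ = self.object_data[self.object_reference[ref]][0]
                self.rbac_pa[(role_id, ref)] = set(new_templates.get(typ, set()))
        return local

    def check_access(self, usr_id, operation, ref_id):
        """rbac_ua gives the user's roles, rbac_pa the operations per (role, ref_id)."""
        return any(operation in self.rbac_pa.get((role, ref_id), set())
                   for role in self.rbac_ua.get(usr_id, set()))


def demo_scenario():
    """The manual's scenario: 'guest' sees current classes but not the archive, and a
    learning module linked into both places gets its own decision per ref_id."""
    m = RbacModel()
    ilias_user = m.add_role({"root": {"visible", "read"}, "cat": {"visible", "read"}})
    guest = m.add_role({t: {"visible"} for t in ("root", "cat", "grp", "lm")})
    root = m.create_object("root", "ILIAS", None)
    current = m.create_object("cat", "current classes", root)
    past = m.create_object("cat", "past classes", root)
    m.stop_inheritance(past, guest, {})        # revoke ALL guest permissions here
    running = m.create_object("grp", "Spreadsheets 2003", current)
    archived = m.create_object("grp", "Word processing 2002", past)
    lm = m.create_object("lm", "Introduction", running)
    lm_link = m.link_object(m.object_reference[lm], archived)  # same obj_id
    m.rbac_ua[1], m.rbac_ua[2] = {ilias_user}, {guest}        # constructed users
    return {
        "guest_sees_current": m.check_access(2, "visible", current),
        "guest_sees_past": m.check_access(2, "visible", past),
        "user_reads_past": m.check_access(1, "read", past),
        "same_object": m.object_reference[lm] == m.object_reference[lm_link],
        "guest_sees_lm_via_current": m.check_access(2, "visible", lm),
        "guest_sees_lm_via_archive": m.check_access(2, "visible", lm_link),
    }
```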

    Adding new Modules to ILIAS3

    add object type definition
    define & add new operations (if required)
    create object classes

    Adding a new object type

    Step 1

    Find an abbreviation for your object type with at least 2 and no more than 5 or 6 characters. This abbreviation is used in the whole system to identify your object type. Examples are frm for the ForumObject and grp for the GroupObject.

    Step 2

    Create the object type definition. This is done in objects.xml.

    Step 3

    You have to register your new object type in the system by adding the following data to the object_data table:

    INSERT INTO object_data (type, title, description, owner, create_date, last_update)
    VALUES ('typ', '', '', -1, now(), now());

    Step 4

    Log into ILIAS3 and go to the Object Type Management Panel in the Administration Console. Find your previously created object type definition in the object type definition list and click on it. Click the tab 'Edit Operations' to enable the operations you want to allow to be performed on your object type. Some operations are mandatory and should be assigned to every object type, like create, visible or read.

    If you find out that none of the available operations suits a special task you have intended for your object type, you need to define additional operations (see Defining & adding new operations).


    Step 5

    Now switch to the Role Management Panel and adapt the access control of the roles for your new object type.

    Defining & adding new operations

    New operations need to be added manually to the database with the following SQL statement:

    INSERT INTO rbac_operations (operation, description)
    VALUES ('', '');

    The operation is now registered in the system and can be assigned to any object type interactively via the Object Administration Panel.

    Setting up the basic object classes

    Your basic object classes must be derived from class.ilObject.php and class.ilObjectGUI.php to ensure the correct integration of your new module into the ILIAS system. To keep the integration easy the system automatically looks for your derived object classes by using the name you defined with the attribute 'class_name' in objects.xml as a part of the file name: class.ilObj<class_name>.php and class.ilObj<class_name>GUI.php.

    In the classes directory of the ILIAS3 distribution you will find two template classes (those with the prefix 'template') providing a basic setup. Copy these templates and rename them to the appropriate file names.

    Then you have to adapt the code according to the definitions you made in objects.xml (see pictures below):

    module_name: This is the name of the class defined by class_name
    type ID: The Identifier you defined in objects.xml


    Code snippet of class template for your Object class.

    Code snippet of class template for your ObjectGUI class.

    As you can see, both constructors are very similar. The last thing you have to be concerned about is to decide whether the object is called by a reference ID or by its object ID. The common way is to refer to an object by a reference ID (that's the default setting). If the objects derived from your new module should be protected by the RBAC system, the object's location in the object hierarchy needs to be stored in the tree table, and therefore they have to be called by a reference ID only. (More on this topic can be found in the chapters about Unique Identifiers and todo.)

    With this basic class setup you are able to create new instances of your new object type, and they have all the basic functionality already implemented. Now you can start to populate the classes with your own functions.

    Object type definition concept

    The file objects.xml contains important basic definitions for each object type in ILIAS3. Here you define a unique identifier which is used in all application levels of ILIAS3 and specify the hierarchical relations between this object type and other object types. In addition, you also define the main interface options - property tabs and action buttons - that should be displayed to the user in the interface.

    All type definitions in objects.xml are read into the variable $ObjDefinition on every mouse click in ILIAS3. $ObjDefinition is an object instance of the class class.ilObjectDefinition.php and provides all methods you need to access and work with the object type data (for a detailed description of each method please consult the ILIAS3 API documentation for that class).

    Below you see the object type definition for the LearningModule object as an example. Right after the example you find documentation that explains the meaning of each element and the effect of their attributes.

    Example XML for an object type definition of 'LearningModule'

    objects.xml documentation

    Root element of an object type definition

    Description: This is the root element of an object type definition, containing all information about the object type.

    Subelements: (required)

    Attributes:

    name (required)
    The abbreviation you chose is used in the whole system to identify your object type:
      In code, object types are addressed by this Identifier.
      Additional database tables that are required to store the object type specific data should have the Identifier as prefix in the table name (i.e. frm_posts for the post data of the forum object).
      Furthermore the Identifier is used by the template engine to automatically load the appropriate standard templates (see Using templates).
    Your Identifier should have at least 2 and no more than 5 or 6 characters. The data is stored in the object_data table, where the title column contains the abbreviation and the type column 'typ'.

    class_name (required)
    All object classes must be derived from class.ilObject.php and class.ilObjectGUI.php to ensure the correct integration of the object type into the ILIAS system. To keep the integration easy the system automatically looks for your derived object classes by using class_name as a part of the file name: class.ilObj<class_name>.php and class.ilObj<class_name>GUI.php. Both classes are derived from class.ilObject.php and class.ilObjectGUI.php respectively and inherit the required basic functionality from them (see Object concept for more information and example class templates to use for new object classes).

    checkbox (required in administration panel only)
    Toggles the visibility of the checkbox in the Administration Console. When the user is not allowed to perform any actions with that object (i.e. copy, paste, delete) the value is set to '0', otherwise '1'.

    inherit (required in administration panel only)
    This flag determines if it is allowed to stop permission inheritance for this object type (set to '1'). Some RBAC protected objects are specific container objects that do not allow containing a local role folder. Examples are the System Folder object (adm) and the User Folder object (usrf).

    Subobject element

    Description: Here you define which other object types this object may contain.

    Subelements: none

    Attributes:

    name (required)
    Put here the Identifier of the object type you want to allow within this object. Rules:
      You may add any other object type defined in objects.xml.
      You may add as many object types as you like.
      You may add the current object type itself.
      You may NOT add an object type that leads to a recursive loop due to the possible subobjects defined in the object type you want to add. Example: A Category object (cat) may contain a Group object (grp), but then a Group object is not allowed to contain Category objects, because both containment rules overlap each other, which causes an infinite loop in the RBAC system.

    max
    Determines the maximum number of objects of an object type that are allowed to exist in this object. Some RBAC protected objects with specific purposes like the System Settings Folder object or the Role Folder object may only appear once within another object (max=1).
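A check for the subobject rules just listed, as an added example in Python (not from ILIAS): the element names objects, object and subobj and the sample definition file are assumed and constructed here; only the attribute names name, class_name and max come from the manual.

```python
"""Validator for the containment rules of objects.xml described above (added example,
not part of ILIAS). The element names objects/object/subobj are assumed; only the
attribute names name, class_name and max come from the manual."""
import xml.etree.ElementTree as ET

# Constructed sample definition file. 'grp' listing 'cat' closes the loop
# cat -> grp -> cat that the rules forbid; 'cat' inside 'cat' is allowed, and
# the made-up type 'x' breaks the identifier-length and "defined type" rules.
SAMPLE_XML = """<objects>
  <object name="root" class_name="RootFolder">
    <subobj name="cat"/><subobj name="adm" max="1"/>
  </object>
  <object name="adm" class_name="SystemFolder"/>
  <object name="cat" class_name="Category">
    <subobj name="cat"/><subobj name="grp"/><subobj name="lm"/>
  </object>
  <object name="grp" class_name="Group">
    <subobj name="frm"/><subobj name="lm"/><subobj name="cat"/>
  </object>
  <object name="frm" class_name="Forum"/>
  <object name="lm" class_name="LearningModule"/>
  <object name="x" class_name="Broken"><subobj name="nowhere"/></object>
</objects>"""


def parse_definitions(xml_text):
    """Return {type_id: {subobject type_id: max or None}} for every defined type."""
    defs = {}
    for obj in ET.fromstring(xml_text).iter("object"):
        subs = {}
        for sub in obj.findall("subobj"):
            mx = sub.get("max")
            subs[sub.get("name")] = int(mx) if mx is not None else None
        defs[obj.get("name")] = subs
    return defs


def find_loops(defs):
    """Containment loops of length >= 2; a type containing itself is allowed.
    Each loop is reported once, rotated to start at its smallest type id."""
    loops = set()

    def walk(start, node, path):
        for nxt in defs.get(node, {}):
            if nxt == start:
                if len(path) >= 2:
                    i = path.index(min(path))
                    loops.add(tuple(path[i:] + path[:i]))
            elif nxt not in path:
                walk(start, nxt, path + [nxt])

    for typ in defs:
        walk(typ, typ, [typ])
    return sorted(loops)


def validate(defs, max_len=6):
    """Apply the manual's rules: identifier length 2..max_len, subobject types
    must be defined in objects.xml, and no containment loop between types."""
    problems = []
    for typ, subs in defs.items():
        if not 2 <= len(typ) <= max_len:
            problems.append(f"{typ}: identifier must have 2 to {max_len} characters")
        for sub in subs:
            if sub not in defs:
                problems.append(f"{typ}: subobject type '{sub}' is not defined")
    for loop in find_loops(defs):
        problems.append("containment loop: " + " -> ".join(loop + (loop[0],)))
    return problems
```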

    Property element

    Description: Here you may define different property panels. These panels are displayed in the user interface as 'tabs'. The text you have written between the tags is interpreted as the tab's label. The system treats the label text as a language keyword and automatically attempts to translate the tab label by looking in the language data for an entry with this value.

    Subelements: none

    Attributes:

    name (required)
    Here you define the command keyword which triggers the property tab in the code. When you click on the tab, the global interface control variable $cmd is loaded with that value and sent to the server. You may now process the $cmd variable in your object class and determine what should happen when the command was sent. Please note that all commands in the administration console trigger appropriate functions named in the way <command>Object (i.e. if the value of $cmd is 'read', a function named 'readObject' is called automatically). This convention only applies to the administration interface.

    module
    Determines if the property tab should appear in the administration console (no module attribute) or in the interface of your module itself (set to '1').

    Action element

    Description: Here you may define different actions which are displayed as submit buttons in the interface. The functionality is similar to the concept of property panels described above. The name attribute defines the keyword value of $cmd which is sent to the server and triggers your code block. The text within the tag labels the button and passes through the same translation process. The only difference is that if an action is performed, a list of object (or reference) IDs is submitted to the server to tell the system for which objects the action should be executed.

    Subelements: none

    Attributes:

    name (required)
    Defines the command keyword (see the name attribute of the property element above).

    Active Roles & Sessions

    The set of active roles of a user is only read once from the database when the user logs in. All roles are stored in the session data of that user.

    Special case: When an already logged-in user is assigned to a new role, he has to log out and log in again in order to update his set of active roles. Please keep this in mind whenever you update the role list of a user.

    To do: Move session management to the database and use an additional column with the user_id. When this feature is implemented, the described problem can be easily solved.

    Unique Identifier

    ILIAS3 knows three different ways to unambiguously identify every object and every object type. Using three different concepts might sound confusing, but it isn't. Each concept serves a different purpose and is used for a different task in the system.

    Type ID (for object types)


    All objects have a small 'signature' that tells you of what type the object is. This signature is a short abbreviation defined in objects.xml and consists of at least 2 letters.

    The type ID is used in ILIAS3 in several ways: First, you are always able to determine an object's type as this information is part of the basic data in the object registry (object_data table). Thereby decision making in code is possible depending upon the object's type. You may also use the type ID to filter particular object types or generate lists of objects of one type. The API already includes some functions that offer type-based operations like Util::getObjectsByOperations().

    Furthermore the type ID acts as a recommendation for how to label database tables and HTML templates. All properties that are associated with a specific object type should be marked with the appropriate type ID. This allows other developers to track down object type related parts of ILIAS3 throughout the application layers:

    object type specific database tables should have the type ID as prefix in their name: <type>_tablename.
    object type specific HTML templates are named in the way tpl.<type>_<name>.html (i.e. if you need a template that is used for displaying basic information about a course, you want to name your template like tpl.crs_overview.html).

    In code the variable's name containing the type ID is $type.
    If passed via the URI: $_GET["type"].
    The type ID is a member variable of class.ilObject.php and is accessed with the function $obj->getType().

    Object ID (for object instances)

    Every time you create a new object, this object is registered in the system with a few basic pieces of information (object type, object title & description, create date and who created it). In the registering process a numeric ID is generated and assigned to that object. This Identifier is referred to as object ID and is unique in the entire system. No object ID is assigned twice to different objects.

    In code the variable's name containing the object ID is $obj_id.

    If passed via the URI: $_GET["obj_id"].
    The object ID is a member variable of class.ilObject.php and is accessed with the function $obj->getId().

    Reference ID (for object instances)

    In addition to the object ID generated during the registering process of an object, for all RBAC protected objects another identifier called reference ID is generated. Each object always has exactly one object ID but may have multiple reference IDs. Each reference ID is unique like the object ID. Thus you may have an object ID '15' and a reference ID '15', but they do not necessarily identify the same object!

    An object ID refers directly to the corresponding data entry in the object_data table, which - depending on the object type - 'knows' the additional db tables holding the remaining data belonging to the object.
    Reference IDs are stored in the object_reference table and only point to an object ID.

    If you are experienced in programming (and I guess you are if you're reading this part of the manual) you might be familiar with such a referencing concept.

    Reference IDs were introduced in ILIAS3 for only one purpose: to allow one and the same object to be allocated multiple times in the object hierarchy. Putting an object into the hierarchy several times in different locations is a useful feature when managing your access control rules (see Example scenario).


    In code the variable's name containing the reference ID is $ref_id.
    If passed via the URI: $_GET["ref_id"].
    The reference ID is a member variable of class.ilObject.php and is accessed with the function $obj->getRefId().

    Object Concept

    General description of the system architecture

    To do

    Database layer: How objects and their data are stored in the database

    Application layer:

    Presentation layer (GUI):

    Object type documentation

    Detailed description of each object type, their intended purposes and remarks about the usage of special folder objects.

    Please place object type related descriptions here!

    Root Folder object

    System Folder object

    Language Folder object

    Language object

    Mail settings object

    Role Folder object

    The create operation is only used and checked if you create a new role folder manually.

    create is NOT checked when

    you add an object for which a local role is created by default. A role folder under the new object to place the default local role in is created automatically (example object types are Group, Forum or Learning Module);
    you stop the inheritance of permission settings for a role. A linked local role is created and placed into a local role folder that is also created automatically.

    In these cases the create operation is not checked because the permission is not granted by the role folder itself but by the object which actually was created. The system only checks if the user is permitted to create the Forum, Group, etc. correlated with the local role folder. The role folder object is part of the 'creation process' of that object, as with stopping inheritance, where role folder creation is part of the 'stopping inheritance' process.

    In both cases a role folder is created by the system automatically. Taking into account that these cases are the most common ones, you don't need to grant the 'create' operation for role folders to most of the users.

    Role object

    Role Template object

    User Folder object

    User object

    Object Folder object

    Object Type object

    Category object

    Group object

    Forum object

    File object

    Course object

    LearningModule object

    SCORM LearningModule object

    Using templates

    To do

    Template structure of ILIAS default skin: basic structure


    Relation between php scripts and templates of ILIAS default skin: (Example: admin console)

    Error handling

    System feedback

    sendMessage()

    Infopanel


    Database updates & migration

    Appendix

    Glossary

    To do

    Resources

    To do

    Download proposed standard (pdf)

    http://csrc.nist.gov/rbac/rbac-std-ncits.pdf