SU Tool Setup - UCD Implementation
Jon Gorrono coded an UCD implementation of SU tool for non-administration users to satisfy Jira SAK-131: Add Role based SU security which originated from the need of IT Express support personnel to SU as UC Davis faculty for problem resolution and support. The tool was added to Smartsite v2.3.x.
The test plan, at https://confluence.ucdavis.edu/confluence/display/UCDSAKAI/SU+Tool+-+Test+Plan, covers many of the specifications of the tool's functionality. When the code was ported for the upgrade to Sakai 2.4, we discovered the need for further documentation on how to set up the SU tool on a vanilla system.
These implementation steps are available to users with Administration Workspace access only.
Setup Instructions
After the UCD code is in place, follow these steps to add SU access and to provide users with that access:
- Access Realms and select New Realm. Enter and save the following settings:
- Realm Id: !su.can_su_realm
- Provider Id: null - leave blank
- Maintain Role: maintain
- Select the newly created realm and then select Add Role. Enter a name and short description which will make sense to others.
Set Should this role be limited to the group provider only? to No and check su.can_su as the function, and save. - Select Grant Ability. Enter a user's Kerberos name in User Id and select the role that you created in the last step.
Provide each user with access to the Become User function with one of the following methods:
Method 1: Provide Access Directly to the User's My Workspace
- In Sites, locate My Workspace for the individual who you are providing access and select his/her Site Id.
- Select the Pages button from Sites. Select New Page at the top of the Edit: Site screen. Enter a Title like "SU Tool" or "Become User" and then select the Tools button.
- Select New Tool at the top of the screen.
- On the Edit: Site Tolls Feature list, select Admin: Become User (sakai.su) and save.
Method 2: Add User to Site with SU Tool Available
Add the user to a site which has the SU or Become User tool available. This is the method used for IT Express personnel with access to their non-joinable (private) site, for example.
Note that the user cannot exceed his/her SU capabilities based on their own user status as defined in the test plan.