Re: [DG: User Experience] Randomly assigning students to groups

Clay,

I think there are typically two senses in which we talk of roles.

In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity.

In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc.

The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity.

It is quite possible for members of a group to change roles over time and also to have  multiple simultaneous roles.

If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). 

My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality.

The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . 

Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams).

In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel.

Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them.

But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups

Paul
________________________________________
From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Clay Fenlason [khomotso@...]
Sent: Monday, October 26, 2009 8:32 PM
To: sakai-ux UX
Subject: Re: User Experience] [Using Sakai] Some thoughts on group      functionality

The first thing that strikes me, something I've ventured tentatively
in the past (it's good to not feel alone), is the idea that roles are
a secondary and optional feature of groups. Something about that just
seems right to me in concept, though I won't claim to have thought
through whether this is ultimately a helpful shift in practice.

I think the value of the role is primarily as a simplification for the
UX, a metaphorical shortcut to help the user achieve sensible
intuitions about a potentially complicated set of permissions. It can
be a valuable design artifact, in other words, in many contexts. But
it need not be assumed for all group contexts. In cases where the
likely intuition might be misleading and harmful, the role might be an
active hindrance and might need to be explicitly set aside in favor of
a specific permission choice in a particular workflow. Again, that
seems to me a design choice in context, and not an inextricable
feature of the technical design. What's more, baking the role deeply
into the technical design may lead to brittleness where role
intuitions are misleading.

~Clay

On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul PBristow@... wrote:

	Re: [DG: User Experience] Randomly assigning students to groups by Daphnedmdp6 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Thanks Marsh! It is very helpful to understand context so your scenario is invaluable. I've added your use cases and scenario to our documentation. This work is being done for Sakai 3. As you probably know, timelines for early releases are out a year and a fuller Sakai 3 is likely a few years out (http://confluence.sakaiproject.org/display/SAKDEV/Sakai +3). So, the bad news is this isn't functionality you'll be able to use soon but the good news is that it is captured and will be integrated into the Sakai 3 work. I'll share designs next week. Priorities and work schedules are still being worked out so I don't have a good feel for when this will be implemented yet but I think it's fair to say that you'll be able to do the activities you mention down the road in Sakai 3. Thanks again, Daphne On Oct 1, 2009, at 12:46 PM, Marshall Feldman wrote: > Hi Daphne, > > I just responded to Joshua Baron's post by adding a feature request > to JIRA. Here's what I wrote: > > This feature request is modeled after and extends a feature on > WebCT. At its core, the request is to add the ability to generate > groups automatically. Students (or project site participants) would > be assigned to groups at random. The instructor would specify the > number of groups or the size of each group, and Sakai would assign > students at random to different groups. Besides random assignment, > additional assignment methods might be included (e.g., in > alphabetical order to divide class into N groups) and/or use certain > criteria for constructing groups (e.g., [1] equal numbers of male > and female students per group or [2] equal numbers of seniors, > juniors, etc. per group). > > In addition to generating groups automatically, the instructor > (maintainer) should be able to select options that would > automatically configure tool components related to groups. For > example, WebCT has the option of creating a Discussion Board topic > for each group to which only group members (and, optionally, the > instructor) have access. On Sakai, this option would create a > separate forum for each group at the time the group is generated. > Sakai might also configure other tools and their components as > follows. (1) Announcements -- automatically send an announcement to > group members informing them of their new status as group members, > (2) Assignments - optionally associate an assignment with the group, > (3) Messages - as an alternative to an announcement, send a message > to all group members and allow instructor to author message content, > (4) Resources - Create subdirectories in a specified path under > Resources and automatically give group members +rwx rights in their > group's subdirectory, (5) allow instructor the option to schedule > events for the group (e.g., a meeting with the group), (6) > optionally add subsections to the wiki, with each group having its > own subsection and appropriate privileges. > > As for scenario, much of what I'm looking for is already captured by > your current scenarios: > > * Instructor creates equally distributed student groups > * Instructor creates small student project teams in 30 person course > > As for what's actually going on, here's the scenario (although I > don't think it adds much to the above): > > Marsh is teaching a 30-student course in which students work in > teams to construct conference posters. As it is a pure > distance-learning course, > he wants to assign students at random to teams. He also wants to > generate for each team various team-specific tools that the team > members can use > for collaboration. These include a separate forum and Resources > subdirectory for each team. The students will use these to > collaborate on and prepare > their posters. When they are ready to submit their posters, the > students will upload them both to their Resources subdirectory and > the Assignment drop box. > To allow the entire class to view the posters, Sakai would ideally > generate a web page with links to the posters, one link per team, or > the instructor may have to do this manually. > > Thanks for asking about this. Please let me know if and when the > tool is ready with these features. > > Regards, > > Marsh Feldman > > -- > Dr. Marshall Feldman, PhD > Director of Research and Academic Affairs > > Center for Urban Studies and Research > The University of Rhode Island > email: marsh @ uri .edu (remove spaces) > > > Contact Information: > > > Kingston: > > 202 Hart House > Charles T. Schmidt Labor Research Center > The University of Rhode Island > 36 Upper College Road > Kingston, RI 02881-0815 > tel. (401) 874-5953: > fax: (401) 874-5511 > > > Providence: > > 206E Shepard Building > URI Feinstein Providence Campus > 80 Washington Street > Providence, RI 02903-1819 > tel. (401) 277-5218 > fax: (401) 277-5464 Daphne Ogle Senior Interaction Designer University of California, Berkeley Educational Technology Services daphne@... cell (925)348-4372 _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Randomly assigning students to groups by dktr adam marshall :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message another scenario could be to "randomly" create group but with constraints so that (say) the group has an equal number of men and women, or an even mix of ethnic minorities and so on. adam \| -----Original Message----- \| From: sakai-user-bounces@... [mailto:sakai-user- \| bounces@...] On Behalf Of Daphne Ogle \| Sent: 01 October 2009 23:25 \| To: Marshall Feldman \| Cc: sakai-user; sakai-ux UX \| Subject: Re: [Using Sakai] Randomly assigning students to groups \| \| Thanks Marsh! It is very helpful to understand context so your \| scenario is invaluable. \| \| I've added your use cases and scenario to our documentation. This \| work is being done for Sakai 3. As you probably know, timelines for \| early releases are out a year and a fuller Sakai 3 is likely a few \| years out (http://confluence.sakaiproject.org/display/SAKDEV/Sakai \| +3). So, the bad news is this isn't functionality you'll be able to \| use soon but the good news is that it is captured and will be \| integrated into the Sakai 3 work. \| \| I'll share designs next week. Priorities and work schedules are still \| being worked out so I don't have a good feel for when this will be \| implemented yet but I think it's fair to say that you'll be able to do \| the activities you mention down the road in Sakai 3. \| \| Thanks again, \| \| Daphne \| \| On Oct 1, 2009, at 12:46 PM, Marshall Feldman wrote: \| \| > Hi Daphne, \| > \| > I just responded to Joshua Baron's post by adding a feature request \| > to JIRA. Here's what I wrote: \| > \| > This feature request is modeled after and extends a feature on \| > WebCT. At its core, the request is to add the ability to generate \| > groups automatically. Students (or project site participants) would \| > be assigned to groups at random. The instructor would specify the \| > number of groups or the size of each group, and Sakai would assign \| > students at random to different groups. Besides random assignment, \| > additional assignment methods might be included (e.g., in \| > alphabetical order to divide class into N groups) and/or use certain \| > criteria for constructing groups (e.g., [1] equal numbers of male \| > and female students per group or [2] equal numbers of seniors, \| > juniors, etc. per group). \| > \| > In addition to generating groups automatically, the instructor \| > (maintainer) should be able to select options that would \| > automatically configure tool components related to groups. For \| > example, WebCT has the option of creating a Discussion Board topic \| > for each group to which only group members (and, optionally, the \| > instructor) have access. On Sakai, this option would create a \| > separate forum for each group at the time the group is generated. \| > Sakai might also configure other tools and their components as \| > follows. (1) Announcements -- automatically send an announcement to \| > group members informing them of their new status as group members, \| > (2) Assignments - optionally associate an assignment with the group, \| > (3) Messages - as an alternative to an announcement, send a message \| > to all group members and allow instructor to author message content, \| > (4) Resources - Create subdirectories in a specified path under \| > Resources and automatically give group members +rwx rights in their \| > group's subdirectory, (5) allow instructor the option to schedule \| > events for the group (e.g., a meeting with the group), (6) \| > optionally add subsections to the wiki, with each group having its \| > own subsection and appropriate privileges. \| > \| > As for scenario, much of what I'm looking for is already captured by \| > your current scenarios: \| > \| > * Instructor creates equally distributed student groups \| > * Instructor creates small student project teams in 30 person \| course \| > \| > As for what's actually going on, here's the scenario (although I \| > don't think it adds much to the above): \| > \| > Marsh is teaching a 30-student course in which students work in \| > teams to construct conference posters. As it is a pure \| > distance-learning course, \| > he wants to assign students at random to teams. He also wants to \| > generate for each team various team-specific tools that the team \| > members can use \| > for collaboration. These include a separate forum and Resources \| > subdirectory for each team. The students will use these to \| > collaborate on and prepare \| > their posters. When they are ready to submit their posters, the \| > students will upload them both to their Resources subdirectory and \| > the Assignment drop box. \| > To allow the entire class to view the posters, Sakai would ideally \| > generate a web page with links to the posters, one link per team, \| or \| > the instructor may have to do this manually. \| > \| > Thanks for asking about this. Please let me know if and when the \| > tool is ready with these features. \| > \| > Regards, \| > \| > Marsh Feldman \| > \| > -- \| > Dr. Marshall Feldman, PhD \| > Director of Research and Academic Affairs \| > \| > Center for Urban Studies and Research \| > The University of Rhode Island \| > email: marsh @ uri .edu (remove spaces) \| > \| > \| > Contact Information: \| > \| > \| > Kingston: \| > \| > 202 Hart House \| > Charles T. Schmidt Labor Research Center \| > The University of Rhode Island \| > 36 Upper College Road \| > Kingston, RI 02881-0815 \| > tel. (401) 874-5953: \| > fax: (401) 874-5511 \| > \| > \| > Providence: \| > \| > 206E Shepard Building \| > URI Feinstein Providence Campus \| > 80 Washington Street \| > Providence, RI 02903-1819 \| > tel. (401) 277-5218 \| > fax: (401) 277-5464 \| \| Daphne Ogle \| Senior Interaction Designer \| University of California, Berkeley \| Educational Technology Services \| daphne@... \| cell (925)348-4372 \| \| \| \| \| _______________________________________________ \| sakai-user mailing list \| sakai-user@... \| http://collab.sakaiproject.org/mailman/listinfo/sakai-user \| \| TO UNSUBSCRIBE: send email to sakai-user- \| unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Randomly assigning students to groups by jrnorman :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message This would work particularly well if you were had these attributes available :-) [implications for profile or account registration] John On 2 Oct 2009, at 10:22, Adam Marshall wrote: > another scenario could be to "randomly" create group but with > constraints so that (say) the group has an equal number of men and > women, or an even mix of ethnic minorities and so on. > > adam > > \| -----Original Message----- > \| From: sakai-user-bounces@... [mailto:sakai-user- > \| bounces@...] On Behalf Of Daphne Ogle > \| Sent: 01 October 2009 23:25 > \| To: Marshall Feldman > \| Cc: sakai-user; sakai-ux UX > \| Subject: Re: [Using Sakai] Randomly assigning students to groups > \| > \| Thanks Marsh! It is very helpful to understand context so your > \| scenario is invaluable. > \| > \| I've added your use cases and scenario to our documentation. This > \| work is being done for Sakai 3. As you probably know, timelines for > \| early releases are out a year and a fuller Sakai 3 is likely a few > \| years out (http://confluence.sakaiproject.org/display/SAKDEV/Sakai > \| +3). So, the bad news is this isn't functionality you'll be able > to > \| use soon but the good news is that it is captured and will be > \| integrated into the Sakai 3 work. > \| > \| I'll share designs next week. Priorities and work schedules are > still > \| being worked out so I don't have a good feel for when this will be > \| implemented yet but I think it's fair to say that you'll be able > to do > \| the activities you mention down the road in Sakai 3. > \| > \| Thanks again, > \| > \| Daphne > \| > \| On Oct 1, 2009, at 12:46 PM, Marshall Feldman wrote: > \| > \| > Hi Daphne, > \| > > \| > I just responded to Joshua Baron's post by adding a feature > request > \| > to JIRA. Here's what I wrote: > \| > > \| > This feature request is modeled after and extends a feature on > \| > WebCT. At its core, the request is to add the ability to generate > \| > groups automatically. Students (or project site participants) > would > \| > be assigned to groups at random. The instructor would specify the > \| > number of groups or the size of each group, and Sakai would assign > \| > students at random to different groups. Besides random assignment, > \| > additional assignment methods might be included (e.g., in > \| > alphabetical order to divide class into N groups) and/or use > certain > \| > criteria for constructing groups (e.g., [1] equal numbers of male > \| > and female students per group or [2] equal numbers of seniors, > \| > juniors, etc. per group). > \| > > \| > In addition to generating groups automatically, the instructor > \| > (maintainer) should be able to select options that would > \| > automatically configure tool components related to groups. For > \| > example, WebCT has the option of creating a Discussion Board topic > \| > for each group to which only group members (and, optionally, the > \| > instructor) have access. On Sakai, this option would create a > \| > separate forum for each group at the time the group is generated. > \| > Sakai might also configure other tools and their components as > \| > follows. (1) Announcements -- automatically send an announcement > to > \| > group members informing them of their new status as group members, > \| > (2) Assignments - optionally associate an assignment with the > group, > \| > (3) Messages - as an alternative to an announcement, send a > message > \| > to all group members and allow instructor to author message > content, > \| > (4) Resources - Create subdirectories in a specified path under > \| > Resources and automatically give group members +rwx rights in > their > \| > group's subdirectory, (5) allow instructor the option to schedule > \| > events for the group (e.g., a meeting with the group), (6) > \| > optionally add subsections to the wiki, with each group having its > \| > own subsection and appropriate privileges. > \| > > \| > As for scenario, much of what I'm looking for is already > captured by > \| > your current scenarios: > \| > > \| > * Instructor creates equally distributed student groups > \| > * Instructor creates small student project teams in 30 person > \| course > \| > > \| > As for what's actually going on, here's the scenario (although I > \| > don't think it adds much to the above): > \| > > \| > Marsh is teaching a 30-student course in which students work in > \| > teams to construct conference posters. As it is a pure > \| > distance-learning course, > \| > he wants to assign students at random to teams. He also wants to > \| > generate for each team various team-specific tools that the team > \| > members can use > \| > for collaboration. These include a separate forum and Resources > \| > subdirectory for each team. The students will use these to > \| > collaborate on and prepare > \| > their posters. When they are ready to submit their posters, the > \| > students will upload them both to their Resources subdirectory > and > \| > the Assignment drop box. > \| > To allow the entire class to view the posters, Sakai would > ideally > \| > generate a web page with links to the posters, one link per > team, > \| or > \| > the instructor may have to do this manually. > \| > > \| > Thanks for asking about this. Please let me know if and when the > \| > tool is ready with these features. > \| > > \| > Regards, > \| > > \| > Marsh Feldman > \| > > \| > -- > \| > Dr. Marshall Feldman, PhD > \| > Director of Research and Academic Affairs > \| > > \| > Center for Urban Studies and Research > \| > The University of Rhode Island > \| > email: marsh @ uri .edu (remove spaces) > \| > > \| > > \| > Contact Information: > \| > > \| > > \| > Kingston: > \| > > \| > 202 Hart House > \| > Charles T. Schmidt Labor Research Center > \| > The University of Rhode Island > \| > 36 Upper College Road > \| > Kingston, RI 02881-0815 > \| > tel. (401) 874-5953: > \| > fax: (401) 874-5511 > \| > > \| > > \| > Providence: > \| > > \| > 206E Shepard Building > \| > URI Feinstein Providence Campus > \| > 80 Washington Street > \| > Providence, RI 02903-1819 > \| > tel. (401) 277-5218 > \| > fax: (401) 277-5464 > \| > \| Daphne Ogle > \| Senior Interaction Designer > \| University of California, Berkeley > \| Educational Technology Services > \| daphne@... > \| cell (925)348-4372 > \| > \| > \| > \| > \| _______________________________________________ > \| sakai-user mailing list > \| sakai-user@... > \| http://collab.sakaiproject.org/mailman/listinfo/sakai-user > \| > \| TO UNSUBSCRIBE: send email to sakai-user- > \| unsubscribe@... with a subject of "unsubscribe" > _______________________________________________ > sakai-user mailing list > sakai-user@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... > with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	[DG: User Experience] Some thoughts on group functionality by Bristow, Paul :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message http://docs.google.com/View?id=dcshzgr2_1c892k2pt Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. Comments, suggestions, criticism welcome ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@... www.csu.edu.au ---------------------------------------------------- YOU MUST READ THIS NOTICE This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of Charles Sturt University. It is very important that before opening any attachments to this email you check them for viruses and defects. CSU does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at CSU. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt University. ---------------------------------------------------- _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by clayf :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message The first thing that strikes me, something I've ventured tentatively in the past (it's good to not feel alone), is the idea that roles are a secondary and optional feature of groups. Something about that just seems right to me in concept, though I won't claim to have thought through whether this is ultimately a helpful shift in practice. I think the value of the role is primarily as a simplification for the UX, a metaphorical shortcut to help the user achieve sensible intuitions about a potentially complicated set of permissions. It can be a valuable design artifact, in other words, in many contexts. But it need not be assumed for all group contexts. In cases where the likely intuition might be misleading and harmful, the role might be an active hindrance and might need to be explicitly set aside in favor of a specific permission choice in a particular workflow. Again, that seems to me a design choice in context, and not an inextricable feature of the technical design. What's more, baking the role deeply into the technical design may lead to brittleness where role intuitions are misleading. ~Clay On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul <PBristow@...> wrote: > http://docs.google.com/View?id=dcshzgr2_1c892k2pt > > Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. > > >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. > > Comments, suggestions, criticism welcome > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > > YOU MUST READ THIS NOTICE > > This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email > (and any attachment) is confidential and is intended for the use of the addressee(s) > only. If you are not the intended recipient of this email you must not copy, > distribute, take any action in reliance on it or disclose it to anyone. Any > confidentiality is not waived or lost by reason of mistaken delivery to you. The > views expressed in this email are not necessarily those of Charles Sturt University. > It is very important that before opening any attachments to this email you check them > for viruses and defects. CSU does not accept liability for any corruption or viruses > or any consequence which arise as a result of this email transmission. Email > communications with CSU may be subject to automated email filtering, which could result > in the delay or deletion of a legitimate email before it is read by its intended > recipient at CSU. Please tell us if you have concerns about this automatic filtering. > The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) > Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt > University. > ---------------------------------------------------- > _______________________________________________ > sakai-user mailing list > sakai-user@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... with a subject of "unsubscribe" > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Bristow, Paul :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Clay, I think there are typically two senses in which we talk of roles. In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity. In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc. The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity. It is quite possible for members of a group to change roles over time and also to have multiple simultaneous roles. If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality. The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams). In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel. Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them. But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups Paul ________________________________________ From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Clay Fenlason [khomotso@...] Sent: Monday, October 26, 2009 8:32 PM To: sakai-ux UX Subject: Re: User Experience] [Using Sakai] Some thoughts on group functionality The first thing that strikes me, something I've ventured tentatively in the past (it's good to not feel alone), is the idea that roles are a secondary and optional feature of groups. Something about that just seems right to me in concept, though I won't claim to have thought through whether this is ultimately a helpful shift in practice. I think the value of the role is primarily as a simplification for the UX, a metaphorical shortcut to help the user achieve sensible intuitions about a potentially complicated set of permissions. It can be a valuable design artifact, in other words, in many contexts. But it need not be assumed for all group contexts. In cases where the likely intuition might be misleading and harmful, the role might be an active hindrance and might need to be explicitly set aside in favor of a specific permission choice in a particular workflow. Again, that seems to me a design choice in context, and not an inextricable feature of the technical design. What's more, baking the role deeply into the technical design may lead to brittleness where role intuitions are misleading. ~Clay On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul <PBristow@...> wrote: > http://docs.google.com/View?id=dcshzgr2_1c892k2pt > > Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. > > >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. > > Comments, suggestions, criticism welcome > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > > YOU MUST READ THIS NOTICE > > This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email > (and any attachment) is confidential and is intended for the use of the addressee(s) > only. If you are not the intended recipient of this email you must not copy, > distribute, take any action in reliance on it or disclose it to anyone. Any > confidentiality is not waived or lost by reason of mistaken delivery to you. The > views expressed in this email are not necessarily those of Charles Sturt University. > It is very important that before opening any attachments to this email you check them > for viruses and defects. CSU does not accept liability for any corruption or viruses > or any consequence which arise as a result of this email transmission. Email > communications with CSU may be subject to automated email filtering, which could result > in the delay or deletion of a legitimate email before it is read by its intended > recipient at CSU. Please tell us if you have concerns about this automatic filtering. > The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) > Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt > University. > ---------------------------------------------------- > _______________________________________________ > sakai-user mailing list > sakai-user@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... with a subject of "unsubscribe" > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Michael Feldstein-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Two comments here. First, on the difference between the technical sense and the human sense, the LMS will be given information about the "human sense" roles (e.g., student, instructor, teaching assistant, administrator, etc.) from the SIS via the LIS standard. This information maps to permissions in many but not all cases. In some cases it may be important to provide this data in human readable form but less important for the system to represent these roles as distinct permissions structures. So it will be important for us to develop language that makes it easy for us to know which sense we are discussing whenever we are talking about roles. Second, when Paul talks about defining separate groups for a resource or service and then using them for the appropriate ACLs, this sounds to me a bit like Bodington. (I could easily be wrong here.) Bodington's system has very powerful affordances but at a cost of usability. My sense is that Moodle also implemented a (possibly piecemeal) approach to to roles and permissions that may approximate this scheme, at least from a functional perspective. It may be helpful to get comments from folks on list who know more about these systems than I do. It's worth noting that Sakai 2's more flexible roles and permissions system was frequently cited by users as a big advantage over Blackboard in UNC's recent evaluation, I'm not sure exactly what this means, in part because I lack recent hands-on experience with Sakai's roles and permissions, but it may be worth looking at closely. I'd like to understand exactly where the locus of value is and what kinds of complexity were seen to be useful and not confusing. - m Bristow, Paul wrote: Clay, I think there are typically two senses in which we talk of roles. In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity. In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc. The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity. It is quite possible for members of a group to change roles over time and also to have multiple simultaneous roles. If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality. The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams). In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel. Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them. But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups Paul ________________________________________ From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Clay Fenlason [khomotso@...] Sent: Monday, October 26, 2009 8:32 PM To: sakai-ux UX Subject: Re: User Experience] [Using Sakai] Some thoughts on group functionality The first thing that strikes me, something I've ventured tentatively in the past (it's good to not feel alone), is the idea that roles are a secondary and optional feature of groups. Something about that just seems right to me in concept, though I won't claim to have thought through whether this is ultimately a helpful shift in practice. I think the value of the role is primarily as a simplification for the UX, a metaphorical shortcut to help the user achieve sensible intuitions about a potentially complicated set of permissions. It can be a valuable design artifact, in other words, in many contexts. But it need not be assumed for all group contexts. In cases where the likely intuition might be misleading and harmful, the role might be an active hindrance and might need to be explicitly set aside in favor of a specific permission choice in a particular workflow. Again, that seems to me a design choice in context, and not an inextricable feature of the technical design. What's more, baking the role deeply into the technical design may lead to brittleness where role intuitions are misleading. ~Clay On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul PBristow@... wrote: http://docs.google.com/View?id=dcshzgr2_1c892k2pt Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. Comments, suggestions, criticism welcome ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@... www.csu.edu.au ---------------------------------------------------- YOU MUST READ THIS NOTICE This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of Charles Sturt University. It is very important that before opening any attachments to this email you check them for viruses and defects. CSU does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at CSU. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt University. ---------------------------------------------------- _______________________________________________ sakai-user mailing list sakai-user@... http://collab.sakaiproject.org/mailman/listinfo/sakai-user TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe" -- Michael Feldstein \| Principal Product Manager \| +1.818.817.2925 Oracle Academic Enterprise Solutions Group 23A Glendale Road, Glendale, MA 01229 _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Bristow, Paul :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Yes, this whole field is full of ambiguous terms so we ideally need a reference glossary with clearly defined terms and meanings. I think a Groups System may (and will) be provisioned with human sense roles for groups (common or separate) associated with teaching roles eg student, instructor via the LMS through LIS or from the SIS directly, perhaps through LIS. LMS services may associate those roles with permissions also possibly accessing the role semantics through LIS. But a Groups System should not need to be confined in scope to the LMS (even assuming sakai 3 scope is limited to LMS functionality) and roles within the LMS should not be confined to roles from the SIS. Ideally a group management system should be whole of enterprise and cooperating with group and identity systems external to the enterprise. New groups and new roles should be able to be defined as required and not necessarily together. Groups and roles may be sourced from other systems within and outside the LMS, the SIS and the enterprise. There are more groups and more roles than our SISs know about and more group use cases than just our LMSs. I think groups and identity are fundamental to the activities and relationships on which our organisations are built and should be able to be integrated, leveraged and reused across all our systems. While I don't expect to get there tomorrow I don't want new systems requiring limited functionality as a feature. This is why I'd prefer generic interfaces with included implementations that can be replaced or extended as we mature. It's also why I'd prefer to try to keep clean interfaces with clearly defined linkages between groups, roles and permissions as far as is practical. So we can define basic group and group management functionality. We can overlay human sense role information as attributes on group membership which 'functionality' that's aware of the semantics of that role information can use to customise behaviour according to how it understands the role. We can have authorisation or permission systems that use this role information at the cost of limiting them to known role semantics. We can have authorisation or permission systems that just link groups to permissions without needing to know anything about these roles. We can use the 'template role' concept to drive provisioning services to provision groups and ACLs for services based on standard 'template roles' for the service. And we can link any group to any ACL for any resource. I think it's important that UI designs simplify possibilities to support ease of use. I think it's important that back end designs be generic enough to support changing use. UI designs should limit functionality according to context. Will we see the LIS publicly released as part of 'LIS Alliance will be launched in October 2009'? Perhaps LIS already addresses this broader functionality? Does LIS provision membership of course groups? If so I think the Group System would interact with the SIS directly. LMS - SIS interaction would include provisioning sites. Perhaps sakai 3 could have an LIS aware site provisioner where LIS identified the groups to include in ACLs and created them in the group management system? Paul ________________________________________ From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Michael Feldstein [michael.feldstein@...] Sent: Tuesday, October 27, 2009 12:55 AM To: Bristow, Paul Cc: sakai-ux UX Subject: Re: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality Two comments here. First, on the difference between the technical sense and the human sense, the LMS will be given information about the "human sense" roles (e.g., student, instructor, teaching assistant, administrator, etc.) from the SIS via the LIS standard. This information maps to permissions in many but not all cases. In some cases it may be important to provide this data in human readable form but less important for the system to represent these roles as distinct permissions structures. So it will be important for us to develop language that makes it easy for us to know which sense we are discussing whenever we are talking about roles. Second, when Paul talks about defining separate groups for a resource or service and then using them for the appropriate ACLs, this sounds to me a bit like Bodington. (I could easily be wrong here.) Bodington's system has very powerful affordances but at a cost of usability. My sense is that Moodle also implemented a (possibly piecemeal) approach to to roles and permissions that may approximate this scheme, at least from a functional perspective. It may be helpful to get comments from folks on list who know more about these systems than I do. It's worth noting that Sakai 2's more flexible roles and permissions system was frequently cited by users as a big advantage over Blackboard in UNC's recent evaluation, I'm not sure exactly what this means, in part because I lack recent hands-on experience with Sakai's roles and permissions, but it may be worth looking at closely. I'd like to understand exactly where the locus of value is and what kinds of complexity were seen to be useful and not confusing. - m Bristow, Paul wrote: Clay, I think there are typically two senses in which we talk of roles. In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity. In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc. The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity. It is quite possible for members of a group to change roles over time and also to have multiple simultaneous roles. If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality. The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams). In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel. Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them. But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups Paul ________________________________________ From: sakai-ux-bounces@...<mailto:sakai-ux-bounces@...> [sakai-ux-bounces@...<mailto:sakai-ux-bounces@...>] On Behalf Of Clay Fenlason [khomotso@...<mailto:khomotso@...>] Sent: Monday, October 26, 2009 8:32 PM To: sakai-ux UX Subject: Re: User Experience] [Using Sakai] Some thoughts on group functionality The first thing that strikes me, something I've ventured tentatively in the past (it's good to not feel alone), is the idea that roles are a secondary and optional feature of groups. Something about that just seems right to me in concept, though I won't claim to have thought through whether this is ultimately a helpful shift in practice. I think the value of the role is primarily as a simplification for the UX, a metaphorical shortcut to help the user achieve sensible intuitions about a potentially complicated set of permissions. It can be a valuable design artifact, in other words, in many contexts. But it need not be assumed for all group contexts. In cases where the likely intuition might be misleading and harmful, the role might be an active hindrance and might need to be explicitly set aside in favor of a specific permission choice in a particular workflow. Again, that seems to me a design choice in context, and not an inextricable feature of the technical design. What's more, baking the role deeply into the technical design may lead to brittleness where role intuitions are misleading. ~Clay On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul <PBristow@...><mailto:PBristow@...> wrote: http://docs.google.com/View?id=dcshzgr2_1c892k2pt Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. Comments, suggestions, criticism welcome ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@...<mailto:pbristow@...> www.csu.edu.au<http://www.csu.edu.au> ---------------------------------------------------- YOU MUST READ THIS NOTICE This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of Charles Sturt University. It is very important that before opening any attachments to this email you check them for viruses and defects. CSU does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at CSU. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt University. ---------------------------------------------------- _______________________________________________ sakai-user mailing list sakai-user@...<mailto:sakai-user@...> http://collab.sakaiproject.org/mailman/listinfo/sakai-user TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@...<mailto:sakai-user-unsubscribe@...> with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@...<mailto:sakai-ux@...> http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@...<mailto:sakai-ux-unsubscribe@...> with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@...<mailto:sakai-ux@...> http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@...<mailto:sakai-ux-unsubscribe@...> with a subject of "unsubscribe" -- [cid:part1.03050208.04040101@...]<http://www.oracle.com> Michael Feldstein \| Principal Product Manager \| +1.818.817.2925 Oracle Academic Enterprise Solutions Group 23A Glendale Road, Glendale, MA 01229 _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Michael Feldstein-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Will we see the LIS publicly released as part of 'LIS Alliance will be launched in October 2009'? Perhaps LIS already addresses this broader functionality? The LIS working group has set the end of the calendar year as our (latest) goal for releasing a public draft. The main hurdle we have to overcome right now is documentation. There's a kind of release readiness process in the IMS, where documentation is obviously one of the requirements. We have the base specification documents done, but these are massive--over 800 pages, I think--and the vast majority of the information is irrelevant to anyone who just wants to implement a typical SIS-to-LMS integration. (LIS has a lot of forward-looking stuff in it and some formalisms that make it more extensible, testable, etc., at the cost of being long and dense.) We're in the process of documenting a conformance profile which will be the small subset (maybe 5% to 10%) of the base specification that's necessary for LMS/SIS integration. LIS is intended to provide two things: Data that must be shared (and persisted) between the SIS and the the learning system (e.g., who is in which courses, identified in a way such that the LMS can provision course sites and then later return final grades to the SIS in a way that the SIS can understand) Semantic information the SIS possesses that may be useful to users of the LMS (e.g., the meeting times of the class) It is not meant to be a comprehensive model of academic roles and groups. Does LIS provision membership of course groups? Yes, this is one of the main things that it does. If so I think the Group System would interact with the SIS directly. Ray Davis attended the IMS meeting at Oracle HQ this week, in part to explore this idea explicitly. LMS - SIS interaction would include provisioning sites. Perhaps sakai 3 could have an LIS aware site provisioner where LIS identified the groups to include in ACLs and created them in the group management system? Yeah, that's roughly the idea, I think. Again, though, the roles provided by the SIS should be viewed as semantic hints in the learning system and not necessarily determinative of ACLs in the group management system. For example, it may or may not be appropriate to give a teaching assistant different permissions than an instructor (as the SIS understands these roles) in a given course site. Ideally, your roles UI would see the role information sent from the SIS and offer the user a default mapping with an option to override. But your course site could still display that a particular user is a "teaching assistant" because this could be useful information to the humans using the system even if the permissions are unaffected. Something similar could be done with LIS section association, where the SIS tells the LMS "these two course sections are related to each other". The Sakai instructor could be given the default that these sections would be merged into one course site with the option to override. - m Bristow, Paul wrote: Yes, this whole field is full of ambiguous terms so we ideally need a reference glossary with clearly defined terms and meanings. I think a Groups System may (and will) be provisioned with human sense roles for groups (common or separate) associated with teaching roles eg student, instructor via the LMS through LIS or from the SIS directly, perhaps through LIS. LMS services may associate those roles with permissions also possibly accessing the role semantics through LIS. But a Groups System should not need to be confined in scope to the LMS (even assuming sakai 3 scope is limited to LMS functionality) and roles within the LMS should not be confined to roles from the SIS. Ideally a group management system should be whole of enterprise and cooperating with group and identity systems external to the enterprise. New groups and new roles should be able to be defined as required and not necessarily together. Groups and roles may be sourced from other systems within and outside the LMS, the SIS and the enterprise. There are more groups and more roles than our SISs know about and more group use cases than just our LMSs. I think groups and identity are fundamental to the activities and relationships on which our organisations are built and should be able to be integrated, leveraged and reused across all our systems. While I don't expect to get there tomorrow I don't want new systems requiring limited functionality as a feature. This is why I'd prefer generic interfaces with included implementations that can be replaced or extended as we mature. It's also why I'd prefer to try to keep clean interfaces with clearly defined linkages between groups, roles and permissions as far as is practical. So we can define basic group and group management functionality. We can overlay human sense role information as attributes on group membership which 'functionality' that's aware of the semantics of that role information can use to customise behaviour according to how it understands the role. We can have authorisation or permission systems that use this role information at the cost of limiting them to known role semantics. We can have authorisation or permission systems that just link groups to permissions without needing to know anything about these roles. We can use the 'template role' concept to drive provisioning services to provision groups and ACLs for services based on standard 'template roles' for the service. And we can link any group to any ACL for any resource. I think it's important that UI designs simplify possibilities to support ease of use. I think it's important that back end designs be generic enough to support changing use. UI designs should limit functionality according to context. Will we see the LIS publicly released as part of 'LIS Alliance will be launched in October 2009'? Perhaps LIS already addresses this broader functionality? Does LIS provision membership of course groups? If so I think the Group System would interact with the SIS directly. LMS - SIS interaction would include provisioning sites. Perhaps sakai 3 could have an LIS aware site provisioner where LIS identified the groups to include in ACLs and created them in the group management system? Paul ________________________________________ From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Michael Feldstein [michael.feldstein@...] Sent: Tuesday, October 27, 2009 12:55 AM To: Bristow, Paul Cc: sakai-ux UX Subject: Re: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality Two comments here. First, on the difference between the technical sense and the human sense, the LMS will be given information about the "human sense" roles (e.g., student, instructor, teaching assistant, administrator, etc.) from the SIS via the LIS standard. This information maps to permissions in many but not all cases. In some cases it may be important to provide this data in human readable form but less important for the system to represent these roles as distinct permissions structures. So it will be important for us to develop language that makes it easy for us to know which sense we are discussing whenever we are talking about roles. Second, when Paul talks about defining separate groups for a resource or service and then using them for the appropriate ACLs, this sounds to me a bit like Bodington. (I could easily be wrong here.) Bodington's system has very powerful affordances but at a cost of usability. My sense is that Moodle also implemented a (possibly piecemeal) approach to to roles and permissions that may approximate this scheme, at least from a functional perspective. It may be helpful to get comments from folks on list who know more about these systems than I do. It's worth noting that Sakai 2's more flexible roles and permissions system was frequently cited by users as a big advantage over Blackboard in UNC's recent evaluation, I'm not sure exactly what this means, in part because I lack recent hands-on experience with Sakai's roles and permissions, but it may be worth looking at closely. I'd like to understand exactly where the locus of value is and what kinds of complexity were seen to be useful and not confusing. - m Bristow, Paul wrote: Clay, I think there are typically two senses in which we talk of roles. In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity. In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc. The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity. It is quite possible for members of a group to change roles over time and also to have multiple simultaneous roles. If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality. The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams). In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel. Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them. But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups Paul ________________________________________ From: sakai-ux-bounces@...sakai-ux-bounces@... [sakai-ux-bounces@...sakai-ux-bounces@...] On Behalf Of Clay Fenlason [khomotso@...khomotso@...] Sent: Monday, October 26, 2009 8:32 PM To: sakai-ux UX Subject: Re: User Experience] [Using Sakai] Some thoughts on group functionality The first thing that strikes me, something I've ventured tentatively in the past (it's good to not feel alone), is the idea that roles are a secondary and optional feature of groups. Something about that just seems right to me in concept, though I won't claim to have thought through whether this is ultimately a helpful shift in practice. I think the value of the role is primarily as a simplification for the UX, a metaphorical shortcut to help the user achieve sensible intuitions about a potentially complicated set of permissions. It can be a valuable design artifact, in other words, in many contexts. But it need not be assumed for all group contexts. In cases where the likely intuition might be misleading and harmful, the role might be an active hindrance and might need to be explicitly set aside in favor of a specific permission choice in a particular workflow. Again, that seems to me a design choice in context, and not an inextricable feature of the technical design. What's more, baking the role deeply into the technical design may lead to brittleness where role intuitions are misleading. ~Clay On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul PBristow@...PBristow@... wrote: http://docs.google.com/View?id=dcshzgr2_1c892k2pt Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. Comments, suggestions, criticism welcome ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@...pbristow@... www.csu.edu.au <http://www.csu.edu.au> ---------------------------------------------------- YOU MUST READ THIS NOTICE This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of Charles Sturt University. It is very important that before opening any attachments to this email you check them for viruses and defects. CSU does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at CSU. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt University. ---------------------------------------------------- _______________________________________________ sakai-user mailing list sakai-user@...sakai-user@... http://collab.sakaiproject.org/mailman/listinfo/sakai-user TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@...sakai-user-unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@...sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@...sakai-ux-unsubscribe@... with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@...sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@...sakai-ux-unsubscribe@... with a subject of "unsubscribe" -- [cid:part1.03050208.04040101@...]<http://www.oracle.com> Michael Feldstein \| Principal Product Manager \| +1.818.817.2925 Oracle Academic Enterprise Solutions Group 23A Glendale Road, Glendale, MA 01229 -- Michael Feldstein \| Principal Product Manager \| +1.818.817.2925 Oracle Academic Enterprise Solutions Group 23A Glendale Road, Glendale, MA 01229 _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] Some thoughts on group functionality by Ray Davis :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Lots of good stuff to go through here, but very quickly before I plunge into the details: * One of the reasons to model "roles" is to translate between contexts. A wiki or a discussion board or chat room has some basic ideas of "different sorts of people"; a large intro course at UC Berkeley has its own basic ideas; a college at Oxford has its own; a student organization has its own.... Since we've learned that we can't enforce a single conceptual mapping on all pieces of software or on all Sakai communities, we need to support flexible mappings. I agree with Paul that in the short term, as we build from 3akai-demo functionality, "site templates" look like a great spot to start abstracting all this. Templatable contextual roles is a concept that Sakai 1 and 2 got right, IMO. Unfortunately, it wasn't exposed in a way that made it usable by average human beings. * Michael, I still owe you and Linda some comments from the IMS meeting but it may be a couple of days. :) Best, Ray On 10/26/09 8:44 AM, Michael Feldstein wrote: >> >> Will we see the LIS publicly released as part of 'LIS Alliance will be launched in October 2009'? Perhaps LIS already addresses this broader functionality? >> > > The LIS working group has set the end of the calendar year as our > (latest) goal for releasing a public draft. The main hurdle we have to > overcome right now is documentation. There's a kind of release readiness > process in the IMS, where documentation is obviously one of the > requirements. We have the base specification documents done, but these > are massive--over 800 pages, I think--and the vast majority of the > information is irrelevant to anyone who just wants to implement a > typical SIS-to-LMS integration. (LIS has a lot of forward-looking stuff > in it and some formalisms that make it more extensible, testable, etc., > at the cost of being long and dense.) We're in the process of > documenting a conformance profile which will be the small subset (maybe > 5% to 10%) of the base specification that's necessary for LMS/SIS > integration. > > LIS is intended to provide two things: > > * Data that must be shared (and persisted) between the SIS and the > the learning system (e.g., who is in which courses, identified in > a way such that the LMS can provision course sites and then later > return final grades to the SIS in a way that the SIS can understand) > * Semantic information the SIS possesses that may be useful to users > of the LMS (e.g., the meeting times of the class) > > It is not meant to be a comprehensive model of academic roles and groups. >> Does LIS provision membership of course groups? > Yes, this is one of the main things that it does. >> If so I think the Group System would interact with the SIS directly. > Ray Davis attended the IMS meeting at Oracle HQ this week, in part to > explore this idea explicitly. >> LMS - SIS interaction would include provisioning sites. Perhaps sakai 3 could have an LIS aware site provisioner where LIS identified the groups to include in ACLs and created them in the group management system? > Yeah, that's roughly the idea, I think. Again, though, the roles > provided by the SIS should be viewed as semantic hints in the learning > system and not necessarily determinative of ACLs in the group management > system. For example, it may or may not be appropriate to give a teaching > assistant different permissions than an instructor (as the SIS > understands these roles) in a given course site. Ideally, your roles UI > would see the role information sent from the SIS and offer the user a > default mapping with an option to override. But your course site could > still display that a particular user is a "teaching assistant" because > this could be useful information to the humans using the system even if > the permissions are unaffected. > > Something similar could be done with LIS section association, where the > SIS tells the LMS "these two course sections are related to each other". > The Sakai instructor could be given the default that these sections > would be merged into one course site with the option to override. > > - m > > > Bristow, Paul wrote: >> Yes, this whole field is full of ambiguous terms so we ideally need a reference glossary with clearly defined terms and meanings. >> >> I think a Groups System may (and will) be provisioned with human sense roles for groups (common or separate) associated with teaching roles eg student, instructor via the LMS through LIS or from the SIS directly, perhaps through LIS. LMS services may associate those roles with permissions also possibly accessing the role semantics through LIS. >> >> But a Groups System should not need to be confined in scope to the LMS (even assuming sakai 3 scope is limited to LMS functionality) and roles within the LMS should not be confined to roles from the SIS. Ideally a group management system should be whole of enterprise and cooperating with group and identity systems external to the enterprise. New groups and new roles should be able to be defined as required and not necessarily together. Groups and roles may be sourced from other systems within and outside the LMS, the SIS and the enterprise. There are more groups and more roles than our SISs know about and more group use cases than just our LMSs. >> >> I think groups and identity are fundamental to the activities and relationships on which our organisations are built and should be able to be integrated, leveraged and reused across all our systems. While I don't expect to get there tomorrow I don't want new systems requiring limited functionality as a feature. This is why I'd prefer generic interfaces with included implementations that can be replaced or extended as we mature. It's also why I'd prefer to try to keep clean interfaces with clearly defined linkages between groups, roles and permissions as far as is practical. >> >> So we can define basic group and group management functionality. We can overlay human sense role information as attributes on group membership which 'functionality' that's aware of the semantics of that role information can use to customise behaviour according to how it understands the role. We can have authorisation or permission systems that use this role information at the cost of limiting them to known role semantics. We can have authorisation or permission systems that just link groups to permissions without needing to know anything about these roles. We can use the 'template role' concept to drive provisioning services to provision groups and ACLs for services based on standard 'template roles' for the service. And we can link any group to any ACL for any resource. >> >> I think it's important that UI designs simplify possibilities to support ease of use. I think it's important that back end designs be generic enough to support changing use. UI designs should limit functionality according to context. >> >> Will we see the LIS publicly released as part of 'LIS Alliance will be launched in October 2009'? Perhaps LIS already addresses this broader functionality? >> >> Does LIS provision membership of course groups? If so I think the Group System would interact with the SIS directly. LMS - SIS interaction would include provisioning sites. Perhaps sakai 3 could have an LIS aware site provisioner where LIS identified the groups to include in ACLs and created them in the group management system? >> >> Paul >> ________________________________________ >> From: sakai-ux-bounces@... [sakai-ux-bounces@...] On Behalf Of Michael Feldstein [michael.feldstein@...] >> Sent: Tuesday, October 27, 2009 12:55 AM >> To: Bristow, Paul >> Cc: sakai-ux UX >> Subject: Re: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality >> >> Two comments here. First, on the difference between the technical sense and the human sense, the LMS will be given information about the "human sense" roles (e.g., student, instructor, teaching assistant, administrator, etc.) from the SIS via the LIS standard. This information maps to permissions in many but not all cases. In some cases it may be important to provide this data in human readable form but less important for the system to represent these roles as distinct permissions structures. So it will be important for us to develop language that makes it easy for us to know which sense we are discussing whenever we are talking about roles. >> >> Second, when Paul talks about defining separate groups for a resource or service and then using them for the appropriate ACLs, this sounds to me a bit like Bodington. (I could easily be wrong here.) Bodington's system has very powerful affordances but at a cost of usability. My sense is that Moodle also implemented a (possibly piecemeal) approach to to roles and permissions that may approximate this scheme, at least from a functional perspective. It may be helpful to get comments from folks on list who know more about these systems than I do. >> >> It's worth noting that Sakai 2's more flexible roles and permissions system was frequently cited by users as a big advantage over Blackboard in UNC's recent evaluation, I'm not sure exactly what this means, in part because I lack recent hands-on experience with Sakai's roles and permissions, but it may be worth looking at closely. I'd like to understand exactly where the locus of value is and what kinds of complexity were seen to be useful and not confusing. >> >> - m >> >> >> Bristow, Paul wrote: >> >> Clay, >> >> I think there are typically two senses in which we talk of roles. >> >> In a technical sense we bundle a set of permissions into a role for ease of management - your simplification for the UX (although it's equally helpful at the backend). In it's simplest sense this is like granting a dba role in a database - the role grants the same permissions to all members globally. In a more sophisticated usage the role is a template for the application of a set of meta permissions to create permissions in the context of a specific resource or activity. >> >> In a more human sense people fulfil roles in the context of activities of groups. So in an academic sense we have teachers and students. In clubs we have presidents, secretaries, etc. >> >> The two definitions blend when we use a templated set of permissions to give members of a group the permissions they need to fulfil their role in a group activity. >> >> It is quite possible for members of a group to change roles over time and also to have multiple simultaneous roles. >> >> If we manage roles within groups we need agreement on the semantics of the roles between the groups system and the activity or resource where the permissions have meaning. Also we need a set of methods to manage roles in the context of a user's membership of a group (and the context of the resource or activity). >> >> My suggested group model could accommodate roles as metadata on the membership objects. But I don't think this is appropriate for the k2 authorisation model. The JCR ACL as I understand it allows us to add a group to a 'role' for a resource but does not have the functionality or the expectation of assigning different roles or permissions according to attributes of individual's membership within the group. More importantly in the long term, k2 should be generic to meet future needs and should not have today's role semantics built into its core functionality. >> >> The alternative is to define separate groups for each role for a resource or service and use them for the appropriate ACLs. We can create a supergroup of all members of a site or service just by creating a group and adding the 'role groups' as members . >> >> Within k2 we should have separate groups for each role for 'sites' and similar services, along with a group which is the union of these groups. (This is how I interpret Ian's site group diagrams). >> >> In the set of templates used to create sites and other resources there should be templates of permissions associated with the resource and templates for the definition of groups to align with expected usage roles and permission requirements. This keeps the 'role' expectations in the data rather than the code and hopefully avoids building today's limitations into the kernel. >> >> Roles within groups may be useful for other aspects of membership and can still be supported subject to functionality to manage the extended attributes to support them. >> >> But we should consider that there may uses for group functionality which don't relate to permissions and where role is irrelevant - we should be cautious about requiring them in groups >> >> Paul >> ________________________________________ >> From: sakai-ux-bounces@...<mailto:sakai-ux-bounces@...> [sakai-ux-bounces@...<mailto:sakai-ux-bounces@...>] On Behalf Of Clay Fenlason [khomotso@...<mailto:khomotso@...>] >> Sent: Monday, October 26, 2009 8:32 PM >> To: sakai-ux UX >> Subject: Re: User Experience] [Using Sakai] Some thoughts on group functionality >> >> The first thing that strikes me, something I've ventured tentatively >> in the past (it's good to not feel alone), is the idea that roles are >> a secondary and optional feature of groups. Something about that just >> seems right to me in concept, though I won't claim to have thought >> through whether this is ultimately a helpful shift in practice. >> >> I think the value of the role is primarily as a simplification for the >> UX, a metaphorical shortcut to help the user achieve sensible >> intuitions about a potentially complicated set of permissions. It can >> be a valuable design artifact, in other words, in many contexts. But >> it need not be assumed for all group contexts. In cases where the >> likely intuition might be misleading and harmful, the role might be an >> active hindrance and might need to be explicitly set aside in favor of >> a specific permission choice in a particular workflow. Again, that >> seems to me a design choice in context, and not an inextricable >> feature of the technical design. What's more, baking the role deeply >> into the technical design may lead to brittleness where role >> intuitions are misleading. >> >> ~Clay >> >> On Sun, Oct 25, 2009 at 11:55 PM, Bristow, Paul <PBristow@...><mailto:PBristow@...> wrote: >> >> >> http://docs.google.com/View?id=dcshzgr2_1c892k2pt >> >> Some conceptual thoughts about group functionality, required functions and a possible approach. Rough thoughts at the moment, could be expanded if there's value in them. >> >> >From what I can see from the sidelines of the Sakai 3 groups initiative it seems focused on the client side of how users use a group management system. I've tried to coalesce the functionality of the requirements identified here and elsewhere along with our local experience and expectations into a possible system and API for back end functionality. >> >> Comments, suggestions, criticism welcome >> >> ---------------------------------------------------- >> Paul Bristow >> Applications Architect >> Division of Information Technology >> Charles Sturt University >> Ph: 02 6051 9959 >> Fax: 02 6051 9919 >> pbristow@...<mailto:pbristow@...> >> www.csu.edu.au<http://www.csu.edu.au> >> ---------------------------------------------------- >> >> YOU MUST READ THIS NOTICE >> >> This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email >> (and any attachment) is confidential and is intended for the use of the addressee(s) >> only. If you are not the intended recipient of this email you must not copy, >> distribute, take any action in reliance on it or disclose it to anyone. Any >> confidentiality is not waived or lost by reason of mistaken delivery to you. The >> views expressed in this email are not necessarily those of Charles Sturt University. >> It is very important that before opening any attachments to this email you check them >> for viruses and defects. CSU does not accept liability for any corruption or viruses >> or any consequence which arise as a result of this email transmission. Email >> communications with CSU may be subject to automated email filtering, which could result >> in the delay or deletion of a legitimate email before it is read by its intended >> recipient at CSU. Please tell us if you have concerns about this automatic filtering. >> The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) >> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt >> University. >> ---------------------------------------------------- >> _______________________________________________ >> sakai-user mailing list >> sakai-user@...<mailto:sakai-user@...> >> http://collab.sakaiproject.org/mailman/listinfo/sakai-user _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by jrnorman :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Paul It seems to me this is the critical paragraph in your paper: "A group management system such as this would be useful across (and beyond) the enterprise. I see no reason why it has to be part of the sakai kernel, part of the same JVM or part of the same service. My preference would be an API for sakai 3 along with a reference implementation which may be outside the kernel but in the sakai instance" It goes to the scope question: Are we solving the Enterprise Groups problem, or some subset of the problem? If we are solving a subset, what are the integration points with the Enterprise Groups solution and what do we do if no Enterprise Groups solution is available? If we solve the Enterprise Groups problem, what does deployment look like in an institution with another Enterprise Groups solution in place? In general, the approach I believe you are proposing - that the UI to manage groups interacts with code outside the kernel but then is expressed in terms of JCR groups inside the kernel through an api - is appealing. It offers performance for questions the code needs answered (like: can this user access this information?) and it seems to offer flexibility for educationally-important group use-cases that are not strictly Sakai-only information. But as I try to think this through I get stuck in a couple of places 1. How do we create a UI that is meaningful both outside and inside Sakai 2. How can we design a user experience that works equally well for institutions that have Enterprise Groups and institutions that do not? John PS This is for me the main area of ambiguity in the documents to which Ray keeps referring. I can't find where the questions are addressed and I keep imagining that Ray is in fact trying to write the Enterprise Groups application of which Sakai would then be a client. In supposing that Sakai would be able to manage some of the information in an Enterprise Groups store, one makes assumptions about what the owners of that store will accept from other systems. Those assumptions may not be universally valid. PPS The problem is exacerbated by Enterprise Groups currently being an unsolved problem (as far as I know) and different institutions having very different political contexts in which any solution might be deployed and operated. Each of us is likely making assumptions about how an Enterprise Groups future might be realised and that is likely colouring our expectations of how this might impact Sakai. I think the emergence of LDAP as an intermediate step in one profile (?) of the IMS SIS/LMS integration work both illustrates the dilemma and one possible response to the dilemma. PPPS If I think of the problem as an Enterprise Integration problem, I am tempted to come over all SOA and say Sakai should have a means of being aware (and kept up to date) of relevant information sources outside Sakai and should be able to determine what it does with that external information. If Sakai manages/processes the information it should be able to do what it likes, but should emit events that notify the external system of Sakai's manipulations and allows the external system to decide what notice it takes of those manipulations. This points to a more tightly scoped set of user interactions with groups data. Scope is everything in this discussion. On 25 Oct 2009, at 23:55, Bristow, Paul wrote: > http://docs.google.com/View?id=dcshzgr2_1c892k2pt > > Some conceptual thoughts about group functionality, required > functions and a possible approach. Rough thoughts at the moment, > could be expanded if there's value in them. > >> From what I can see from the sidelines of the Sakai 3 groups >> initiative it seems focused on the client side of how users use a >> group management system. I've tried to coalesce the functionality >> of the requirements identified here and elsewhere along with our >> local experience and expectations into a possible system and API >> for back end functionality. > > Comments, suggestions, criticism welcome > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > > YOU MUST READ THIS NOTICE > > This email has been sent by Charles Sturt University (ABN 83 878 708 > 551). This email > (and any attachment) is confidential and is intended for the use of > the addressee(s) > only. If you are not the intended recipient of this email you must > not copy, > distribute, take any action in reliance on it or disclose it to > anyone. Any > confidentiality is not waived or lost by reason of mistaken delivery > to you. The > views expressed in this email are not necessarily those of Charles > Sturt University. > It is very important that before opening any attachments to this > email you check them > for viruses and defects. CSU does not accept liability for any > corruption or viruses > or any consequence which arise as a result of this email > transmission. Email > communications with CSU may be subject to automated email filtering, > which could result > in the delay or deletion of a legitimate email before it is read by > its intended > recipient at CSU. Please tell us if you have concerns about this > automatic filtering. > The Commonwealth Register of Institutions and Courses for Overseas > Students (CRICOS) > Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for > Charles Sturt > University. > ---------------------------------------------------- > _______________________________________________ > sakai-user mailing list > sakai-user@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... > with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by Ray Davis :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message On 10/26/09 10:38 AM, John Norman wrote: > Paul > > It seems to me this is the critical paragraph in your paper: > "A group management system such as this would be useful across (and > beyond) the enterprise. I see no reason why it has to be part of the > sakai kernel, part of the same JVM or part of the same service. My > preference would be an API for sakai 3 along with a reference > implementation which may be outside the kernel but in the sakai > instance" > > It goes to the scope question: > Are we solving the Enterprise Groups problem, or some subset of the > problem? Neither, AFAIK, if I'm part of the "we". :) What we need to solve is more your question 2 than your question 1. * Sakai needs to support use cases that use a variety of approaches to "enterprise groups", including multiple sources and including "no sources at all." We can't dictate those. But we _can_ be prepared for particular testable real-world use cases, and we _should_ support the most common ones (possible candidates include IMS LIS, Kuali SIS, some LDAP configurations, some SAML configurations, OpenSocial as both producer and consumer) out of the box. * Sakai needs to combine integration with externally managed communities (including "enterprise groups") with the flexibility our users expect of decent collaborative software. That means not ONLY supporting internally-managed memberships, roles, and permissions, and not ONLY supporting externally-dictated memberships, roles, and permissions. The hardest task (or at least the task on which Sakai 2 fell apart most painfully) is supporting both in a way that normal human beings can understand. So I talk a lot about integration approaches because I know we need to understand them (and sometimes hook up to them) to meet Sakai user needs. And I spend some time pressing for standardization of integration sources (so that, for example, Google Apps Education, Moodle, Sakai, and Blackboard can all work from the same feeds) because that will ultimately reduce the amount of duplicated work Sakai customers need to do. But they're basically a side issue to the problem that really preoccupies us. In terms of integrating with a single all-in-one group-management solution, see: http://confluence.sakaiproject.org/display/GROUPS/Potential+service+integrations Best, Ray > If we are solving a subset, what are the integration points > with the Enterprise Groups solution and what do we do if no Enterprise > Groups solution is available? If we solve the Enterprise Groups > problem, what does deployment look like in an institution with another > Enterprise Groups solution in place? > > In general, the approach I believe you are proposing - that the UI to > manage groups interacts with code outside the kernel but then is > expressed in terms of JCR groups inside the kernel through an api - is > appealing. It offers performance for questions the code needs answered > (like: can this user access this information?) and it seems to offer > flexibility for educationally-important group use-cases that are not > strictly Sakai-only information. But as I try to think this through I > get stuck in a couple of places > 1. How do we create a UI that is meaningful both outside and inside > Sakai > 2. How can we design a user experience that works equally well for > institutions that have Enterprise Groups and institutions that do not? > > John > > PS This is for me the main area of ambiguity in the documents to which > Ray keeps referring. I can't find where the questions are addressed > and I keep imagining that Ray is in fact trying to write the > Enterprise Groups application of which Sakai would then be a client. > In supposing that Sakai would be able to manage some of the > information in an Enterprise Groups store, one makes assumptions about > what the owners of that store will accept from other systems. Those > assumptions may not be universally valid. > > PPS The problem is exacerbated by Enterprise Groups currently being an > unsolved problem (as far as I know) and different institutions having > very different political contexts in which any solution might be > deployed and operated. Each of us is likely making assumptions about > how an Enterprise Groups future might be realised and that is likely > colouring our expectations of how this might impact Sakai. I think the > emergence of LDAP as an intermediate step in one profile (?) of the > IMS SIS/LMS integration work both illustrates the dilemma and one > possible response to the dilemma. > > PPPS If I think of the problem as an Enterprise Integration problem, I > am tempted to come over all SOA and say Sakai should have a means of > being aware (and kept up to date) of relevant information sources > outside Sakai and should be able to determine what it does with that > external information. If Sakai manages/processes the information it > should be able to do what it likes, but should emit events that notify > the external system of Sakai's manipulations and allows the external > system to decide what notice it takes of those manipulations. This > points to a more tightly scoped set of user interactions with groups > data. > > Scope is everything in this discussion. > > On 25 Oct 2009, at 23:55, Bristow, Paul wrote: > >> http://docs.google.com/View?id=dcshzgr2_1c892k2pt >> >> Some conceptual thoughts about group functionality, required >> functions and a possible approach. Rough thoughts at the moment, >> could be expanded if there's value in them. >> >>> From what I can see from the sidelines of the Sakai 3 groups >>> initiative it seems focused on the client side of how users use a >>> group management system. I've tried to coalesce the functionality >>> of the requirements identified here and elsewhere along with our >>> local experience and expectations into a possible system and API >>> for back end functionality. >> Comments, suggestions, criticism welcome >> >> ---------------------------------------------------- >> Paul Bristow >> Applications Architect >> Division of Information Technology >> Charles Sturt University >> Ph: 02 6051 9959 >> Fax: 02 6051 9919 >> pbristow@... >> www.csu.edu.au >> ---------------------------------------------------- >> >> YOU MUST READ THIS NOTICE >> >> This email has been sent by Charles Sturt University (ABN 83 878 708 >> 551). This email >> (and any attachment) is confidential and is intended for the use of >> the addressee(s) >> only. If you are not the intended recipient of this email you must >> not copy, >> distribute, take any action in reliance on it or disclose it to >> anyone. Any >> confidentiality is not waived or lost by reason of mistaken delivery >> to you. The >> views expressed in this email are not necessarily those of Charles >> Sturt University. >> It is very important that before opening any attachments to this >> email you check them >> for viruses and defects. CSU does not accept liability for any >> corruption or viruses >> or any consequence which arise as a result of this email >> transmission. Email >> communications with CSU may be subject to automated email filtering, >> which could result >> in the delay or deletion of a legitimate email before it is read by >> its intended >> recipient at CSU. Please tell us if you have concerns about this >> automatic filtering. >> The Commonwealth Register of Institutions and Courses for Overseas >> Students (CRICOS) >> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for >> Charles Sturt >> University. >> ---------------------------------------------------- >> _______________________________________________ >> sakai-user mailing list >> sakai-user@... >> http://collab.sakaiproject.org/mailman/listinfo/sakai-user >> >> TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... >> with a subject of "unsubscribe" > > _______________________________________________ > sakai-user mailing list > sakai-user@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > TO UNSUBSCRIBE: send email to sakai-user-unsubscribe@... with a subject of "unsubscribe" > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by Bristow, Paul :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message What do we want for the scope of sakai 3? Is it just an LMS? Is it a closed system? My view of Sakai 2 is that it is essentially closed (Cambridge have some Facebook integration there may be other exceptions). Sakai 2 resources are accessed through Sakai 2 sites within the Sakai 2 portal. The impression I've received is that Sakai 3 is intended to be far more participatory. There is far more focus on sharing information across groups and sites. I also had the impression we wanted Sakai 3 resources and activities to be integrated into interfaces outside a Sakai 3 'portal'. Our resources, accessible through restful addresses are now mashable in the browser. To me this means identity, groups and authorisation are enterprise concerns, we can no longer make the same assumptions about limited ways in which our users will interact with us. It seems to me that 1. there is probably no available enterprise system that will meet all our use cases 2. a group system that meets all our use cases would be superior to any existing enterprise system 3. there may be other more sophisticated enterprise group systems in the future 4. there are likely to be use cases for having one enterprise's groups system cooperating with another I think this means 1. we're likely to need to build something for this functionality anyway 2. we could benefit from having this functionality available more broadly 3. use cases and requirements will continue to evolve 4. group systems need to be able to cooperate My suggestion would be to 1. design an extendable API for group membership 2. design an implementation which meets our most important needs 3. expose that implementation to other systems requiring group functionality through its API 4. support and encourage other implementations which can be plugged in instead of or as well as the base implementation Those without enterprise group systems could implement the base sakai 3 implementation and optionally extend its use into integrating groups into other systems which would facilitate seamlessly integrating sakai 3 into the broader information architecture. Those with enterprise group systems could choose to create an implementation which maps aspects of their group system to the API. Assuming that preexisting group systems will have less functionality they may want to merge their functionality into a custom implementation. >From our (CSU) perspective we need to be able to dynamically manage groups based on student enrolments. Other dynamic use cases are more in the nice to have area but I would see the ability to facilitate optional subgroup provisioning for tutorials, workshops, study and assignment groups as very attractive if not compelling. I can't see any reason having this group functionality should conflict with more basic manually managed groups. Our existing in house system mixes manual groups with dynamic groups populated according to enrolment, employment status and level, and parent-child inheritance. For me it's not either/or we need to support both. I also think all the functionality I suggested in my document is necessary to support use cases which have already been identified. My general rule based approach to dynamic groups may be substituted with hard coded rules supporting specific use cases eg enrolment. LIS would presumably remove the need for customising these hard coded rules for every SIS. But a rule based approach allows us to add rules declaratively in a rules system to extend our use cases without recoding. The document http://confluence.sakaiproject.org/display/GROUPS/Roles+and+permissions has a section called The hard problem of permissions. Ray talks about his hubris in being comfortable with groups roles and resources but not with permissions. I kind of agree with this but I've got even more hubris, I think I'm ok with the permissions too provided we don't let them compromise the core group functionality. This is why I'd like the permission side to be implemented in a separate permission (or ACL) system that links all members of a group to specific permissions. The ACL asks 'is the user a member of the group' and gets a simple reply. If you put roles affecting permissions in the groups the question becomes 'is the user a member of the group with a specific role'. This isn't too bad until you want a list of members for a specific role when you need to get the members and then check the roles of all the members before returning a subset. The resource ACL also needs to be aware of what roles the group system knows about. Where a role has a non permission use case - the purely human roles - I have no problem with roles being stored as attributes of membership. Fuzziness can be taken for granted for these :) My main concern about the do-ability of a general purpose groups system is the computational cost of maintaining currency of dynamic groups. The rules for their membership will depend on attributes maintained in other systems. I think the groups system will need to subscribe to change events from these systems and rerun affected rules for each change. In a large system the number of permutations is scary. But I think we need this functionality, even if it means having a system somewhere constantly processing these events. But I don't want this event processing to have to be on a system that's also serving sakai. (This is the real limitation of our in house system which manages these roles on a transactional system) I also want the update processing to be as simple as possible. One reason I prefer not to model roles and permissions within groups is to simplify membership resolution. I think it's probably faster to have lots of simple groups than fewer complex groups (I may be wrong though). So we build a simple but flexible back end system optimised for simple processing with extendability. We design context specific user interfaces to this which optimise user workflows for identified use cases. We don't need to provide users with all supportable options all the time. If the sakai 3 groups system is integrated then it doesn't matter to users whether memberships are 'internal' or external to sakai. They are treated the same, through a common API. Both the 'sakai' group and the 'external' group belong to the group system. There may be business rules limiting what a user can do with a specific membership and there may be externally provided attributes driving membership but how these are treated should be consistent across both 'internal' and 'external'. (We actually do this with sakai 2 at CSU now through an extended group provider interface and patched site info code) Ray are your group categories sort of like patterns for groups. Something like we have roles as permission patterns for members these are rule patterns for groups. They could provide patterns for provisioning groups? I think of both these as within the template space controlling a provisioning process although they could also influence group management. Actually Ray I agree with most of your doco :) (and I had read it before but I've read most of it again) (and I've been interested in the MACE activities for some time) ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@... www.csu.edu.au ---------------------------------------------------- > -----Original Message----- > From: Ray Davis [mailto:ray@...] > Sent: Tuesday, 27 October 2009 5:34 AM > To: John Norman > Cc: Bristow, Paul; sakai-user; sakai-ux UX > Subject: Re: [Using Sakai] [DG: User Experience] Some thoughts on group > functionality > > On 10/26/09 10:38 AM, John Norman wrote: > > Paul > > > > It seems to me this is the critical paragraph in your paper: > > "A group management system such as this would be useful across (and > > beyond) the enterprise. I see no reason why it has to be part of the > > sakai kernel, part of the same JVM or part of the same service. My > > preference would be an API for sakai 3 along with a reference > > implementation which may be outside the kernel but in the sakai > > instance" > > > > It goes to the scope question: > > Are we solving the Enterprise Groups problem, or some subset of the > > problem? > > Neither, AFAIK, if I'm part of the "we". :) What we need to solve is > more your question 2 than your question 1. > > * Sakai needs to support use cases that use a variety of approaches to > "enterprise groups", including multiple sources and including "no > sources at all." We can't dictate those. But we _can_ be prepared for > particular testable real-world use cases, and we _should_ support the > most common ones (possible candidates include IMS LIS, Kuali SIS, some > LDAP configurations, some SAML configurations, OpenSocial as both > producer and consumer) out of the box. > > * Sakai needs to combine integration with externally managed > communities > (including "enterprise groups") with the flexibility our users expect > of > decent collaborative software. That means not ONLY supporting > internally-managed memberships, roles, and permissions, and not ONLY > supporting externally-dictated memberships, roles, and permissions. The > hardest task (or at least the task on which Sakai 2 fell apart most > painfully) is supporting both in a way that normal human beings can > understand. > > So I talk a lot about integration approaches because I know we need to > understand them (and sometimes hook up to them) to meet Sakai user > needs. And I spend some time pressing for standardization of > integration > sources (so that, for example, Google Apps Education, Moodle, Sakai, > and > Blackboard can all work from the same feeds) because that will > ultimately reduce the amount of duplicated work Sakai customers need to > do. But they're basically a side issue to the problem that really > preoccupies us. > > In terms of integrating with a single all-in-one group-management > solution, see: > http://confluence.sakaiproject.org/display/GROUPS/Potential+service+int > egrations > > Best, > Ray > > > If we are solving a subset, what are the integration points > > with the Enterprise Groups solution and what do we do if no > Enterprise > > Groups solution is available? If we solve the Enterprise Groups > > problem, what does deployment look like in an institution with > another > > Enterprise Groups solution in place? > > > > In general, the approach I believe you are proposing - that the UI to > > manage groups interacts with code outside the kernel but then is > > expressed in terms of JCR groups inside the kernel through an api - > is > > appealing. It offers performance for questions the code needs > answered > > (like: can this user access this information?) and it seems to offer > > flexibility for educationally-important group use-cases that are not > > strictly Sakai-only information. But as I try to think this through I > > get stuck in a couple of places > > 1. How do we create a UI that is meaningful both outside and inside > > Sakai > > 2. How can we design a user experience that works equally well for > > institutions that have Enterprise Groups and institutions that do > not? > > > > John > > > > PS This is for me the main area of ambiguity in the documents to > which > > Ray keeps referring. I can't find where the questions are addressed > > and I keep imagining that Ray is in fact trying to write the > > Enterprise Groups application of which Sakai would then be a client. > > In supposing that Sakai would be able to manage some of the > > information in an Enterprise Groups store, one makes assumptions > about > > what the owners of that store will accept from other systems. Those > > assumptions may not be universally valid. > > > > PPS The problem is exacerbated by Enterprise Groups currently being > an > > unsolved problem (as far as I know) and different institutions having > > very different political contexts in which any solution might be > > deployed and operated. Each of us is likely making assumptions about > > how an Enterprise Groups future might be realised and that is likely > > colouring our expectations of how this might impact Sakai. I think > the > > emergence of LDAP as an intermediate step in one profile (?) of the > > IMS SIS/LMS integration work both illustrates the dilemma and one > > possible response to the dilemma. > > > > PPPS If I think of the problem as an Enterprise Integration problem, > I > > am tempted to come over all SOA and say Sakai should have a means of > > being aware (and kept up to date) of relevant information sources > > outside Sakai and should be able to determine what it does with that > > external information. If Sakai manages/processes the information it > > should be able to do what it likes, but should emit events that > notify > > the external system of Sakai's manipulations and allows the external > > system to decide what notice it takes of those manipulations. This > > points to a more tightly scoped set of user interactions with groups > > data. > > > > Scope is everything in this discussion. > > > > On 25 Oct 2009, at 23:55, Bristow, Paul wrote: > > > >> http://docs.google.com/View?id=dcshzgr2_1c892k2pt > >> > >> Some conceptual thoughts about group functionality, required > >> functions and a possible approach. Rough thoughts at the moment, > >> could be expanded if there's value in them. > >> > >>> From what I can see from the sidelines of the Sakai 3 groups > >>> initiative it seems focused on the client side of how users use a > >>> group management system. I've tried to coalesce the functionality > >>> of the requirements identified here and elsewhere along with our > >>> local experience and expectations into a possible system and API > >>> for back end functionality. > >> Comments, suggestions, criticism welcome > >> > >> ---------------------------------------------------- > >> Paul Bristow > >> Applications Architect > >> Division of Information Technology > >> Charles Sturt University > >> Ph: 02 6051 9959 > >> Fax: 02 6051 9919 > >> pbristow@... > >> www.csu.edu.au > >> ---------------------------------------------------- > >> > >> YOU MUST READ THIS NOTICE > >> > >> This email has been sent by Charles Sturt University (ABN 83 878 708 > >> 551). This email > >> (and any attachment) is confidential and is intended for the use of > >> the addressee(s) > >> only. If you are not the intended recipient of this email you must > >> not copy, > >> distribute, take any action in reliance on it or disclose it to > >> anyone. Any > >> confidentiality is not waived or lost by reason of mistaken delivery > >> to you. The > >> views expressed in this email are not necessarily those of Charles > >> Sturt University. > >> It is very important that before opening any attachments to this > >> email you check them > >> for viruses and defects. CSU does not accept liability for any > >> corruption or viruses > >> or any consequence which arise as a result of this email > >> transmission. Email > >> communications with CSU may be subject to automated email filtering, > >> which could result > >> in the delay or deletion of a legitimate email before it is read by > >> its intended > >> recipient at CSU. Please tell us if you have concerns about this > >> automatic filtering. > >> The Commonwealth Register of Institutions and Courses for Overseas > >> Students (CRICOS) > >> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for > >> Charles Sturt > >> University. > >> ---------------------------------------------------- > >> _______________________________________________ > >> sakai-user mailing list > >> sakai-user@... > >> http://collab.sakaiproject.org/mailman/listinfo/sakai-user > >> > >> TO UNSUBSCRIBE: send email to sakai-user- > unsubscribe@... > >> with a subject of "unsubscribe" > > > > _______________________________________________ > > sakai-user mailing list > > sakai-user@... > > http://collab.sakaiproject.org/mailman/listinfo/sakai-user > > > > TO UNSUBSCRIBE: send email to sakai-user- > unsubscribe@... with a subject of "unsubscribe" > > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by Ray Davis :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Thanks for the thoughtful reply, Paul. It's great to have you working this territory. I think most of our apparent disagreements may come down to how we're labeling conceptual boundaries in human workflows and system architecture. Others may best be worked out through the effort/experiment of testing scenarios with end users and delivering working software -- they seem to center in areas where I don't see a rabbit waiting in the hat. On 10/26/09 11:04 PM, Bristow, Paul wrote: > What do we want for the scope of sakai 3? Is it just an LMS? Is it a closed system? > > My view of Sakai 2 is that it is essentially closed (Cambridge have some Facebook integration there may be other exceptions). Sakai 2 resources are accessed through Sakai 2 sites within the Sakai 2 portal. Viewed abstractly, the Sakai 2 kernel design allowed for richer and more open integrations and practices. At the implementation and application layers, the product effectively turned rigid. Going through that experience is why we've been so insistent about keeping groups-and-roles a key concern from early on. > The impression I've received is that Sakai 3 is intended to be far more participatory. There is far more focus on sharing information across groups and sites. I also had the impression we wanted Sakai 3 resources and activities to be integrated into interfaces outside a Sakai 3 'portal'. Our resources, accessible through restful addresses are now mashable in the browser. > > To me this means identity, groups and authorisation are enterprise concerns, we can no longer make the same assumptions about limited ways in which our users will interact with us. > > It seems to me that > 1. there is probably no available enterprise system that will meet all our use cases > 2. a group system that meets all our use cases would be superior to any existing enterprise system I agree with all your suggestions and all your numbered points except possibly this one (number 2). But we may be envisioning different things by "a group system that meets all our use cases." I'm pretty certain that a Sakai team won't write a software library with UX components that can take the place of all the existing approaches to group-and-role management throughout all departments of higher education. (At least I'm pretty certain that _I_ won't. :) I guess it's possible that some team working partly on Sakai would eventually come up with something that rules the space somewhat as JA-SIG CAS and Spring Security rule the authentication space.) On the other hand, if by "a group system" you mean only what you suggest below (we need to meet our needs both in terms of integration and in terms of inside-the-LMS flexibility; no software project meeting those needs currently exists; therefore we need to build it ourselves), then, yes, I reluctantly came to the same conclusion a couple of months ago. > 3. there may be other more sophisticated enterprise group systems in the future > 4. there are likely to be use cases for having one enterprise's groups system cooperating with another > > I think this means > 1. we're likely to need to build something for this functionality anyway > 2. we could benefit from having this functionality available more broadly > 3. use cases and requirements will continue to evolve > 4. group systems need to be able to cooperate > > My suggestion would be to > 1. design an extendable API for group membership > 2. design an implementation which meets our most important needs > 3. expose that implementation to other systems requiring group functionality through its API > 4. support and encourage other implementations which can be plugged in instead of or as well as the base implementation > > Those without enterprise group systems could implement the base sakai 3 implementation and optionally extend its use into integrating groups into other systems which would facilitate seamlessly integrating sakai 3 into the broader information architecture. Those with enterprise group systems could choose to create an implementation which maps aspects of their group system to the API. Assuming that preexisting group systems will have less functionality they may want to merge their functionality into a custom implementation. > >>From our (CSU) perspective we need to be able to dynamically manage groups based on student enrolments. Other dynamic use cases are more in the nice to have area but I would see the ability to facilitate optional subgroup provisioning for tutorials, workshops, study and assignment groups as very attractive if not compelling. > > I can't see any reason having this group functionality should conflict with more basic manually managed groups. Our existing in house system mixes manual groups with dynamic groups populated according to enrolment, employment status and level, and parent-child inheritance. For me it's not either/or we need to support both. > > I also think all the functionality I suggested in my document is necessary to support use cases which have already been identified. My general rule based approach to dynamic groups may be substituted with hard coded rules supporting specific use cases eg enrolment. LIS would presumably remove the need for customising these hard coded rules for every SIS. But a rule based approach allows us to add rules declaratively in a rules system to extend our use cases without recoding. > > The document http://confluence.sakaiproject.org/display/GROUPS/Roles+and+permissions has a section called The hard problem of permissions. Ray talks about his hubris in being comfortable with groups roles and resources but not with permissions. I kind of agree with this but I've got even more hubris, I think I'm ok with the permissions too provided we don't let them compromise the core group functionality. > > This is why I'd like the permission side to be implemented in a separate permission (or ACL) system that links all members of a group to specific permissions. The ACL asks 'is the user a member of the group' and gets a simple reply. If you put roles affecting permissions in the groups the question becomes 'is the user a member of the group with a specific role'. This isn't too bad until you want a list of members for a specific role when you need to get the members and then check the roles of all the members before returning a subset. The resource ACL also needs to be aware of what roles the group system knows about. A couple of comments here: * I'm (again, reluctantly) certain from past experience that a Sakai permission system will need to venture into vocabulary outside standard JCR ACE rights. You don't say anything that contradicts that, but I wanted to emphasize it since you mentioned "ACLs". * We know from analyzing our use cases that group-instances exist within specific contexts and have sources (and other properties). We also know that cross-group role assignments exist within contexts and have sources (and other properties). Finally, we know that contextually-scoped role assignments often get treated as group-instances get treated (e.g., "send message to these people"). But I'm not yet prepared to say "All group memberships have roles attributes" or "All contextually-scoped role assignments are stored as JCR authz groups." I feel we need to leave some room for the UX design and service design efforts to experiment with different approaches, particularly around the relatively unexplored UX issues of flexible integration (where roles are especially important). > Where a role has a non permission use case - the purely human roles - I have no problem with roles being stored as attributes of membership. Fuzziness can be taken for granted for these :) > > My main concern about the do-ability of a general purpose groups system is the computational cost of maintaining currency of dynamic groups. The rules for their membership will depend on attributes maintained in other systems. I think the groups system will need to subscribe to change events from these systems and rerun affected rules for each change. In a large system the number of permutations is scary. > > But I think we need this functionality, even if it means having a system somewhere constantly processing these events. But I don't want this event processing to have to be on a system that's also serving sakai. (This is the real limitation of our in house system which manages these roles on a transactional system) > > I also want the update processing to be as simple as possible. One reason I prefer not to model roles and permissions within groups is to simplify membership resolution. I think it's probably faster to have lots of simple groups than fewer complex groups (I may be wrong though). > > So we build a simple but flexible back end system optimised for simple processing with extendability. We design context specific user interfaces to this which optimise user workflows for identified use cases. We don't need to provide users with all supportable options all the time. > > If the sakai 3 groups system is integrated then it doesn't matter to users whether memberships are 'internal' or external to sakai. They are treated the same, through a common API. Both the 'sakai' group and the 'external' group belong to the group system. There may be business rules limiting what a user can do with a specific membership and there may be externally provided attributes driving membership but how these are treated should be consistent across both 'internal' and 'external'. Strongly agree. > (We actually do this with sakai 2 at CSU now through an extended group provider interface and patched site info code) > > Ray are your group categories sort of like patterns for groups. Something like we have roles as permission patterns for members these are rule patterns for groups. They could provide patterns for provisioning groups? I think of both these as within the template space controlling a provisioning process although they could also influence group management. Yes, you could think of them as easily customizable (or specified) patterns that attach to a clump of groups. Eli says he's most comfortable at this point thinking of them as a named quasi-group with rules and built-in operations that operate on a set of dependent subgroups. At the UX / client-side component level, I'm beginning to suspect that capabilities like "section categories" and "context-specific role assignments" may end up being modeled this way. I don't yet have any particular theory about how far down into core services such a shared model might extend. > Actually Ray I agree with most of your doco :) > (and I had read it before but I've read most of it again) > (and I've been interested in the MACE activities for some time) Cool! Glad someone's reading that stuff besides me. :) Best, Ray > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > >> -----Original Message----- >> From: Ray Davis [mailto:ray@...] >> Sent: Tuesday, 27 October 2009 5:34 AM >> To: John Norman >> Cc: Bristow, Paul; sakai-user; sakai-ux UX >> Subject: Re: [Using Sakai] [DG: User Experience] Some thoughts on group >> functionality >> >> On 10/26/09 10:38 AM, John Norman wrote: >>> Paul >>> >>> It seems to me this is the critical paragraph in your paper: >>> "A group management system such as this would be useful across (and >>> beyond) the enterprise. I see no reason why it has to be part of the >>> sakai kernel, part of the same JVM or part of the same service. My >>> preference would be an API for sakai 3 along with a reference >>> implementation which may be outside the kernel but in the sakai >>> instance" >>> >>> It goes to the scope question: >>> Are we solving the Enterprise Groups problem, or some subset of the >>> problem? >> Neither, AFAIK, if I'm part of the "we". :) What we need to solve is >> more your question 2 than your question 1. >> >> * Sakai needs to support use cases that use a variety of approaches to >> "enterprise groups", including multiple sources and including "no >> sources at all." We can't dictate those. But we _can_ be prepared for >> particular testable real-world use cases, and we _should_ support the >> most common ones (possible candidates include IMS LIS, Kuali SIS, some >> LDAP configurations, some SAML configurations, OpenSocial as both >> producer and consumer) out of the box. >> >> * Sakai needs to combine integration with externally managed >> communities >> (including "enterprise groups") with the flexibility our users expect >> of >> decent collaborative software. That means not ONLY supporting >> internally-managed memberships, roles, and permissions, and not ONLY >> supporting externally-dictated memberships, roles, and permissions. The >> hardest task (or at least the task on which Sakai 2 fell apart most >> painfully) is supporting both in a way that normal human beings can >> understand. >> >> So I talk a lot about integration approaches because I know we need to >> understand them (and sometimes hook up to them) to meet Sakai user >> needs. And I spend some time pressing for standardization of >> integration >> sources (so that, for example, Google Apps Education, Moodle, Sakai, >> and >> Blackboard can all work from the same feeds) because that will >> ultimately reduce the amount of duplicated work Sakai customers need to >> do. But they're basically a side issue to the problem that really >> preoccupies us. >> >> In terms of integrating with a single all-in-one group-management >> solution, see: >> http://confluence.sakaiproject.org/display/GROUPS/Potential+service+int >> egrations >> >> Best, >> Ray >> >>> If we are solving a subset, what are the integration points >>> with the Enterprise Groups solution and what do we do if no >> Enterprise >>> Groups solution is available? If we solve the Enterprise Groups >>> problem, what does deployment look like in an institution with >> another >>> Enterprise Groups solution in place? >>> >>> In general, the approach I believe you are proposing - that the UI to >>> manage groups interacts with code outside the kernel but then is >>> expressed in terms of JCR groups inside the kernel through an api - >> is >>> appealing. It offers performance for questions the code needs >> answered >>> (like: can this user access this information?) and it seems to offer >>> flexibility for educationally-important group use-cases that are not >>> strictly Sakai-only information. But as I try to think this through I >>> get stuck in a couple of places >>> 1. How do we create a UI that is meaningful both outside and inside >>> Sakai >>> 2. How can we design a user experience that works equally well for >>> institutions that have Enterprise Groups and institutions that do >> not? >>> John >>> >>> PS This is for me the main area of ambiguity in the documents to >> which >>> Ray keeps referring. I can't find where the questions are addressed >>> and I keep imagining that Ray is in fact trying to write the >>> Enterprise Groups application of which Sakai would then be a client. >>> In supposing that Sakai would be able to manage some of the >>> information in an Enterprise Groups store, one makes assumptions >> about >>> what the owners of that store will accept from other systems. Those >>> assumptions may not be universally valid. >>> >>> PPS The problem is exacerbated by Enterprise Groups currently being >> an >>> unsolved problem (as far as I know) and different institutions having >>> very different political contexts in which any solution might be >>> deployed and operated. Each of us is likely making assumptions about >>> how an Enterprise Groups future might be realised and that is likely >>> colouring our expectations of how this might impact Sakai. I think >> the >>> emergence of LDAP as an intermediate step in one profile (?) of the >>> IMS SIS/LMS integration work both illustrates the dilemma and one >>> possible response to the dilemma. >>> >>> PPPS If I think of the problem as an Enterprise Integration problem, >> I >>> am tempted to come over all SOA and say Sakai should have a means of >>> being aware (and kept up to date) of relevant information sources >>> outside Sakai and should be able to determine what it does with that >>> external information. If Sakai manages/processes the information it >>> should be able to do what it likes, but should emit events that >> notify >>> the external system of Sakai's manipulations and allows the external >>> system to decide what notice it takes of those manipulations. This >>> points to a more tightly scoped set of user interactions with groups >>> data. >>> >>> Scope is everything in this discussion. >>> >>> On 25 Oct 2009, at 23:55, Bristow, Paul wrote: >>> >>>> http://docs.google.com/View?id=dcshzgr2_1c892k2pt >>>> >>>> Some conceptual thoughts about group functionality, required >>>> functions and a possible approach. Rough thoughts at the moment, >>>> could be expanded if there's value in them. >>>> >>>>> From what I can see from the sidelines of the Sakai 3 groups >>>>> initiative it seems focused on the client side of how users use a >>>>> group management system. I've tried to coalesce the functionality >>>>> of the requirements identified here and elsewhere along with our >>>>> local experience and expectations into a possible system and API >>>>> for back end functionality. >>>> Comments, suggestions, criticism welcome >>>> >>>> ---------------------------------------------------- >>>> Paul Bristow >>>> Applications Architect >>>> Division of Information Technology >>>> Charles Sturt University >>>> Ph: 02 6051 9959 >>>> Fax: 02 6051 9919 >>>> pbristow@... >>>> www.csu.edu.au >>>> ---------------------------------------------------- >>>> >>>> YOU MUST READ THIS NOTICE >>>> >>>> This email has been sent by Charles Sturt University (ABN 83 878 708 >>>> 551). This email >>>> (and any attachment) is confidential and is intended for the use of >>>> the addressee(s) >>>> only. If you are not the intended recipient of this email you must >>>> not copy, >>>> distribute, take any action in reliance on it or disclose it to >>>> anyone. Any >>>> confidentiality is not waived or lost by reason of mistaken delivery >>>> to you. The >>>> views expressed in this email are not necessarily those of Charles >>>> Sturt University. >>>> It is very important that before opening any attachments to this >>>> email you check them >>>> for viruses and defects. CSU does not accept liability for any >>>> corruption or viruses >>>> or any consequence which arise as a result of this email >>>> transmission. Email >>>> communications with CSU may be subject to automated email filtering, >>>> which could result >>>> in the delay or deletion of a legitimate email before it is read by >>>> its intended >>>> recipient at CSU. Please tell us if you have concerns about this >>>> automatic filtering. >>>> The Commonwealth Register of Institutions and Courses for Overseas >>>> Students (CRICOS) >>>> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for >>>> Charles Sturt >>>> University. >>>> ---------------------------------------------------- >>>> _______________________________________________ >>>> sakai-user mailing list >>>> sakai-user@... >>>> http://collab.sakaiproject.org/mailman/listinfo/sakai-user _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Bristow, Paul :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Ray, > I think most of our apparent disagreements may come down to how we're > labeling conceptual boundaries in human workflows and system > architecture. Others may best be worked out through the > effort/experiment of testing scenarios with end users and delivering > working software -- they seem to center in areas where I don't see a > rabbit waiting in the hat. Agreed (and your glossary is good). But my first IT boss had an annoying expectation for generic solutions - a specific solution was never acceptable (he's a Professor which may explain this approach). It's become a habit that's hard to shake. So I'm looking for a unified model that supports today's user scenarios and maybe some of tomorrow's. Working software for identified use cases may be adequate but I'm greedier than that :) Defining the conceptual boundaries is a key part of this. > I agree with all your suggestions and all your numbered points except > possibly this one (number 2). But we may be envisioning different > things > by "a group system that meets all our use cases." > > I'm pretty certain that a Sakai team won't write a software library > with > UX components that can take the place of all the existing approaches to > group-and-role management throughout all departments of higher > education. (At least I'm pretty certain that _I_ won't. :) I guess it's > possible that some team working partly on Sakai would eventually come > up > with something that rules the space somewhat as JA-SIG CAS and Spring > Security rule the authentication space.) > > On the other hand, if by "a group system" you mean only what you > suggest > below (we need to meet our needs both in terms of integration and in > terms of inside-the-LMS flexibility; no software project meeting those > needs currently exists; therefore we need to build it ourselves), then, > yes, I reluctantly came to the same conclusion a couple of months ago. I'm talking mainly at the back end here. I don't expect us to have UIs supporting every possible context for groups but I'd like to have back end services which support them as far as possible. My expectation for the Brave New World of Sakai 3 is that UX components will be easy to build and add as new use cases emerge. As far as possible we don't want them to need new back end services as this hurts agility. > * I'm (again, reluctantly) certain from past experience that a Sakai > permission system will need to venture into vocabulary outside standard > JCR ACE rights. You don't say anything that contradicts that, but I > wanted to emphasize it since you mentioned "ACLs". I tend to agree with this. But I'm still hoping we can design systems where sakai 3 JCR authorisation can support our authz needs with its native ACLs + the extension for dynamic membership resolution. I hope we can have group and permission functionality pushing more static groups and memberships into JCR groups and provide pull hooks for dynamic resolution. If we can move our more sophisticated group, role and permission functionality into separate (sub)systems and intercept group, role and permission management calls and run them through our own APIs I hope this can support our needs while leaving the JCR authz relatively untouched. I'm not convinced we can get away with this but if we can't it throws a large spanner into the k2 works. We need to try to make this work or we require major rethinks of some core k2 functionality. On this I'm pragmatic (you may say it's the only place I'm being pragmatic). > * We know from analyzing our use cases that group-instances exist > within > specific contexts and have sources (and other properties). We also know > that cross-group role assignments exist within contexts and have > sources > (and other properties). Finally, we know that contextually-scoped role > assignments often get treated as group-instances get treated (e.g., > "send message to these people"). But I'm not yet prepared to say "All > group memberships have roles attributes" or "All contextually-scoped > role assignments are stored as JCR authz groups." I feel we need to > leave some room for the UX design and service design efforts to > experiment with different approaches, particularly around the > relatively > unexplored UX issues of flexible integration (where roles are > especially > important). I'm not sure I'm getting what you're saying here. I'll think about it some more. Thanks... ---------------------------------------------------- Paul Bristow Applications Architect Division of Information Technology Charles Sturt University Ph: 02 6051 9959 Fax: 02 6051 9919 pbristow@... www.csu.edu.au ---------------------------------------------------- YOU MUST READ THIS NOTICE This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email (and any attachment) is confidential and is intended for the use of the addressee(s) only. If you are not the intended recipient of this email you must not copy, distribute, take any action in reliance on it or disclose it to anyone. Any confidentiality is not waived or lost by reason of mistaken delivery to you. The views expressed in this email are not necessarily those of Charles Sturt University. It is very important that before opening any attachments to this email you check them for viruses and defects. CSU does not accept liability for any corruption or viruses or any consequence which arise as a result of this email transmission. Email communications with CSU may be subject to automated email filtering, which could result in the delay or deletion of a legitimate email before it is read by its intended recipient at CSU. Please tell us if you have concerns about this automatic filtering. The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt University. ---------------------------------------------------- _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by jrnorman :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message So if we accept that 'the Sakai Community' believes Enterprise Groups is a poorly addressed space for the present and we don't expect good solutions in the near future, then it makes sense for Sakai to stray outside a narrow definition of scope in terms of groups support. One consequence of this IMHO is that we need to consider use cases where Sakai is a provider of group information to external systems. Moving on to think about such a system, I'm not sure I agree with one of Ray's assertions about what we should expect to flow across the Sakai/External boundary. At first sight, I can imagine an argument that says we only expect to receive and supply groups and memberships. Roles and permissions in an external system have no constraint that means they have to conform to Sakai expectations/standards/norms. I'm curious about use cases that would make the translation (and translation maintenance) task worthwhile. If they exist, it feels like a case for SOA, but I can imagine that we deliberately support selected exceptions such as LIS. When it comes to implementation of 'broad' support for groups. I have 3 main concerns; navigation, authority and accountability 1. Navigation: Free creation of groups can lead to a plethora of groups. If it becomes harder to find a group than to create a new group, the problem will get worse. Issues below suggest that there will need to be at least one hierarchy, but that may not be the most logical structure for browsing and discovery. I believe we will need similar tagging concepts to content to allow flexible 'organisations' of groups. If we are going to use a tagging mental model for users, it would be desirable that the model work in consistent ways between groups and content. I assume this might be what Ray refers to in terms of conversations with Eli about needing groupings of groups. 2. Authority: Probably easiest to address this with an example. Lets say I set up a group and I call it St John's College Choir (I am nothing to do with the Choir). Lets imagine the Choir has a group already, but for historic reasons they named it Lady Mary Choir. How would someone browsing groups to find the 'official' membership of St John's College Choir, know that they should use the Lady Mary Choir group? This is the part where I think the minimum hierarchy comes in. There will probably want to be 'group domains' that enjoy delegated administration to named admins. The 'official' group could be identified as official because it visibly belongs to the delegated/ administered 'domain' of St John's College. My group would be identifiable as potentially bogus because it belongs to the 'freeforall' domain. In branding terms it could be like a subsidiary business: "Mini Motors, a proud division of All American Automotive", or in this case "Lady Mary Choir" an official group of St John's College". 3. Accountability: If something goes wrong (e.g. someone establishes the Vice Chancellors Finance Group and sells the University to a gullible American - I leave the reader to judge the likelihood of that example). Who is responsible for allowing it to happen so they can be alerted to the need to tighten up oversight. Naturally this is less of an issue for a strongly hierarchical institution, but for a highly delegated federal organisation like Cambridge it is a real issue. I see a strong argument for this 'organising people' function to be a broad and central part of Sakai. If we take it on, we need to make the 'organisations' available for non-Sakai uses (even if only as a csv file, but preferably as a data api). At present, beyond general intuition of both Ray and Paul, I don't think we have evidence that K2/ JCR models are inadequate. I think there are good performance reasons for implementing things like permission checks that depend on group information internally in K2/Sling/JCR so I hope we will pursue K2/JCR as the preferred implementation until real use cases force us to compromise. John On 28 Oct 2009, at 01:39, Bristow, Paul wrote: > Ray, > >> I think most of our apparent disagreements may come down to how we're >> labeling conceptual boundaries in human workflows and system >> architecture. Others may best be worked out through the >> effort/experiment of testing scenarios with end users and delivering >> working software -- they seem to center in areas where I don't see a >> rabbit waiting in the hat. > > Agreed (and your glossary is good). > > But my first IT boss had an annoying expectation for generic > solutions - a specific solution was never acceptable (he's a > Professor which may explain this approach). It's become a habit > that's hard to shake. So I'm looking for a unified model that > supports today's user scenarios and maybe some of tomorrow's. > Working software for identified use cases may be adequate but I'm > greedier than that :) > > Defining the conceptual boundaries is a key part of this. > >> I agree with all your suggestions and all your numbered points except >> possibly this one (number 2). But we may be envisioning different >> things >> by "a group system that meets all our use cases." >> >> I'm pretty certain that a Sakai team won't write a software library >> with >> UX components that can take the place of all the existing >> approaches to >> group-and-role management throughout all departments of higher >> education. (At least I'm pretty certain that _I_ won't. :) I guess >> it's >> possible that some team working partly on Sakai would eventually come >> up >> with something that rules the space somewhat as JA-SIG CAS and Spring >> Security rule the authentication space.) >> >> On the other hand, if by "a group system" you mean only what you >> suggest >> below (we need to meet our needs both in terms of integration and in >> terms of inside-the-LMS flexibility; no software project meeting >> those >> needs currently exists; therefore we need to build it ourselves), >> then, >> yes, I reluctantly came to the same conclusion a couple of months >> ago. > > I'm talking mainly at the back end here. I don't expect us to have > UIs supporting every possible context for groups but I'd like to > have back end services which support them as far as possible. My > expectation for the Brave New World of Sakai 3 is that UX components > will be easy to build and add as new use cases emerge. As far as > possible we don't want them to need new back end services as this > hurts agility. > >> * I'm (again, reluctantly) certain from past experience that a Sakai >> permission system will need to venture into vocabulary outside >> standard >> JCR ACE rights. You don't say anything that contradicts that, but I >> wanted to emphasize it since you mentioned "ACLs". > > I tend to agree with this. But I'm still hoping we can design > systems where sakai 3 JCR authorisation can support our authz needs > with its native ACLs + the extension for dynamic membership > resolution. I hope we can have group and permission functionality > pushing more static groups and memberships into JCR groups and > provide pull hooks for dynamic resolution. If we can move our more > sophisticated group, role and permission functionality into separate > (sub)systems and intercept group, role and permission management > calls and run them through our own APIs I hope this can support our > needs while leaving the JCR authz relatively untouched. > > I'm not convinced we can get away with this but if we can't it > throws a large spanner into the k2 works. We need to try to make > this work or we require major rethinks of some core k2 > functionality. On this I'm pragmatic (you may say it's the only > place I'm being pragmatic). > >> * We know from analyzing our use cases that group-instances exist >> within >> specific contexts and have sources (and other properties). We also >> know >> that cross-group role assignments exist within contexts and have >> sources >> (and other properties). Finally, we know that contextually-scoped >> role >> assignments often get treated as group-instances get treated (e.g., >> "send message to these people"). But I'm not yet prepared to say "All >> group memberships have roles attributes" or "All contextually-scoped >> role assignments are stored as JCR authz groups." I feel we need to >> leave some room for the UX design and service design efforts to >> experiment with different approaches, particularly around the >> relatively >> unexplored UX issues of flexible integration (where roles are >> especially >> important). > > I'm not sure I'm getting what you're saying here. I'll think about > it some more. > > Thanks... > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > > YOU MUST READ THIS NOTICE > > This email has been sent by Charles Sturt University (ABN 83 878 708 > 551). This email > (and any attachment) is confidential and is intended for the use of > the addressee(s) > only. If you are not the intended recipient of this email you must > not copy, > distribute, take any action in reliance on it or disclose it to > anyone. Any > confidentiality is not waived or lost by reason of mistaken delivery > to you. The > views expressed in this email are not necessarily those of Charles > Sturt University. > It is very important that before opening any attachments to this > email you check them > for viruses and defects. CSU does not accept liability for any > corruption or viruses > or any consequence which arise as a result of this email > transmission. Email > communications with CSU may be subject to automated email filtering, > which could result > in the delay or deletion of a legitimate email before it is read by > its intended > recipient at CSU. Please tell us if you have concerns about this > automatic filtering. > The Commonwealth Register of Institutions and Courses for Overseas > Students (CRICOS) > Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for > Charles Sturt > University. > ---------------------------------------------------- > _______________________________________________ > sakai-ux mailing list > sakai-ux@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-ux > > TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... > with a subject of "unsubscribe" _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Michael Feldstein-2 :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message John Norman wrote: At first sight, I can imagine an argument that says we only expect to receive and supply groups and memberships. Roles and permissions in an external system have no constraint that means they have to conform to Sakai expectations/standards/norms. I'm curious about use cases that would make the translation (and translation maintenance) task worthwhile. If they exist, it feels like a case for SOA, but I can imagine that we deliberately support selected exceptions such as LIS. LIS is SOA. It's SOAP-based with well defined service operations, and it is explicitly designed to translate from SIS expectations/standards/norms to those of the LMS, though there's more work in that regard on groups translation than on roles. The information LIS supplies about "roles" is not really identity management information in the sense that it doesn't map directly and predictably to permissions. We're talking about two distinct (though related) meanings of the word "role." So LIS is an example of your point, not an exception to it. - m -- Michael Feldstein \| Principal Product Manager \| +1.818.817.2925 Oracle Academic Enterprise Solutions Group 23A Glendale Road, Glendale, MA 01229 _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality by Ray Davis :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message I'll just have a go at clarifying the murkiest part of my earlier message before getting back to pragmatics. :) There are two big stumbling blocks I always have to keep in mind when working on this stuff. One is a byproduct of human evolution. We unconsciously focus on the smallest social context we're in, and we're trained to switch social contexts pretty easily. When I walk out of a lecture hall and walk into a bar, even if I'm with the same people our expectations about each other's behavior normally shift. (When they don't shift as expected, there are usually unpleasant consequences.) Working on something like Sakai forces me to keep _explicitly defined and multiple_ social contexts in mind. The other is just a standard software development stumbling block. We want to simplify the task we're faced with, and one way of doing that is by taking more constraints for granted: fewer variables = less complexity. Unfortunately, I've learned that UX design and code architecture go rotten in a hurry if I make too many assumptions too early. In the particular case of "integrating multiple existing social contexts with multiple online social contexts in an intuitive flexible fashion," I feel as if we're still comparatively early in the process. So I'm trying to distinguish between the constraints I'm pretty sure of and the constraints that are just discardable "working hypotheses." I know that the social context of an introductory course at UC Berkeley, the social context of a college at Oxford, the social context of a grant-funded research group, the social context of a student organization, and the social context of a multifunctional collaborative web application all have lists of people associated with them. Most of them also ascribe roles to distinguish some people from others in that context. Some of them have some built-in sets of people that can be named; all of them might need to form and disband new subsets of people for particular tasks. And for all of them we need to be able to say "Here are the people who meet such-and-such criteria". But if I then say "well, all group memberships have role metadata", that might prejudice my ideas of how to present these things ("so we just display a table of groups with rows of people and roles in the columns") and how to implement them. My sense from having worked on Sakai 2 is that this will trip us up when we try to make it easy for people to translate from one social context (say an Italian class with tutorial sections, enrolled students, discussion leaders, and official instructors) to a different social context (say a collaborate web suite with chat rooms, discussion boards, wikis, and group blogs which include contributions from librarians and outside-the-campus scholars). Phew! Sorry to be so long winded -- I hope that helps... Best, Ray >> * We know from analyzing our use cases that group-instances exist >> within >> specific contexts and have sources (and other properties). We also know >> that cross-group role assignments exist within contexts and have >> sources >> (and other properties). Finally, we know that contextually-scoped role >> assignments often get treated as group-instances get treated (e.g., >> "send message to these people"). But I'm not yet prepared to say "All >> group memberships have roles attributes" or "All contextually-scoped >> role assignments are stored as JCR authz groups." I feel we need to >> leave some room for the UX design and service design efforts to >> experiment with different approaches, particularly around the >> relatively >> unexplored UX issues of flexible integration (where roles are >> especially >> important). > On 10/27/09 6:39 PM, Bristow, Paul wrote: > Ray, > >> I think most of our apparent disagreements may come down to how we're >> labeling conceptual boundaries in human workflows and system >> architecture. Others may best be worked out through the >> effort/experiment of testing scenarios with end users and delivering >> working software -- they seem to center in areas where I don't see a >> rabbit waiting in the hat. > > Agreed (and your glossary is good). > > But my first IT boss had an annoying expectation for generic solutions - a specific solution was never acceptable (he's a Professor which may explain this approach). It's become a habit that's hard to shake. So I'm looking for a unified model that supports today's user scenarios and maybe some of tomorrow's. Working software for identified use cases may be adequate but I'm greedier than that :) > > Defining the conceptual boundaries is a key part of this. > >> I agree with all your suggestions and all your numbered points except >> possibly this one (number 2). But we may be envisioning different >> things >> by "a group system that meets all our use cases." >> >> I'm pretty certain that a Sakai team won't write a software library >> with >> UX components that can take the place of all the existing approaches to >> group-and-role management throughout all departments of higher >> education. (At least I'm pretty certain that _I_ won't. :) I guess it's >> possible that some team working partly on Sakai would eventually come >> up >> with something that rules the space somewhat as JA-SIG CAS and Spring >> Security rule the authentication space.) >> >> On the other hand, if by "a group system" you mean only what you >> suggest >> below (we need to meet our needs both in terms of integration and in >> terms of inside-the-LMS flexibility; no software project meeting those >> needs currently exists; therefore we need to build it ourselves), then, >> yes, I reluctantly came to the same conclusion a couple of months ago. > > I'm talking mainly at the back end here. I don't expect us to have UIs supporting every possible context for groups but I'd like to have back end services which support them as far as possible. My expectation for the Brave New World of Sakai 3 is that UX components will be easy to build and add as new use cases emerge. As far as possible we don't want them to need new back end services as this hurts agility. > >> * I'm (again, reluctantly) certain from past experience that a Sakai >> permission system will need to venture into vocabulary outside standard >> JCR ACE rights. You don't say anything that contradicts that, but I >> wanted to emphasize it since you mentioned "ACLs". > > I tend to agree with this. But I'm still hoping we can design systems where sakai 3 JCR authorisation can support our authz needs with its native ACLs + the extension for dynamic membership resolution. I hope we can have group and permission functionality pushing more static groups and memberships into JCR groups and provide pull hooks for dynamic resolution. If we can move our more sophisticated group, role and permission functionality into separate (sub)systems and intercept group, role and permission management calls and run them through our own APIs I hope this can support our needs while leaving the JCR authz relatively untouched. > > I'm not convinced we can get away with this but if we can't it throws a large spanner into the k2 works. We need to try to make this work or we require major rethinks of some core k2 functionality. On this I'm pragmatic (you may say it's the only place I'm being pragmatic). > >> * We know from analyzing our use cases that group-instances exist >> within >> specific contexts and have sources (and other properties). We also know >> that cross-group role assignments exist within contexts and have >> sources >> (and other properties). Finally, we know that contextually-scoped role >> assignments often get treated as group-instances get treated (e.g., >> "send message to these people"). But I'm not yet prepared to say "All >> group memberships have roles attributes" or "All contextually-scoped >> role assignments are stored as JCR authz groups." I feel we need to >> leave some room for the UX design and service design efforts to >> experiment with different approaches, particularly around the >> relatively >> unexplored UX issues of flexible integration (where roles are >> especially >> important). > > I'm not sure I'm getting what you're saying here. I'll think about it some more. > > Thanks... > > ---------------------------------------------------- > Paul Bristow > Applications Architect > Division of Information Technology > Charles Sturt University > Ph: 02 6051 9959 > Fax: 02 6051 9919 > pbristow@... > www.csu.edu.au > ---------------------------------------------------- > > YOU MUST READ THIS NOTICE > > This email has been sent by Charles Sturt University (ABN 83 878 708 551). This email > (and any attachment) is confidential and is intended for the use of the addressee(s) > only. If you are not the intended recipient of this email you must not copy, > distribute, take any action in reliance on it or disclose it to anyone. Any > confidentiality is not waived or lost by reason of mistaken delivery to you. The > views expressed in this email are not necessarily those of Charles Sturt University. > It is very important that before opening any attachments to this email you check them > for viruses and defects. CSU does not accept liability for any corruption or viruses > or any consequence which arise as a result of this email transmission. Email > communications with CSU may be subject to automated email filtering, which could result > in the delay or deletion of a legitimate email before it is read by its intended > recipient at CSU. Please tell us if you have concerns about this automatic filtering. > The Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) > Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for Charles Sturt > University. > ---------------------------------------------------- > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by Ray Davis :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message Not sure, but there may be some disconnect here due to the vagueness of "group". Do these proposals make sense? * We'll continue to need contextual scoping of memberships, groups, and roles. That's true in virtually any collaborative or social networking application: administrators inside one Confluence space don't see all the administrator groups of other Confluence spaces; I see my friends on Facebook but I don't see the friends of every other Facebook user. When you send a message from within Sakai 3, you don't want to be faced with ten thousand possible addressees in a pop-up window. * We need to provide better support for subgrouping within a given context of memberships and roles. Some of those sets of people will have a parent-child dependency relationship. Some of them will be supplied from outside our application's control; some of them will be managed within our applications. * We need to provide better support for tracking, displaying, and dealing with _sources_ of memberships, roles, and subgroups. That includes your issues of authority and accountability. * What you call "organisations", I've mostly been calling "communities" (mostly because I see "community space" mentioned more often than "organization space"). Regardless, yes, we need to support multiple top-level social contexts. Some of those organisations will not be managed within Sakai 3, however: Sakai should be able to provide a bounded collaborative space for them (a la Liferay or Beehive) without controlling them. Best, Ray On 10/28/09 4:35 AM, John Norman wrote: > So if we accept that 'the Sakai Community' believes Enterprise Groups is > a poorly addressed space for the present and we don't expect good > solutions in the near future, then it makes sense for Sakai to stray > outside a narrow definition of scope in terms of groups support. One > consequence of this IMHO is that we need to consider use cases where > Sakai is a provider of group information to external systems. > > Moving on to think about such a system, I'm not sure I agree with one of > Ray's assertions about what we should expect to flow across the > Sakai/External boundary. At first sight, I can imagine an argument that > says we only expect to receive and supply groups and memberships. Roles > and permissions in an external system have no constraint that means they > have to conform to Sakai expectations/standards/norms. I'm curious about > use cases that would make the translation (and translation maintenance) > task worthwhile. If they exist, it feels like a case for SOA, but I can > imagine that we deliberately support selected exceptions such as LIS. > > When it comes to implementation of 'broad' support for groups. I have 3 > main concerns; navigation, authority and accountability > 1. Navigation: Free creation of groups can lead to a plethora of groups. > If it becomes harder to find a group than to create a new group, the > problem will get worse. Issues below suggest that there will need to be > at least one hierarchy, but that may not be the most logical structure > for browsing and discovery. I believe we will need similar tagging > concepts to content to allow flexible 'organisations' of groups. If we > are going to use a tagging mental model for users, it would be desirable > that the model work in consistent ways between groups and content. I > assume this might be what Ray refers to in terms of conversations with > Eli about needing groupings of groups. > 2. Authority: Probably easiest to address this with an example. Lets say > I set up a group and I call it St John's College Choir (I am nothing to > do with the Choir). Lets imagine the Choir has a group already, but for > historic reasons they named it Lady Mary Choir. How would someone > browsing groups to find the 'official' membership of St John's College > Choir, know that they should use the Lady Mary Choir group? This is the > part where I think the minimum hierarchy comes in. There will probably > want to be 'group domains' that enjoy delegated administration to named > admins. The 'official' group could be identified as official because it > visibly belongs to the delegated/administered 'domain' of St John's > College. My group would be identifiable as potentially bogus because > it belongs to the 'freeforall' domain. In branding terms it could be > like a subsidiary business: "Mini Motors, a proud division of All > American Automotive", or in this case "Lady Mary Choir" an official > group of St John's College". > 3. Accountability: If something goes wrong (e.g. someone establishes the > Vice Chancellors Finance Group and sells the University to a gullible > American - I leave the reader to judge the likelihood of that example). > Who is responsible for allowing it to happen so they can be alerted to > the need to tighten up oversight. Naturally this is less of an issue for > a strongly hierarchical institution, but for a highly delegated federal > organisation like Cambridge it is a real issue. > > I see a strong argument for this 'organising people' function to be a > broad and central part of Sakai. If we take it on, we need to make the > 'organisations' available for non-Sakai uses (even if only as a csv > file, but preferably as a data api). At present, beyond general > intuition of both Ray and Paul, I don't think we have evidence that > K2/JCR models are inadequate. I think there are good performance reasons > for implementing things like permission checks that depend on group > information internally in K2/Sling/JCR so I hope we will pursue K2/JCR > as the preferred implementation until real use cases force us to > compromise. > > John > > On 28 Oct 2009, at 01:39, Bristow, Paul wrote: > >> Ray, >> >>> I think most of our apparent disagreements may come down to how we're >>> labeling conceptual boundaries in human workflows and system >>> architecture. Others may best be worked out through the >>> effort/experiment of testing scenarios with end users and delivering >>> working software -- they seem to center in areas where I don't see a >>> rabbit waiting in the hat. >> >> Agreed (and your glossary is good). >> >> But my first IT boss had an annoying expectation for generic solutions >> - a specific solution was never acceptable (he's a Professor which may >> explain this approach). It's become a habit that's hard to shake. So >> I'm looking for a unified model that supports today's user scenarios >> and maybe some of tomorrow's. Working software for identified use >> cases may be adequate but I'm greedier than that :) >> >> Defining the conceptual boundaries is a key part of this. >> >>> I agree with all your suggestions and all your numbered points except >>> possibly this one (number 2). But we may be envisioning different >>> things >>> by "a group system that meets all our use cases." >>> >>> I'm pretty certain that a Sakai team won't write a software library >>> with >>> UX components that can take the place of all the existing approaches to >>> group-and-role management throughout all departments of higher >>> education. (At least I'm pretty certain that _I_ won't. :) I guess it's >>> possible that some team working partly on Sakai would eventually come >>> up >>> with something that rules the space somewhat as JA-SIG CAS and Spring >>> Security rule the authentication space.) >>> >>> On the other hand, if by "a group system" you mean only what you >>> suggest >>> below (we need to meet our needs both in terms of integration and in >>> terms of inside-the-LMS flexibility; no software project meeting those >>> needs currently exists; therefore we need to build it ourselves), then, >>> yes, I reluctantly came to the same conclusion a couple of months ago. >> >> I'm talking mainly at the back end here. I don't expect us to have UIs >> supporting every possible context for groups but I'd like to have back >> end services which support them as far as possible. My expectation for >> the Brave New World of Sakai 3 is that UX components will be easy to >> build and add as new use cases emerge. As far as possible we don't >> want them to need new back end services as this hurts agility. >> >>> * I'm (again, reluctantly) certain from past experience that a Sakai >>> permission system will need to venture into vocabulary outside standard >>> JCR ACE rights. You don't say anything that contradicts that, but I >>> wanted to emphasize it since you mentioned "ACLs". >> >> I tend to agree with this. But I'm still hoping we can design systems >> where sakai 3 JCR authorisation can support our authz needs with its >> native ACLs + the extension for dynamic membership resolution. I hope >> we can have group and permission functionality pushing more static >> groups and memberships into JCR groups and provide pull hooks for >> dynamic resolution. If we can move our more sophisticated group, role >> and permission functionality into separate (sub)systems and intercept >> group, role and permission management calls and run them through our >> own APIs I hope this can support our needs while leaving the JCR authz >> relatively untouched. >> >> I'm not convinced we can get away with this but if we can't it throws >> a large spanner into the k2 works. We need to try to make this work or >> we require major rethinks of some core k2 functionality. On this I'm >> pragmatic (you may say it's the only place I'm being pragmatic). >> >>> * We know from analyzing our use cases that group-instances exist >>> within >>> specific contexts and have sources (and other properties). We also know >>> that cross-group role assignments exist within contexts and have >>> sources >>> (and other properties). Finally, we know that contextually-scoped role >>> assignments often get treated as group-instances get treated (e.g., >>> "send message to these people"). But I'm not yet prepared to say "All >>> group memberships have roles attributes" or "All contextually-scoped >>> role assignments are stored as JCR authz groups." I feel we need to >>> leave some room for the UX design and service design efforts to >>> experiment with different approaches, particularly around the >>> relatively >>> unexplored UX issues of flexible integration (where roles are >>> especially >>> important). >> >> I'm not sure I'm getting what you're saying here. I'll think about it >> some more. >> >> Thanks... >> >> ---------------------------------------------------- >> Paul Bristow >> Applications Architect >> Division of Information Technology >> Charles Sturt University >> Ph: 02 6051 9959 >> Fax: 02 6051 9919 >> pbristow@... >> www.csu.edu.au >> ---------------------------------------------------- >> >> YOU MUST READ THIS NOTICE >> >> This email has been sent by Charles Sturt University (ABN 83 878 708 >> 551). This email >> (and any attachment) is confidential and is intended for the use of >> the addressee(s) >> only. If you are not the intended recipient of this email you must not >> copy, >> distribute, take any action in reliance on it or disclose it to >> anyone. Any >> confidentiality is not waived or lost by reason of mistaken delivery >> to you. The >> views expressed in this email are not necessarily those of Charles >> Sturt University. >> It is very important that before opening any attachments to this email >> you check them >> for viruses and defects. CSU does not accept liability for any >> corruption or viruses >> or any consequence which arise as a result of this email transmission. >> Email >> communications with CSU may be subject to automated email filtering, >> which could result >> in the delay or deletion of a legitimate email before it is read by >> its intended >> recipient at CSU. Please tell us if you have concerns about this >> automatic filtering. >> The Commonwealth Register of Institutions and Courses for Overseas >> Students (CRICOS) >> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for >> Charles Sturt >> University. >> ---------------------------------------------------- >> _______________________________________________ >> sakai-ux mailing list >> sakai-ux@... >> http://collab.sakaiproject.org/mailman/listinfo/sakai-ux >> >> TO UNSUBSCRIBE: send email to >> sakai-ux-unsubscribe@... with a subject of >> "unsubscribe" > > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"
	Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality by clayf :: Rate this Message: Reply to Author \| View Threaded \| Show Only this Message I need to re-read everything a third time myself, but I think where I'm most ready to disagree is with that third bullet point where it talks about sources of roles, if that means trying to produce Sakai representations of externally defined roles. That approach seems to me common-sensical but quixotic and unnecessary, and again I don't think the membership question and the role question are on the same level. I wonder if the disagreement might boil down to a philosophical dispute over whether a strong group model or a weak one is a better fit for the uncertainty and variability of our use cases. ~Clay On Wed, Oct 28, 2009 at 5:18 PM, Ray Davis <ray@...> wrote: > Not sure, but there may be some disconnect here due to the vagueness of > "group". Do these proposals make sense? > > * We'll continue to need contextual scoping of memberships, groups, and > roles. That's true in virtually any collaborative or social networking > application: administrators inside one Confluence space don't see all > the administrator groups of other Confluence spaces; I see my friends on > Facebook but I don't see the friends of every other Facebook user. When > you send a message from within Sakai 3, you don't want to be faced with > ten thousand possible addressees in a pop-up window. > > * We need to provide better support for subgrouping within a given > context of memberships and roles. Some of those sets of people will have > a parent-child dependency relationship. Some of them will be supplied > from outside our application's control; some of them will be managed > within our applications. > > * We need to provide better support for tracking, displaying, and > dealing with _sources_ of memberships, roles, and subgroups. That > includes your issues of authority and accountability. > > * What you call "organisations", I've mostly been calling "communities" > (mostly because I see "community space" mentioned more often than > "organization space"). Regardless, yes, we need to support multiple > top-level social contexts. Some of those organisations will not be > managed within Sakai 3, however: Sakai should be able to provide a > bounded collaborative space for them (a la Liferay or Beehive) without > controlling them. > > Best, > Ray > > On 10/28/09 4:35 AM, John Norman wrote: >> So if we accept that 'the Sakai Community' believes Enterprise Groups is >> a poorly addressed space for the present and we don't expect good >> solutions in the near future, then it makes sense for Sakai to stray >> outside a narrow definition of scope in terms of groups support. One >> consequence of this IMHO is that we need to consider use cases where >> Sakai is a provider of group information to external systems. >> >> Moving on to think about such a system, I'm not sure I agree with one of >> Ray's assertions about what we should expect to flow across the >> Sakai/External boundary. At first sight, I can imagine an argument that >> says we only expect to receive and supply groups and memberships. Roles >> and permissions in an external system have no constraint that means they >> have to conform to Sakai expectations/standards/norms. I'm curious about >> use cases that would make the translation (and translation maintenance) >> task worthwhile. If they exist, it feels like a case for SOA, but I can >> imagine that we deliberately support selected exceptions such as LIS. >> >> When it comes to implementation of 'broad' support for groups. I have 3 >> main concerns; navigation, authority and accountability >> 1. Navigation: Free creation of groups can lead to a plethora of groups. >> If it becomes harder to find a group than to create a new group, the >> problem will get worse. Issues below suggest that there will need to be >> at least one hierarchy, but that may not be the most logical structure >> for browsing and discovery. I believe we will need similar tagging >> concepts to content to allow flexible 'organisations' of groups. If we >> are going to use a tagging mental model for users, it would be desirable >> that the model work in consistent ways between groups and content. I >> assume this might be what Ray refers to in terms of conversations with >> Eli about needing groupings of groups. >> 2. Authority: Probably easiest to address this with an example. Lets say >> I set up a group and I call it St John's College Choir (I am nothing to >> do with the Choir). Lets imagine the Choir has a group already, but for >> historic reasons they named it Lady Mary Choir. How would someone >> browsing groups to find the 'official' membership of St John's College >> Choir, know that they should use the Lady Mary Choir group? This is the >> part where I think the minimum hierarchy comes in. There will probably >> want to be 'group domains' that enjoy delegated administration to named >> admins. The 'official' group could be identified as official because it >> visibly belongs to the delegated/administered 'domain' of St John's >> College. My group would be identifiable as potentially bogus because >> it belongs to the 'freeforall' domain. In branding terms it could be >> like a subsidiary business: "Mini Motors, a proud division of All >> American Automotive", or in this case "Lady Mary Choir" an official >> group of St John's College". >> 3. Accountability: If something goes wrong (e.g. someone establishes the >> Vice Chancellors Finance Group and sells the University to a gullible >> American - I leave the reader to judge the likelihood of that example). >> Who is responsible for allowing it to happen so they can be alerted to >> the need to tighten up oversight. Naturally this is less of an issue for >> a strongly hierarchical institution, but for a highly delegated federal >> organisation like Cambridge it is a real issue. >> >> I see a strong argument for this 'organising people' function to be a >> broad and central part of Sakai. If we take it on, we need to make the >> 'organisations' available for non-Sakai uses (even if only as a csv >> file, but preferably as a data api). At present, beyond general >> intuition of both Ray and Paul, I don't think we have evidence that >> K2/JCR models are inadequate. I think there are good performance reasons >> for implementing things like permission checks that depend on group >> information internally in K2/Sling/JCR so I hope we will pursue K2/JCR >> as the preferred implementation until real use cases force us to >> compromise. >> >> John >> >> On 28 Oct 2009, at 01:39, Bristow, Paul wrote: >> >>> Ray, >>> >>>> I think most of our apparent disagreements may come down to how we're >>>> labeling conceptual boundaries in human workflows and system >>>> architecture. Others may best be worked out through the >>>> effort/experiment of testing scenarios with end users and delivering >>>> working software -- they seem to center in areas where I don't see a >>>> rabbit waiting in the hat. >>> >>> Agreed (and your glossary is good). >>> >>> But my first IT boss had an annoying expectation for generic solutions >>> - a specific solution was never acceptable (he's a Professor which may >>> explain this approach). It's become a habit that's hard to shake. So >>> I'm looking for a unified model that supports today's user scenarios >>> and maybe some of tomorrow's. Working software for identified use >>> cases may be adequate but I'm greedier than that :) >>> >>> Defining the conceptual boundaries is a key part of this. >>> >>>> I agree with all your suggestions and all your numbered points except >>>> possibly this one (number 2). But we may be envisioning different >>>> things >>>> by "a group system that meets all our use cases." >>>> >>>> I'm pretty certain that a Sakai team won't write a software library >>>> with >>>> UX components that can take the place of all the existing approaches to >>>> group-and-role management throughout all departments of higher >>>> education. (At least I'm pretty certain that _I_ won't. :) I guess it's >>>> possible that some team working partly on Sakai would eventually come >>>> up >>>> with something that rules the space somewhat as JA-SIG CAS and Spring >>>> Security rule the authentication space.) >>>> >>>> On the other hand, if by "a group system" you mean only what you >>>> suggest >>>> below (we need to meet our needs both in terms of integration and in >>>> terms of inside-the-LMS flexibility; no software project meeting those >>>> needs currently exists; therefore we need to build it ourselves), then, >>>> yes, I reluctantly came to the same conclusion a couple of months ago. >>> >>> I'm talking mainly at the back end here. I don't expect us to have UIs >>> supporting every possible context for groups but I'd like to have back >>> end services which support them as far as possible. My expectation for >>> the Brave New World of Sakai 3 is that UX components will be easy to >>> build and add as new use cases emerge. As far as possible we don't >>> want them to need new back end services as this hurts agility. >>> >>>> * I'm (again, reluctantly) certain from past experience that a Sakai >>>> permission system will need to venture into vocabulary outside standard >>>> JCR ACE rights. You don't say anything that contradicts that, but I >>>> wanted to emphasize it since you mentioned "ACLs". >>> >>> I tend to agree with this. But I'm still hoping we can design systems >>> where sakai 3 JCR authorisation can support our authz needs with its >>> native ACLs + the extension for dynamic membership resolution. I hope >>> we can have group and permission functionality pushing more static >>> groups and memberships into JCR groups and provide pull hooks for >>> dynamic resolution. If we can move our more sophisticated group, role >>> and permission functionality into separate (sub)systems and intercept >>> group, role and permission management calls and run them through our >>> own APIs I hope this can support our needs while leaving the JCR authz >>> relatively untouched. >>> >>> I'm not convinced we can get away with this but if we can't it throws >>> a large spanner into the k2 works. We need to try to make this work or >>> we require major rethinks of some core k2 functionality. On this I'm >>> pragmatic (you may say it's the only place I'm being pragmatic). >>> >>>> * We know from analyzing our use cases that group-instances exist >>>> within >>>> specific contexts and have sources (and other properties). We also know >>>> that cross-group role assignments exist within contexts and have >>>> sources >>>> (and other properties). Finally, we know that contextually-scoped role >>>> assignments often get treated as group-instances get treated (e.g., >>>> "send message to these people"). But I'm not yet prepared to say "All >>>> group memberships have roles attributes" or "All contextually-scoped >>>> role assignments are stored as JCR authz groups." I feel we need to >>>> leave some room for the UX design and service design efforts to >>>> experiment with different approaches, particularly around the >>>> relatively >>>> unexplored UX issues of flexible integration (where roles are >>>> especially >>>> important). >>> >>> I'm not sure I'm getting what you're saying here. I'll think about it >>> some more. >>> >>> Thanks... >>> >>> ---------------------------------------------------- >>> Paul Bristow >>> Applications Architect >>> Division of Information Technology >>> Charles Sturt University >>> Ph: 02 6051 9959 >>> Fax: 02 6051 9919 >>> pbristow@... >>> www.csu.edu.au >>> ---------------------------------------------------- >>> >>> YOU MUST READ THIS NOTICE >>> >>> This email has been sent by Charles Sturt University (ABN 83 878 708 >>> 551). This email >>> (and any attachment) is confidential and is intended for the use of >>> the addressee(s) >>> only. If you are not the intended recipient of this email you must not >>> copy, >>> distribute, take any action in reliance on it or disclose it to >>> anyone. Any >>> confidentiality is not waived or lost by reason of mistaken delivery >>> to you. The >>> views expressed in this email are not necessarily those of Charles >>> Sturt University. >>> It is very important that before opening any attachments to this email >>> you check them >>> for viruses and defects. CSU does not accept liability for any >>> corruption or viruses >>> or any consequence which arise as a result of this email transmission. >>> Email >>> communications with CSU may be subject to automated email filtering, >>> which could result >>> in the delay or deletion of a legitimate email before it is read by >>> its intended >>> recipient at CSU. Please tell us if you have concerns about this >>> automatic filtering. >>> The Commonwealth Register of Institutions and Courses for Overseas >>> Students (CRICOS) >>> Provider Number is 00005F (NSW), 025973E (QLD), and 01947G (VIC) for >>> Charles Sturt >>> University. >>> ---------------------------------------------------- >>> _______________________________________________ >>> sakai-ux mailing list >>> sakai-ux@... >>> http://collab.sakaiproject.org/mailman/listinfo/sakai-ux >>> >>> TO UNSUBSCRIBE: send email to >>> sakai-ux-unsubscribe@... with a subject of >>> "unsubscribe" >> >> > > _______________________________________________ > sakai-ux mailing list > sakai-ux@... > http://collab.sakaiproject.org/mailman/listinfo/sakai-ux > > TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe" > _______________________________________________ sakai-ux mailing list sakai-ux@... http://collab.sakaiproject.org/mailman/listinfo/sakai-ux TO UNSUBSCRIBE: send email to sakai-ux-unsubscribe@... with a subject of "unsubscribe"

Re: [DG: User Experience] Randomly assigning students to groups

Re: [DG: User Experience] Randomly assigning students to groups

Re: [DG: User Experience] [Using Sakai] Randomly assigning students to groups

Re: [DG: User Experience] [Using Sakai] Randomly assigning students to groups

[DG: User Experience] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality

Re: [DG: User Experience] [Using Sakai] Some thoughts on group functionality