Quercus 8.0.2. Control Centre User’s Guide

Security options and Control Centre access

Access to Control Centre services — how the three dimensions of security interact

In order to use the Control Centre and its various options you must have the correct access permissions.

There are three factors determining which Control Centre functions you can access (see diagram):

1. whether you are a member of the LDAP groups which grant access to the Control Centre APPLICATIONS, SERVICES and SET-UP tabs and other functions

» See LDAP groups and access to the Control Centre tabs

2. whether you are a member of the LDAP groups required to access specific, restricted, services

» See LDAP groups and access to specific services

3. the security model you have implemented (unrestricted, person or organisation)

» See The Quercus access model and visibility of student applications

These factors are described in more detail below.

LDAP groups and access to the Control Centre tabs

You must be a member of the correct LDAP group in order to access the Control Centre tabs and functions.

| To access … | … you must be a member of |
|---|---|
| the Services tab | OAPL_SERVICE_ADMIN |
| the Applications tab | OAPL_APPLICATION |
| the SET-UP tab | QP_SYSTEM_ADMIN |
| the User Account Management options on the SET-UP tab | QP_SYSTEM_ADMIN or OAPL_USER_MANAGEMENT |

» See To associate a user with LDAP groups.

LDAP groups and access to specific services

You can control which users have access to a particular service.

To do this you associate specific LDAP groups with the service. Only users who belong to these groups can access the service. Access here means:

see the service on the Service tab and modify the service settings

see the equivalent application on the Application tab and view the incoming data

see the slice of the pie-chart that represents the service on the Start tab

If no specific LDAP groups are associated with the service then all users who are members of the OAPL_SERVICE_ADMIN and OAPL_APPLICATION LDAP groups can access the service.

In the screen below two LDAP groups (or roles) ADMISSION_TEAM and CUSTOM_ROLE have been associated with the Apply Online service.

This means that only users who are members of:

either, or both, QP_STUDENT_EDIT and OC_EDIT_MODULE

and

ADMISSION_TEAM and CUSTOM_ROLE

will gain access to all the Apply Online functions.

Note that the function-level OAPL_SERVICE_ADMIN and OAPL_APPLICATION groups (described under LDAP groups and access to the Control Centre tabs) operate in conjunction with this, more specific, service-level access control.

To associate a service with LDAP groups

1. Log in to Quercus 8 with administrator permissions and select Control Centre.

2. Click the Set-Up tab.

3. Select Service Administration from the Basic option list.

A list of services opens.

4. Select a service from the list and click the edit button.

In the LDAP roles field enter a colon-separated list of the groups that are to be granted access to the service.

You can look up the names of the groups by going to the User Account Management option on the Set-Up tab.

5. Click Save.

Only users who are members of the assigned LDAP groups can now access the services (see below):

1. Melanie Hope has been assigned to the ADMISSION_TEAM LDAP group (this LDAP role has been defined as necessary to access the Apply Online service, see step 4).

2. Melanie can now access and modify the Apply Online service via the SERVICES tab.

Note: these changes will not affect a user in mid-session. The user will need to log out and log back in before he or she sees the effect of the changes.

Tip: you could set up LDAP groups specifically to control access to these services. For example you could:

for each service, create an LDAP group with a related name (e.g. SER_APPLY_ONLINE, SER_BUILD_CURRICULUM, SER_BROWSE_COURSE)

associate each service with the related LDAP group

associate only users authorised to access the service with the related LDAP group
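
The service-level rules above can be checked offline against an export of the LDAP roles fields and group memberships. The following audit is an added example, not Quercus code: it flags services left unrestricted and group names in a roles field that match no known LDAP group. It assumes that membership of any one listed group grants access; apart from Apply Online, the service names, the logins and the misspelt group are constructed.

```python
# Added example (not Quercus code); group names are the ones used in the guide.
TAB_GROUPS = {"services": "OAPL_SERVICE_ADMIN", "applications": "OAPL_APPLICATION"}

def parse_roles(field):
    """Split the colon-separated 'LDAP roles' field into a set of group names."""
    return {g.strip() for g in (field or "").split(":") if g.strip()}

def can_access(user_groups, roles_field, tab, require_all=False):
    """The tab-level group is always required; service groups narrow access further.

    Assumption: membership of any one listed group suffices (as in the guide's
    Melanie Hope example). Pass require_all=True for the stricter reading.
    """
    if TAB_GROUPS[tab] not in user_groups:
        return False
    roles = parse_roles(roles_field)
    if not roles:  # no groups on the service: tab-level membership is enough
        return True
    return roles <= user_groups if require_all else bool(roles & user_groups)

def audit(services, users, known_groups):
    """Flag unrestricted services and unknown group names; list who gets in."""
    findings = []
    for name, field in sorted(services.items()):
        roles = parse_roles(field)
        if not roles:
            findings.append((name, "UNRESTRICTED", "all tab-level group members"))
        for group in sorted(roles - known_groups):
            findings.append((name, "UNKNOWN_GROUP", group))
        allowed = sorted(u for u, gs in users.items()
                         if can_access(gs, field, "services"))
        findings.append((name, "SERVICES_TAB_USERS", ", ".join(allowed) or "none"))
    return findings

# Constructed sample data: only "Apply Online" and the group names come from the guide.
SERVICES = {"Apply Online": "ADMISSION_TEAM:CUSTOM_ROLE",
            "Browse Course": "",
            "Build Curriculum": "SER_BUILD_CURICULUM"}  # deliberate typo
USERS = {"mhope": {"OAPL_SERVICE_ADMIN", "OAPL_APPLICATION", "ADMISSION_TEAM"},
         "jdoe": {"OAPL_SERVICE_ADMIN"},
         "asmith": {"ADMISSION_TEAM"}}
KNOWN_GROUPS = {"OAPL_SERVICE_ADMIN", "OAPL_APPLICATION", "ADMISSION_TEAM",
                "CUSTOM_ROLE", "SER_BUILD_CURRICULUM"}

if __name__ == "__main__":
    for row in audit(SERVICES, USERS, KNOWN_GROUPS):
        print("%-17s %-19s %s" % row)
```

In the sample data the mistyped group leaves Build Curriculum visible to nobody, while the empty roles field leaves Browse Course open to every OAPL_SERVICE_ADMIN member.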

The Quercus access model and visibility of student applications

The access model you have implemented (unrestricted, person or organisation) will determine which student applications are visible to you when you visit the APPLICATIONS tab.

If you have implemented the unrestricted model then all applications from all students will be visible.

If you have implemented the person or the organisation model then only the applications associated with the courses which you have access to will be visible on the APPLICATIONS tab. In addition, only the courses which you have access to will be visible on the pie-charts on the SET-UP tab.

» See QuercusPlus Menu 8.0.2 User’s Guide — Organisations for more information about the person and organisation access models.

» See The Quercus access model and visibility of student applications — examples for illustrations of how the access model affects the visibility of applications.

The Quercus access model and visibility of student applications — examples

Access model = INSTANCE_ORGANISATION_NEW

If your organisation is running the INSTANCE_ORGANISATION_NEW access model then, in QuercusPlus, you will see student applications for all the course instances associated with the organisation.

1. The Organisations screen allows you to associate courses and modules with an organisation using the Add options in the Tasks panel. Note that Melanie Hope is a staff member of the organisation.

2. The Geography course GEO10.1 is added to the organisation’s curriculum. Note that Melanie Hope is NOT a tutor on the course.

3. Even though Melanie is not a tutor for GEO10.1 she sees the applications for the course because she is a staff member of the organisation with which GEO10.1 is associated. She also sees other courses that are associated with the organisation.

Access model = INSTANCE_PERSON

If you are running the INSTANCE_PERSON access model then, in QuercusPlus, you will see only the course or module instances for which you are a tutor.

1. Melanie Hope has been assigned as a tutor to the Archaeology ARCH-01 course (highlighted in green).

2. Under the INSTANCE_PERSON access model Melanie only sees applications for the ARCH-01 course when she runs a search.