At U Chicago, we’ve gotten to the first step in permissions, which is assigning our testers all permissions. Now we need to look at the next step, where we find permissions to restrict. Our instance is working on the notion that we won’t have to restrict much in terms of the permissions in the modules the Library staff will use, but there will be things we’ll have to restrict from most of the staff. I hope to use this post to create a list over time of the permissions that ought to be restricted, and to whom.
As a start, I believe we can restrict the okapi permissions without harming our testers’ ability to test. They show in the clients that I’ve looked at as okapi.all. They have individual permissions like okapi.deployment.delete, okapi.deployment.post, okapi.env.delete, and okapi.env.get. I’m not certain what these individual permissions do yet, but it’s the first set of permissions that I can restrict and see if it has any effect on our testers.
If anybody else sees permissions that ought to be restricted, I would be very interested in seeing more of them here.