Users may have roles in Opencast which are granted from an external system (e.g. LMS)


This describes the use case for which the UserDirectoryProvider interface exists:

As an Opencast system owner, I wish to configure recording series in Opencast so that recordings are accessible by users within an authorization context that exists in an external system (typically an LMS).

This is implemented through mapping external authorization contexts (e.g. LMS courses/sites) to Opencast roles which can be used in series and event ACLs.

When a user accesses Opencast through LTI, roles are set up for the user for the specific context in which the LTI launch originated. The UserDirectoryProvider is consulted (if present) which will potentially grant the user more roles.

When a user logs into Opencast through another method (e.g. LDAP authentication), or is resolved by an Opencast node (e.g. worker node), then the UserDirectoryProvider is again consulted.

These roles should not be persisted by Opencast, as they are essentially dynamic (i.e. the responsibility of the external system, and could change at any time, outside Opencast's control). Likewise they should not be manageable through the Admin UI, as that would be misleading.

In Opencast 2.x, these external roles are in some cases persisted to the database and show up in the UI in inappropriate ways, hence this umbrella issue and its sub-tasks to handle this integration scenario more cleanly.
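As an added illustration (not Opencast code, and not the UserDirectoryProvider interface itself), the following Python sketch contrasts resolving LMS-granted roles at access time with the stale-access problem that persisting them causes; the provider class, the ROLE_LMS_&lt;context&gt;_&lt;role&gt; naming scheme and the enrolment data are assumptions.

```python
"""Dynamic (non-persisted) roles from an external LMS, merged at access time."""
from dataclasses import dataclass, field


@dataclass
class Acl:
    # Constructed sample: maps an action ("read"/"write") to the roles allowed to perform it.
    entries: dict[str, set[str]] = field(default_factory=dict)

    def allows(self, roles: set[str], action: str) -> bool:
        return bool(self.entries.get(action, set()) & roles)


class LmsDirectoryProvider:
    """Hypothetical stand-in for an external UserDirectoryProvider.

    It answers from the LMS's current enrolment table, which is the only
    source of truth for these roles; nothing it returns is written back.
    """

    def __init__(self, enrolments: dict[str, dict[str, str]]):
        # enrolments[user][context_id] = lms_role, e.g. "Learner" or "Instructor"
        self.enrolments = enrolments

    def roles_for(self, user: str) -> set[str]:
        # Assumed naming scheme: ROLE_LMS_<context>_<lms role>
        return {f"ROLE_LMS_{ctx}_{r}" for ctx, r in self.enrolments.get(user, {}).items()}


def effective_roles(user: str, persisted: dict[str, set[str]], provider: LmsDirectoryProvider) -> set[str]:
    """Union of Opencast-managed roles with the roles the LMS grants right now."""
    return set(persisted.get(user, set())) | provider.roles_for(user)


def demo() -> tuple[bool, bool, bool]:
    persisted = {"alice": {"ROLE_USER"}}  # roles Opencast itself manages
    lms = LmsDirectoryProvider({"alice": {"course123": "Learner"}})
    series_acl = Acl({"read": {"ROLE_LMS_course123_Learner", "ROLE_LMS_course123_Instructor"}})

    before = series_acl.allows(effective_roles("alice", persisted, lms), "read")

    # The problematic 2.x behaviour: copying the dynamic roles into Opencast's own user record.
    stale_copy = {"alice": persisted["alice"] | lms.roles_for("alice")}

    # The LMS later un-enrols alice; the provider reflects that immediately.
    lms.enrolments["alice"].pop("course123")

    after_dynamic = series_acl.allows(effective_roles("alice", persisted, lms), "read")
    after_stale = series_acl.allows(effective_roles("alice", stale_copy, lms), "read")
    return before, after_dynamic, after_stale


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The stale copy still grants read access after the LMS revoked the enrolment, which is exactly why such roles must be consulted live rather than persisted.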

Fixed and reviewed




Stephen Marquard