Security Administration Guide

Security overview

EQUELLA security is designed using Access Control Lists (ACLs) for flexible top-down management, allowing system administrators to manage user access to objects (collection definitions, metadata schemas, etc.), tasks, and resources within the repository. Management of self-contributed objects and resources can be delegated to users.

EQUELLA security enables the definition of suitable security defaults, so that specific settings seldom need to be defined when objects are created.

The purpose of this guide is to provide administrators with an overview of the various security settings available and an understanding of their configuration and use.

Please note that this guide has been developed to best reflect the full capabilities of EQUELLA, and as such may differ in appearance to your own installation.

Where possible the examples in this guide are provided in the EQUELLA Vanilla Institution.

Access control lists

After an EQUELLA installation, the system administrator will implement security settings as required by their institution. This typically requires modification of the default ACLs.

An ACL associates a Grant or Revoke action and a User, Group or Role with an EQUELLA privilege on an object. For example, the EDIT_SCHEMA privilege might be granted to users having the System Administrator role.

ACLs can be configured using the object’s Access Control or Security page or the Administration Console Security Manager.

Roles

To ease management of ACLs and users, it is recommended that ACLs be associated with roles (which have users allocated to them) rather than specific users or groups. This provides a degree of independence from the user management system and avoids the rapidly increasing complexity created by assigning ACLs to individual users.

Roles are defined using the Internal Roles plug-in available from the Administration Console User Management tool.

Privileges

EQUELLA provides a privilege for every system task. Privileges have an associated object (for example, a resource, workflow, collection etc.) and can also have a textual string (e.g. EDIT_SCHEMA=edit this schema). Only the raw privilege (EDIT_SCHEMA) is displayed in the Security Manager, while the string (edit this schema) is displayed on the object’s Access Control or Security page.

Actions

Each ACL element has an associated Grant or Revoke action.

Security Manager reference

The Security Manager provides access to ACLs for all institution objects. Institution objects are displayed in a tree hierarchy with folders containing groups of objects and child objects.

Security Manager

The Security Manager is accessed through the EQUELLA Administration Console.

To access EQUELLA and open the Administration Console:

  1. Open a browser and enter your EQUELLA URL (e.g. ‘http://equella.myequellainstitution.edu’).
  2. Log in to EQUELLA as an administrator, select Settings then Administration console.
  3. The Administration console displays. Select Security Manager.
  4. The Security Manager page displays. The Security Manager hierarchy represents the ACL hierarchy. Object groupings are displayed as folders, and these groupings contain child objects representing institution objects. Each hierarchy node can have zero or more associated ACLs.

The child objects listed in the hierarchy consist of user interface elements, resource items and tasks. They are shown at the lowest level of the hierarchy.

ACL inheritance

The Security Manager shows the ACL inheritance. Any object can inherit an ACL from any of the object groupings above it. ACL privileges are refined per grouping. At the Institution level, all privileges are available, while at the Object level they are limited to those applicable to that object, typically EDIT_OBJECT and DELETE_OBJECT.

Object ACLs

Typically the ACLs for objects can be set at object creation in either the Administration Console tools or the Security Manager, while ACLs for groupings (such as schemas or portlets) can only be set in the Security Manager. This security hierarchy has been developed to minimize the security configuration required by object creators by allowing administrators to specify grouping defaults that are inherited by any created objects.

Determining access using ACLs

Access to an object is determined by analysis of its ACL. Default lists are provided but typically require customization to suit the requirements of individual institutions.

An ACL comprises an ordered list of actions that grant or revoke privileges set on each object, and actions inherited from the parent object. Inherited actions have a lower precedence than actions set on an object unless they are set to override child actions. Example ACLs are shown in the following series of figures.
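The precedence described above can be modelled in a few lines. This is an added example, not EQUELLA code: it assumes that the first matching entry decides the outcome and that no match means the privilege is denied (neither rule is stated on this page), and the tree, the `Contractors` group and the schema name are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str             # "GRANT" or "REVOKE"
    privilege: str          # e.g. "EDIT_SCHEMA"
    who: str                # user, group or role name, or "Everyone"
    override: bool = False  # the Override? checkbox


@dataclass
class Node:
    name: str
    acl: list = field(default_factory=list)  # ordered: position matters
    parent: Optional["Node"] = None


def chain_from_top(node):
    """Return the nodes from the top of the tree down to `node`."""
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain[::-1]


def entries_in_precedence_order(node):
    """Yield (source node name, entry), highest precedence first."""
    chain = chain_from_top(node)
    ancestors = chain[:-1]
    # 1. Entries flagged Override?, walking the tree from the top down.
    for n in chain:
        for e in n.acl:
            if e.override:
                yield n.name, e
    # 2. Entries set on the object itself, in list order.
    for e in node.acl:
        if not e.override:
            yield node.name, e
    # 3. Inherited defaults (assumption: nearest grouping first).
    for n in reversed(ancestors):
        for e in n.acl:
            if not e.override:
                yield n.name, e


def decide(node, privilege, identities):
    """Return (allowed, name of the node whose entry decided)."""
    for source, e in entries_in_precedence_order(node):
        if e.privilege != privilege:
            continue
        if e.who == "Everyone" or e.who in identities:
            return e.action == "GRANT", source
    return False, None  # assumption: no matching entry means no access


# Constructed sample tree: Institution > Schemas > one schema object.
institution = Node("Institution", [
    Entry("REVOKE", "EDIT_SCHEMA", "Contractors", override=True),
    Entry("REVOKE", "EDIT_SCHEMA", "Everyone"),
])
schemas = Node("Schemas", [
    Entry("GRANT", "EDIT_SCHEMA", "System Administrator Role"),
], parent=institution)
course_schema = Node("Course schema", [
    Entry("GRANT", "EDIT_SCHEMA", "Contractors"),
    Entry("GRANT", "EDIT_SCHEMA", "Content Administrator Role"),
], parent=schemas)

if __name__ == "__main__":
    for ids in ({"Content Administrator Role"}, {"System Administrator Role"},
                {"Contractors"}, {"Students"}):
        print(sorted(ids), decide(course_schema, "EDIT_SCHEMA", ids))
```

The second element of the result names the level that decided the outcome, which is the first thing to check when a grant set on an object appears to have no effect.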

The security tree is traversed from top to bottom, looking for ACLs that are associated with the user. Important points to note are: For an individual ACL:

Security hierarchy reference

The top two levels of the Security Manager hierarchy are the same for all EQUELLA installations.

These levels are intended to provide the default ACLs configured by the system administrator. Carefully chosen defaults will decrease the work required by object creators during the creation process.

Typical object grouping

Typically groupings will only contain objects that have been created for the EQUELLA instance: Advanced Searches, Schemas, Remote Repositories, Courses, Taxonomies, LTI consumers, HTML editor plugins, User Scripts, Connectors, Hierarchy, External Tools, Stores, EchoSystem servers, Reports, Workflows, OAuth Clients, Dynamic Collections, Hierarchy, Kaltura servers, Harvester Profiles, Custom Links, Regions, Catalogues, Tiers, Payment Gateways, Storefronts and Store Taxes.

Collections, Portlets, Management Pages, Resources and System Settings have further groupings as outlined in the following sections.

Collections object grouping

The Collections grouping contains all the collections created for an institution. Each collection contains two further groups:

These groupings do not provide another level of ACLs for their child objects.

Portlets object grouping

The Portlets grouping contains the portlet types that can be added to a user’s dashboard. ACLs are set on the portlet type, not on the individual portlet itself.

Management Pages object grouping

The Management Pages grouping allows ACLs to be set on the management pages. ACLs set at the grouping level will apply to all child sites. Settings can also be made on the individual pages at the child level.

Resources object grouping

The Resources grouping object is unique: it provides a mechanism for finding the actions associated with a resource. The ACLs associated with the objects within this group are inherited by all system resources.

Each resource status is treated separately in the Security Manager as statuses represent the state of a resource rather than the resource itself. An override option is provided anywhere a status ACL can be set. Resource statuses have the following inheritance:

System Settings object grouping

The System Settings grouping allows ACLs to be set against each object to restrict what is available on the Settings page accessed from the navigation menu. These settings contain the various configuration options for a wide range of functions across the EQUELLA system, and would normally be restricted to those with administration rights for the relevant functions.

View/Modify ACLs

  1. Select an object from the Security Manager hierarchy to display the ACLs for the selected object (e.g. Schemas) in the View/Modify ACLs pane. This pane lists the ACLs and allows addition, removal and modification.

Elements of the View/Modify ACLs pane are:

Add button

Click + Add to add a new line to the list. The new line is populated with data entered from the previous step. If the ACL pane is blank, the first line added will display the default action Grant - < X >_OBJECT - Everyone.

Remove button

Click - Remove to delete the selected line from the list.

(NOTE: Removing an action from an ACL cannot be undone. Actions removed in error must be recreated manually.)

Movement arrows

Use the up and down arrows to rearrange the order of the list.

Action column

Apply a Grant or Revoke action to the selected privilege. Click on the action to enable a drop-down list and select an option.

Privilege column

Click on an element in this column to enable a drop-down list of applicable privileges (e.g. CREATE_SCHEMA, DELETE_SCHEMA and EDIT_SCHEMA).

Who? column

Select a user, group or role to be associated with the selected privilege. Click on an element in the column to display a Select Recipients dialog.

Override? column

Select the Override? checkbox to give the selected action precedence over other actions in the list.

(NOTE: The override is typically only given to those with System Administrator privileges.)

Save button

Click Save to save changes.

Close button

Click Close to display the Save Changes dialog and exit the Security Manager.

Select Recipients dialog

Elements of the Select Recipients… dialog in the Security Manager can include:

User entity pane

Displays users, groups or roles associated with the selected privilege. New ACLs have the default Everyone displayed in this pane.

It is good security practice to remove this user type when granting privileges to other users. Select Everyone and click < to remove it from the list.

Search tab

The Search page searches the selected user entity (Users, Groups or Roles) for the text entered in the search criteria. A blank search text field is equivalent to a wildcard-only search and, in this instance, returns all available users. The only special character recognized in this search field is the wildcard: asterisk (*). Multiple users can be selected using the Shift or Control keys. Once selected, the user entity list can be modified using the button controls:

    • Left Arrow—Add the selected user(s) to the user entity list.
    • Right Arrow—Remove the selected user(s) from the user entity list.

Select an element (e.g. System Administrator Role) from the Results list and move it to the right-hand pane by clicking >.

Browse tab

If a large number of users need to be selected, it can be more effective to use the Browse page rather than the search function.

The search fields have the following properties:

Groups

Search institution groups for names that match the entered text. A blank entry field returns all institution groups. Group search results are returned in the pane immediately below the entry field.

Users

Select a group to search for users in the selected group who match the entered text. A blank search entry field returns:

Multiple users can be selected using the Shift or Control keys. Once selected, the user entity list can be modified using the button controls:

Select an element (e.g. INT - System Administrators) from the results list and move it to the right-hand pane by clicking >.

Network tab

The Network page associates an action with an IP address or referring URL.

Add an IP Address

Enter an IP address in standard 255.255.255.255 format and a subnet mask in CIDR notation, a number between 0–32. The subnet mask represents the number of bits masked from the starting bit of the IP address. An example IP address and mask of 192.168.102.127/24 will allow access from IP addresses in the range 192.168.102.0 to 192.168.102.255.

Add a HTTP Referrer

  1. Enter a text string that will be matched to the URL of the recipient.
    • Only match this exact referrer—the recipient URL must match the entered referrer URL exactly.
    • Match referrers containing this value—the recipient URL must contain the entered referrer text string. The entered text string does not need to be a resolvable URL.
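To see what a Network recipient actually covers before saving it, the two matching rules above can be reproduced offline. This is an added example, not EQUELLA code: it assumes referrer matching is a plain case-sensitive string comparison, and the rules and referrer URLs are constructed samples.

```python
import ipaddress
from urllib.parse import urlsplit


def describe_ip_rule(rule):
    """Expand 'address/mask' into the range of addresses it matches."""
    iface = ipaddress.IPv4Interface(rule)
    net = iface.network
    return {
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "addresses": net.num_addresses,
        # True when the entered address is not the start of the range,
        # e.g. 192.168.102.127/24: the whole /24 matches, not one host.
        "host_bits_set": iface.ip != net.network_address,
    }


def ip_rule_matches(rule, client_ip):
    return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Interface(rule).network


def referrer_rule_matches(value, referrer, exact):
    """exact=True: 'Only match this exact referrer'; False: 'containing'."""
    if not referrer:
        return False
    return referrer == value if exact else value in referrer


# Constructed referrer values used to probe "containing" rules.
SAMPLE_REFERRERS = [
    "https://lms.example.edu/course/101",
    "https://lms.example.edu.other.example/page",
    "https://other.example/?next=lms.example.edu",
]


def review_rules(rules, max_addresses=256):
    """Return one finding per rule that matches more than its text suggests."""
    findings = []
    for kind, value, mode in rules:
        if kind == "ip":
            info = describe_ip_rule(value)
            span = f"{info['first']} to {info['last']}"
            if info["addresses"] > max_addresses:
                findings.append(f"{value}: covers {info['addresses']} addresses ({span})")
            elif info["host_bits_set"]:
                findings.append(f"{value}: matches the whole range {span}")
        elif kind == "referrer" and mode == "contains":
            # The referrer is a request header supplied by the client, and a
            # substring rule also matches URLs on hosts other than `value`.
            other = [r for r in SAMPLE_REFERRERS
                     if referrer_rule_matches(value, r, exact=False)
                     and urlsplit(r).hostname != value]
            if other:
                findings.append(f"{value!r} also matches: {', '.join(other)}")
    return findings


# Constructed rule set: (kind, value, referrer mode).
RULES = [
    ("ip", "192.168.102.127/24", None),
    ("ip", "10.0.0.0/8", None),
    ("referrer", "lms.example.edu", "contains"),
    ("referrer", "https://lms.example.edu/course/101", "exact"),
]

if __name__ == "__main__":
    for finding in review_rules(RULES):
        print(finding)
```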

Other tab

The Other page associates generic user entities with an action. These user entities represent groupings that cannot be easily specified using any of the other methods.

Everyone

Represents everyone who can access this instance of EQUELLA. This group includes everyone who can access an EQUELLA URL and comprises Guest and Logged in users.

The owner of the targeted object

Represents object owners, typically object creators.

Logged in users

Represents users who are logged into this instance of EQUELLA.

Guest users

Represents users who can access the EQUELLA URL without logging in.

Single signed on with identifier

Represents users who are logged on using the Shared Secrets plug-in. This option is mainly for use with third-party integrations.

Create advanced user entity lists

User entity lists are expressions whose evaluation for the current user determines access to objects. The user entity list consists of user and groupings (expression operators) that can be combined to create an expression of arbitrary complexity. User entity lists can be created by identifying a user or users to be matched using the default Match Any grouping but occasionally a more sophisticated list is required. Important considerations when creating user entity expressions are:

The available groupings are:

To change a grouping, the grouping drop-down list must be enabled. Enabling the drop-down is linked to the rename folder functionality of the Operating System.

Add Grouping button

Click Add Grouping to add a new user entity grouping with the default Match Any operator.

OK button

Click OK to save changes and close the Select Recipients dialog. The Who? column in the View/Modify ACLs pane is populated with the selection.

Cancel button

Click Close to close the dialog without saving changes.

Access Control reference

Objects with configurable security in the EQUELLA Administration Console have either an Access Control tab or a Security tab that provide multiple methods for configuring ACLs. The sections below describe access control options for individual objects.

Administration Console objects

Administration Console objects with configurable security are:

Access control is configured on the Access Control tab, with the exception of Collection Definitions that have a Security tab. The Collection Definitions—Security tab has three further tabs: Access Control, Resource Status ACLs and Resource Metadata ACLs.

Configure access control

The Access Control page provides a choice of three modes for configuring access: Basic, Advanced and Do not specify.

Elements of the Access Control page are:

Basic mode

The Basic interface provides a simplified interface where users and privileges can be configured.

Elements of the Basic page can include:

Entity list

Determines the user entity that will be associated with the specified privilege and can include:

Select button

Enabled when A limited set of users, groups, and/or roles is selected. Click Select to display the Select Recipients… dialog.

Save button

Click Save to save changes.

Close button

Click Close to return to the Administration Console, or to discard the changes.

To search for user entities:

  1. Select the A limited set of users, groups, and/or roles radio button.
  2. Click Select to display a Select Recipients… dialog. Elements of the Basic mode Select Recipients dialog are:
    • Search tab—searches the selected user entity (Users, Groups or Roles) for the text entered in the search criteria.
    • Browse tab—if a large number of users need to be selected, it can be more effective to use the Browse page rather than the search function.
    • User entity pane—displays users, groups or roles associated with the selected privilege.
  3. Select user entities (e.g. Content Administrator Role and System Administrator Role) from the Results pane.
  4. Click right arrow to move selections to the right-hand pane. Click left arrow to remove individual entities, or « to remove all entities.
  5. Click OK to add entities to the access list.

Advanced mode

The Advanced interface provides fine-grained access control.

Elements of the Advanced page are:

Action table

Can display actions, user entities and override flags for this privilege. Click on an action in the Action column to enable a drop-down list with Grant and Revoke options. Click on a user entity in the Who? column to display a Select Recipients dialog similar to that in the Security Manager. The Collection Definition Editor—Access Control page can display an Override? column, depending on the selected privilege.

The Override? column is not displayed on the Collection Definition Editor—Access Control page for the following collection privileges:

Add button

Click +Add to add an action to the bottom of the action list. The first action added defaults to a Grant action, while adding further actions creates a clone of the previous action.

Remove button

Click -Remove to remove the selected action from the list.

Movement arrows

Use the up and down arrows to change the position of the selected action.

Show overriding ACLs

Check the Show overriding ACLs checkbox to display inherited ACLs that override actions for this privilege above the action table.

Show default ACLs

Check the Show default ACLs checkbox to display inherited ACLs that do not override actions for this privilege below the action table.

Do not specify mode

The Do not specify interface is not configurable.

User access remains as the default set in the Administration Console Security Manager.

  1. Click the Show inherited privileges that will apply link to display an action list showing users, groups or roles associated with the selected privilege.

Collections Security tab

The Collections object has a Security tab that has four further tabs: Access Control, Resource Status ACLs, Resource Metadata ACLs and Dynamic Metadata ACLs.

Resource Status ACLs tab

The Resource Status ACLs page configures access privileges that depend on the state of resources within the collection. This can be useful for changing user access depending on where the resource is in a workflow. The Resource Status ACLs page provides all the functionality of the Access Control page with an additional control for selecting the resource status that is associated with the action.

For resources that are…

Select a resource status for this action from the drop-down list. Resource statuses include: draft, live, rejected, moderating, archived, suspended, deleted, and review.

Resource Metadata ACLs tab

Resource metadata ACLs control access based on information (metadata) about a resource. Resource metadata includes status, workflow progress, user role or item schema data. The Resource Metadata ACLs page enables the creation of named scripts that are evaluated to determine user access. Scripts can be arbitrarily complex and include one or all of the metadata types. When a script is evaluated, it will return either true or false. When a true value is returned, the action associated with the script is used to determine user access.

The elements of the Resource Metadata ACLs page are:

Elements of the Script Editor pane are:

Name

Enter or edit the name of the selected script (e.g. Reviewers).

If a resource’s metadata matches… tab

Comprises the Basic and Advanced tabs of the Script Editor. Scripts provide automatic selection of actions based on metadata attributes.

…then apply the following… tab

Associates an action with the script and uses the same access control interface as the Access Control tab.

Dynamic Metadata ACLs

The Resource Metadata ACLs (static) provides a means of setting permissions based on individual metadata values across a collection. Dynamic Metadata ACLs extend this functionality to enable the creation of permissions dynamically based on User, Group or Role IDs stored in the resource metadata.

Once a Dynamic Metadata rule is set up for a collection, and a User, Group or Role ID stored in the metadata (which may be added via a selector during contribution, a Save script, checklists etc.) is found to match a value in the selected ID Type table (User, Group or Role), the ACLs pre-set for the selected objects will be allocated dynamically.

For example, an EQUELLA group could be set up for each course an institution offers, and the users (students) enrolled in that course are added to the group. A dynamic metadata rule is created which sets the path, ID type (in this case, group) and the ACLs (privileges) that will be applied when a match is found during contribution. When the value of the metadata node for the group selector matches the group ID, the ACLs are automatically created.

In the above example, the following steps are completed to configure the dynamic metadata ACLs rule:

Add user, group or role selector control to contribution wizard

From the Collection Definition Editor accessed via the Administration Console, edit a collection (e.g. Learning resources) and go to the Wizard tab. Add one of the new Group, Role or User selector wizard controls.

NOTE: A relevant metadata schema node must be created prior to configuring the wizard control (e.g. /item/itembody/Class).

Create a new Dynamic metadata ACLs rule

  1. In the Collection Definition Editor for the selected collection, go to the Security tab, then select the Dynamic Metadata ACLs tab.
  2. Select Add to add a new Dynamic Metadata ACL rule. Enter the following information:
    • Name – a descriptive name for the rule (e.g. Class view)
    • Path – select the path that matches the path selected in the User, Group or Role selector control (e.g. /item/itembody/Class).
    • ID type – Select User, Group or Role IDs (depending which selector control has been configured) (e.g. Group ID)
  3. Add the ACLs that will be dynamically created for objects matching the rule.
  4. Click Save.

When a resource is contributed to the collection, Users, Groups or Roles are selected from the relevant selector and when a match or matches are found using the configured Dynamic Metadata ACL rule, the rule’s privileges are dynamically applied for that resource.
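The matching step of a Dynamic Metadata ACL rule can be sketched as follows. This is an added example, not EQUELLA code: the item XML layout (an `<xml>` root wrapping the `/item/itembody/Class` nodes), the IDs, the directory contents and the choice of privileges for the rule are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicRule:
    name: str
    path: str      # schema node the selector control writes to
    id_type: str   # "User", "Group" or "Role"
    acl: tuple     # (action, privilege) pairs applied on a match


def ids_at_path(item_xml, path):
    """Return the distinct, non-empty values stored at `path`, in order."""
    root = ET.fromstring(item_xml)
    seen, ordered = set(), []
    for el in root.findall("./" + path.strip("/")):
        value = (el.text or "").strip()
        if value and value not in seen:
            seen.add(value)
            ordered.append(value)
    return ordered


def apply_rule(rule, item_xml, directory):
    """Return (ACL entries created for this resource, values that matched nothing).

    Only IDs found in the table for the rule's ID type produce entries.
    """
    known = directory.get(rule.id_type, {})
    entries, unmatched = [], []
    for value in ids_at_path(item_xml, rule.path):
        if value in known:
            who = f"{rule.id_type}:{value}"
            entries.extend((action, privilege, who) for action, privilege in rule.acl)
        else:
            unmatched.append(value)
    return entries, unmatched


# Constructed directory of known IDs per ID type.
DIRECTORY = {
    "Group": {"grp-bio101": "BIO101 students", "grp-chem200": "CHEM200 students"},
    "User": {"usr-jsmith": "J. Smith"},
    "Role": {},
}

# Constructed item metadata: a duplicate, a stale group ID, a user ID and
# an empty node all sit under the rule's path.
ITEM_XML = """<xml><item><itembody>
  <Class>grp-bio101</Class>
  <Class> grp-bio101 </Class>
  <Class>grp-left-2019</Class>
  <Class>usr-jsmith</Class>
  <Class/>
</itembody></item></xml>"""

RULE = DynamicRule(
    name="Class view",
    path="/item/itembody/Class",
    id_type="Group",
    acl=(("GRANT", "COMMENT_VIEW_ITEM"), ("GRANT", "COMMENT_CREATE_ITEM")),
)

if __name__ == "__main__":
    created, ignored = apply_rule(RULE, ITEM_XML, DIRECTORY)
    for entry in created:
        print(entry)
    print("no match:", ignored)
```

Because the values at the rule's path decide who receives the rule's privileges, the unmatched list is worth reviewing, as is who is able to write to that metadata node.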

Privileges

EQUELLA provides a privilege for every system task. Creating an ACL for an institution displays all the available privileges. In the Security Manager, the number of privileges for ACLs in subsequent levels depends on the child objects and associated tasks.

All privileges are listed in alphabetical order below. Privileges have an associated object and most have a textual string; however the raw privilege only, for example EDIT_COLLECTION, is displayed in the Security Manager while the associated string edit this collection is displayed to collection creators when configuring security.

NOTE: All privileges are configurable at Institution level.

ACCESS_SHOPPINGCART

Allows users to browse catalogues, view catalogue resources, select pricing model/subscription duration and add resources to a shopping cart. Also allows users to view the active shopping cart details and submit or pay for it (depending on payment rules). Additionally, allows users to view pending orders (requiring approval, requiring payment and rejected).

This privilege can be granted at an institution or stores level.

ADMINISTER_OAUTH_TOKENS

Allows OAuth client tokens to be viewed and deleted. This privilege can be granted or revoked at an OAuth Clients or Institution level.

ADMINISTER_PORTLETS

Allows for control over all portlets in the institution. Can be granted at Institution level or for the Portlets grouping.

ARCHIVE_ITEM

Allows resources to be moved to a state where they retain their permanent address and can be viewed but cannot be found using a search. It is available in the Collection Definition Editor—Access Control page with the textual strings archive resources in this collection in any state, archive resources in this state (on the Resource Status ACLs page) and archive resources matching this rule (on the Resource Metadata ACLs page).

AUTO_CREATE_COURSE

Allows courses to be created automatically in EQUELLA in the instance where a user is activating a copyright portion for a course from the integration screen and no matching course code from the LMS course can be found in EQUELLA. A course is created in EQUELLA using the course code from the LMS as the Course Name and Code. It is available in the Collection Definition Editor – Access Control page with the textual strings add a course at time of activation from a LMS in any state, add a course at time of activation from a LMS in this state (on the Resource Status ACLs page) and add a course at time of activation from a LMS matching this rule (on the Resource Metadata ACLs page).

BROWSE_STORE

Allows users to access Stores to view catalogue resources at the Store front. This privilege can be granted at an institution or stores level.

CLONE_ITEM

Allows the contribution of resources with identical metadata and attachments to an existing resource. It is available in the Collection Definition Editor—Access Control page with the textual strings clone resources in any state, clone resources in this state (on the Resource Status ACLs page) and clone items matching this rule (on the Resource Metadata ACLs page).

COMMENT_CREATE_ITEM

Allows comments and star ratings to be added to resources from the resource summary Comments section. It is available in the Collection Definition Editor—Access Control page with the textual strings add comments to resources in this collection in any state, add comments to resources in this state (on the Resource Status ACLs page) and add comments to resources matching this rule (on the Resource Metadata ACLs page).

COMMENT_DELETE_ITEM

Allows existing comments to be deleted from resources on the Resources Summary Comments section. It is available in the Collection Definition Editor—Access Control page with the textual strings delete comments on resources in this state (on the Resource Status ACLs page) and delete comments on resources matching this rule (on the Resource Metadata ACLs page).

COMMENT_VIEW_ITEM

Allows for the viewing of comments and star ratings on the resource summary page Comments section. It is available in the Collection Definition Editor—Access Control page with the textual strings view comments on resources in this collection in any state, view comments on resources in this state (on the Resource Status ACLs page) and view comments on resources matching this rule (on the Resource Metadata ACLs page).

Enables the activation of copyright-compliant resources under CAL or CLA copyright restrictions so that they can be viewed. It is available in the Collection Definition Editor—Access Control page with the textual strings edit copyright on resources in this collection in any state, edit copyright on resources in this state (on the Resource Status ACLs page) and edit copyright on resources matching this rule (on the Resource Metadata ACLs page).

Enables users to override the Part VB copyright percentage limit at the time of activation of a portion record. It is available in the Collection Definition Editor – Access Control page with the textual strings allow user to override at time of activation in this collection in any state, allow user to override at time of activation in this collection in this state (on the Resource Status ACLs page) and allow user to override at time of activation matching this rule (on the Resource Metadata ACLs page).

CREATE_CATALOGUE

Enables the creation of new Store catalogues. This privilege can be granted at an institution level or on the Catalogue object.

CREATE_COLLECTION

Enables the creation of new collections in the Administration Console Collection Definition Editor.

CREATE_CONNECTOR

Allows the creation of External system connectors associated with Push to LMS functionality.

CREATE_COURSE_INFO

Allows the creation of courses in the Administration Console Course Editor.

Allows for the creation of custom links in the navigation pane. This privilege can be granted or revoked at Institution level, or on the Custom Links object.

CREATE_DYNA_COLLECTION

Allows the creation of dynamic collections in the Administration Console Dynamic Collection Editor.

CREATE_ECHO

Enables the creation of new EchoSystem servers. This privilege can be granted at an institution level or on the EchoSystem servers object.

CREATE_EXTERNAL_TOOL

Enables the creation of new external tool providers (LTI). This privilege can be granted at an institution level or on the External tool object.

Allows for the creation of remote repositories (previously federated searches) in the Administration Console Remote Repository Editor.

CREATE_HARVESTER_PROFILE

Allows for the creation of harvester profiles in the Administration Console Harvester Profile Editor.

CREATE_HTML_EDITOR_PLUGIN

Enables the creation of new HTML Editor plugins. This privilege can be granted at an institution level or on the HTML Editor object.

CREATE_ITEM

Allows for the contribution of resources into collections. It is available in the Collection Definition Editor—Access Control page with the textual string contribute resources with this collection.

CREATE_KALTURA

Enables the creation of new Kaltura servers. This privilege can be granted at an institution level or on the Kaltura object.

CREATE_LTI_CONSUMER

Allows for the creation of new LTI consumer registrations. This privilege can be granted or revoked at an LTI consumers or Institution level.

CREATE_OAUTH_CLIENT

Allows for the creation of new OAuth client application registrations. This privilege can be granted or revoked at an OAuth Clients or Institution level.

CREATE_PAYMENT_GATEWAY

Enables the creation of new Payment gateways. This privilege can be granted at an institution level or on the Payment gateway object.

CREATE_PORTLET

Allows for the creation of portlets on the user’s Dashboard page. This privilege can be granted or revoked at the Institution level, the Portlets grouping, or on the individual portlet type.

Allows the creation of advanced searches in the Administration Console Advanced Search Editor.

CREATE_REGION

Enables the creation of new Regions. This privilege can be granted at an institution level or on the Regions object.

CREATE_REPORT

Allows the creation of reports in the Administration Console Report Editor.

CREATE_SCHEMA

Allows the creation of metadata schemas in the Administration Console Schema Editor.

CREATE_STORE

Enables the creation of new Store registration on a Store front. This privilege can be granted at an institution level or on the Stores object.

CREATE_STOREFRONT

Enables the creation of new Store front registrations. This privilege can be granted at an institution level or on the Store front object.

CREATE_TAX

Enables the creation of new Store taxes. This privilege can be granted at an institution level or on the Store Taxes object.

CREATE_TAXONOMY

Allows the creation of taxonomies in the Administration Console Taxonomy Editor.

CREATE_TIER

Enables the creation of new Pricing tiers. This privilege can be granted at an institution level or on the Tiers object.

CREATE_USER_SCRIPTS

Enables the creation of new User Scripts. This privilege can be granted at an institution level or on the User scripts object.

CREATE_WORKFLOW

Allows the creation of workflow templates in the Administration Console Workflow Template Editor.

DEACTIVATE_ACTIVATION_ITEM

Allows the deactivation of copyright activation resources. It is available in the Collection Definition Editor—Access Control page with the textual strings deactivate activation requests on resources in this collection in any state, deactivate activation requests on resources in this state (on the Resource Status ACLs page), and deactivate activation requests on resources matching this rule (on the Resource Metadata ACLs page).

DELETE_ACTIVATION_ITEM

Allows the deletion of copyright activation resources. It is available in the Collection Definition Editor—Access Control page with the textual strings delete activation requests on resources in this collection in any state, delete activation requests on resources in this state (on the Resource Status ACLs page), and delete activation requests on resources matching this rule (on the Resource Metadata ACLs page).

DELETE_CATALOGUE

Enables the deleting of Store catalogues. This privilege can be granted at an institution level or catalogue level.

DELETE_COLLECTION

Allows collections to be deleted. It is available in the Collection Definition Editor—Access Control page with the textual string delete this collection.

DELETE_CONNECTOR

Allows external connectors to be deleted. It is available via the External system connectors page accessed from the Settings menu.

DELETE_COURSE_INFO

Allows courses to be deleted. It is available in the Course Editor—Access Control page with the textual string delete this course.

Allows for the removal of custom links from the navigation pane. This privilege can be granted or revoked at Institution level, or on the Custom Links object.

DELETE_DYNA_COLLECTION

Allows the deletion of dynamic collections from the Administration Console.

DELETE_ECHO

Enables the deleting of EchoSystem servers. This privilege can be granted at an institution level or EchoSystem servers object level.

DELETE_EXTERNAL_TOOL

Enables the deleting of external tool providers. This privilege can be granted at an institution level or an external tool provider level.

Allows remote repositories (previously federated searches) to be deleted. It is available in the Remote Repository Editor—Access Control page with the textual string delete this remote repository.

DELETE_HARVESTER_PROFILE

Allows harvester profiles to be deleted. It is available in the Harvester Profile Editor—Access Control page with the textual string delete this harvester profile.

DELETE_HTML_EDITOR_PLUGIN

Enables the deleting of HTML Editor plugins. This privilege can be granted at an institution level or HTML Editor plugin object level.