Type is the broadest user designation within Sakai. Types can be administrative or non-administrative:
Upon installation, the administrative type is the only account, and is used to create worksites. After adding users to the system (using the User tool), the administrative type can bestow upon non-administrative users the ability to create new sites by giving them the user type "registered" or "maintain" (defined below).
Note: The ability to create a site is derived from the site.add permission granted in the !user.template.registered realm. Complicating this, however, is the fact that a user account type has associated with it both .auth (authorized) and .anon (anonymous, i.e., not logged in) roles. Strictly speaking, it is the site.add permission in the .auth role of !user.template.registered that grants the permission.
Note: Do not confuse the account type "maintain" with the role of "maintain", which you may grant to a user in a particular site or for a particular tool. Account type and role in a worksite serve different purposes.
Note: Sites can also have types (e.g., course sites and project sites), which determine what default roles the site recognizes. For example, a course site might get the !site.template.course roles (i.e., those defined by the !site.template.course realm).
The default site roles, which can be changed by the administrative user type, are "maintain" and "access". Each implementation can be tailored differently, with different roles assigned to users. Each of these roles has a different matrix of permitted abilities within the site.
Realms are packages of security grants that determine roles for accounts within a site. The permissions enabled for roles can be unique to each site. The defaults are set in the worksite's default template (e.g., !site.template.course for a course site, or !site.template.project for a project site).
For non-administrative users, the ability to create sites is outside the scope of a particular worksite, and is determined by the type of account (as described above in the "Types" section). The account type determines which realm template the user has, and within the realm template is the control for ability to create sites, for example:
The !user.template.registered realm, which has the site.add permission enabled. Therefore, any users with the "registered" account type will be able to create worksites.
The !user.template.guest realm, which does not have the site.add permission enabled. Therefore, any users with the "guest" account type will not be able to create worksites.
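The resolution described above (account type, then its !user.template realm, then the .auth role, then site.add) can be checked mechanically. The following is an added example, not Sakai's own code: the CSV layout, the sample rows and the !user.template.example realm are constructed for illustration.

```python
import csv
import io

# Constructed sample of realm grants as (realm_id, role, function) rows.
# Realm and permission names follow the page; the CSV layout is an assumption.
SAMPLE_GRANTS = """\
realm_id,role,function
!user.template.registered,.auth,site.add
!user.template.registered,.auth,site.visit
!user.template.maintain,.auth,site.add
!user.template.guest,.auth,site.visit
!user.template.example,.anon,site.add
!site.template.course,maintain,site.upd
!site.template.course,access,site.visit
"""

USER_TEMPLATE_PREFIX = "!user.template."

def load_grants(text):
    """Parse grant rows into {realm_id: {role: set(functions)}}."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        roles = grants.setdefault(row["realm_id"], {})
        roles.setdefault(row["role"], set()).add(row["function"])
    return grants

def can_create_sites(grants, account_type):
    """True only if site.add is in the .auth role of the type's template realm."""
    realm = grants.get(USER_TEMPLATE_PREFIX + account_type, {})
    return "site.add" in realm.get(".auth", set())

def audit_site_add(grants):
    """Return (account types allowed to create sites, findings to review)."""
    allowed, findings = [], []
    for realm_id, roles in sorted(grants.items()):
        if not realm_id.startswith(USER_TEMPLATE_PREFIX):
            continue  # site realms define in-site roles, not site creation
        account_type = realm_id[len(USER_TEMPLATE_PREFIX):]
        if can_create_sites(grants, account_type):
            allowed.append(account_type)
        if "site.add" in roles.get(".anon", set()):
            findings.append(f"{realm_id}: site.add granted to .anon role")
    return allowed, findings

if __name__ == "__main__":
    allowed, findings = audit_site_add(load_grants(SAMPLE_GRANTS))
    print("account types that can create sites:", allowed)
    for finding in findings:
        print("REVIEW:", finding)
```

The "maintain" role inside !site.template.course never appears in the result, which matches the page's distinction between the "maintain" account type and the "maintain" site role.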
When "registered" users create worksites, they automatically become members of the site and have (by default) roles that enable full permissions. By specifying roles for new users, site creators can control how participants use and interact with tools in the worksite. The role can be one of the default roles ("maintain" and "access"), or it can be a role that the administrator has created with the Realm tool.
All users have the broadest permissions (i.e., the ability to create, edit, and delete) in their respective My Workspace tabs.
In general, the default "maintain" role has full permission to create, edit, and delete within a worksite. The default "access" role has fewer permissions, and cannot create or delete content in every tool (e.g., by default, the "access" role cannot upload files into Resources, but it can create Chat messages and Discussion replies).
Roles that have worksite edit capabilities (e.g., the default "maintain" role) can change the permissions for tools, determining how participants can use them.
For more information about permissions, see the Sakaipedia's Permissions list at:
http://bugs.sakaiproject.org/confluence/display/ENC/Permissions+list