We have two classes, Class A and Class B, and we want to restrict access to the class apps so that only Class A users can access the app for Class A, and only Class B users can access the app for Class B. We would like to implement App Access Control in Open OnDemand, ensuring that the menu item for each class app is only visible to members of the corresponding user groups. Could you please provide a detailed procedure for implementing this? Thank you.
The first approach is likely simpler, but would require a new file for each class.
Basically you have an application, let’s call it jupyter just for the sake of simplicity. So you deploy the application jupyter that everyone can see and that’s all fine.
What you do is - you configure a sub app for each class. Specify everything you need in the sub app, and set a FACL on the file such that only members of Class A can see it (I assume members of Class A are a part of a Unix group for that class).
So you’d have one app that has everything, but the users use the variants you’ve supplied as sub apps. This is how bc_desktop works. We supply the application bc_desktop but you’re providing different variants (sub apps) of that original application.
Here’s a snippet of what ours looks like. The key is the app type, classroom name plus additional fields that specify different customizations and options to provide to that class. The value is the accounting ID we use for the class (a UNIX group).
Then in the application you read and interpret this YAML. Here’s our classroom app for jupyter where it reads this YAML and configures the form based off of that data (again, you have to know a little Ruby to see what’s going on here).
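A sketch of the YAML-driven approach described above, added here as an example and not the poster's code: it reads a class-to-group mapping and returns only the classes whose Unix group the user belongs to. The key layout (`<app>:<class>[:<option>...]`), the group names and the helper names `classes_for` and `current_user_groups` are assumptions made for illustration.

```ruby
require 'yaml'
require 'etc'

# Constructed sample, not the poster's file. Assumed key layout:
# "<app>:<class>[:<option>...]"; the value is the class's Unix group.
CLASSROOMS_YAML = <<~YAML
  "jupyter:CLASS_A:gpu": classa
  "jupyter:CLASS_B": classb
  "rstudio:CLASS_A": classa
  "jupyter:": staff
YAML

# Names of the groups the current process belongs to (primary and supplementary).
def current_user_groups
  (Process.groups | [Process.egid]).filter_map do |gid|
    Etc.getgrgid(gid).name
  rescue ArgumentError
    nil # gid has no entry in the group database
  end
end

# Classes of `app` whose group is in `user_groups`. Entries without a class
# name or with a non-string group are skipped, so a bad line grants nothing.
def classes_for(app, yaml_text, user_groups)
  mapping = YAML.safe_load(yaml_text) || {}
  raise ArgumentError, 'class mapping must be a YAML hash' unless mapping.is_a?(Hash)

  mapping.filter_map do |key, group|
    key_app, klass, *options = key.to_s.split(':')
    next unless key_app == app && klass && !klass.empty?
    next unless group.is_a?(String) && user_groups.include?(group)

    { class: klass, group: group, options: options }
  end
end

if __FILE__ == $PROGRAM_NAME
  visible = classes_for('jupyter', CLASSROOMS_YAML, current_user_groups)
  puts visible.empty? ? 'no classes for this user' : visible.map { |c| c[:class] }.join(', ')
end
```

This only decides what the form offers; in the sub app approach it is the FACL on each file that the filesystem enforces.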