Research and Development

Puavo's Organisation Model

There are many system management tools that provide user and device management for Linux systems, but most of these tools are built on the assumption that all data belongs to a single organisation, such as a company or a school district. Managing user databases for two school organisations means having a separate installation for each organisation. In the age of cloud services it is quite easy to clone virtual servers, but updating every server separately soon becomes time-consuming when there are more than a few servers to support.

Puavo is a web-based administration tool designed to support multiple organisations sharing common infrastructure services. This means that a single Puavo instance can be used to manage many education departments for many cities. This could also be taken to the country level, where a single Puavo installation would manage all schools in the country. The model is the same as for many webapps that serve many customers with their own user databases. One party can take care of the infrastructure services for all and reduce maintenance costs. There's no need to have 50 separate physical or virtual machines to provide services for 50 organisations. Puavo installations can be clustered for better reliability so that losing one server doesn't affect the service.

In this example there are two LDAP master servers that share three LDAP databases. Puavo is running in a two-machine cluster that accesses the LDAP cluster.

In Puavo every organisation has its own data. At the database level this means that every organisation has its own LDAP database. Every organisation can have multiple schools, and all users, groups and devices in it share the same namespace and the same database. This means that within an organisation there can be only one user with the username john.doe and only one device named laptop001. Users do not have access outside their own organisation.

Every organisation has owner(s) (or superusers) who have access to everything and can create new schools. Schools have school admins who can modify groups and users within the school. Teachers are also allowed to change passwords of pupils in their school. This means that there are four types of users with special rights or responsibilities:

  • Puavo server admins who manage the servers and their configuration
  • Organisation owners who manage schools and groups, users and devices in them
  • School admins who manage groups, users and devices in their schools
  • Teachers who change forgotten passwords
Veli-Matti Lintu
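
The organisation boundary and the four roles described above can be written as a default-deny access check. This is an added example, not Puavo's own code: the role names, action names, the `Entry` type and the sample organisations are assumptions made for illustration, as is the treatment of server admins and of password changes by school admins.

```python
from dataclasses import dataclass
from typing import Optional

# Role and action names are assumptions made for this sketch, not Puavo identifiers.
MANAGE = {"manage_group", "manage_user", "manage_device"}
OWNER_ACTIONS = MANAGE | {"create_school", "change_password"}
# Assumption: a school admin's user management includes password changes.
SCHOOL_ADMIN_ACTIONS = MANAGE | {"change_password"}

@dataclass(frozen=True)
class Entry:
    org: Optional[str]            # organisation (its own LDAP database); None for server admins
    role: str                     # a user's role, or a kind such as "school" for other targets
    school: Optional[str] = None  # None for owners and organisation-level targets

def is_allowed(actor: Entry, action: str, target: Entry) -> bool:
    """Default-deny check of the role model; `target` is the object acted on."""
    if actor.role == "server_admin":
        # Assumption: server admins run the servers and are not modelled
        # as having rights over data inside an organisation.
        return action == "manage_server"
    # Tenant isolation is checked before any role: nothing crosses organisations.
    if actor.org is None or actor.org != target.org:
        return False
    if actor.role == "owner":
        return action in OWNER_ACTIONS
    same_school = actor.school is not None and actor.school == target.school
    if actor.role == "school_admin":
        return same_school and action in SCHOOL_ADMIN_ACTIONS
    if actor.role == "teacher":
        return same_school and action == "change_password" and target.role == "pupil"
    return False

# Constructed sample data: two organisations that both have a school named "north".
OWNER_A = Entry("city-a", "owner")
ADMIN_A = Entry("city-a", "school_admin", "north")
TEACHER_A = Entry("city-a", "teacher", "north")
PUPIL_A_NORTH = Entry("city-a", "pupil", "north")
PUPIL_A_SOUTH = Entry("city-a", "pupil", "south")
PUPIL_B_NORTH = Entry("city-b", "pupil", "north")

if __name__ == "__main__":
    for target in (PUPIL_A_NORTH, PUPIL_A_SOUTH, PUPIL_B_NORTH):
        print(target, is_allowed(TEACHER_A, "change_password", target))
```

Because the organisation comparison runs before any role logic, a school name that happens to exist in two organisations never grants access across them.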
