Mailing List Archive

Create a non-global admin for site who can create groups
Hello everyone

First post - apologies if this has already been answered elsewhere. I've
been reading and rereading the Security docs
http://bricolagecms.org/docs/2.0/api/Bric/Security.html#Authorization and
am still having trouble with creating non-global admins.

I'm trying to create a "regional" admin group that's a level below global
admins - that is, members of this group would have access to only one
regional site (I made a group for all that site's groups) and would be able
to add and edit users only within this regional group. I'm stuck on one
issue: I can't get these regional admins to be able to create groups and
also assign users to their newly created groups. The regional admins can't
assign themselves to the groups they create, so they never get the edit
power for those groups.

1.) Is this possible? Or can only global admins create groups and assign
users?

2.) Following the steps on the security page, I do this:

1. As global admin, create regional admin group. Assign this group the
permission to Create All groups, Edit regional groups, Create All users and
edit regional users.
2. Create user and add user to regional admin group.
3. Log in as regional admin. Create a user group. Add user group to
"regional groups" group. There's no option to add users to this group or
edit the permissions of the group I've just created.
4. On my profile page as the regional admin, the newly created group is
grayed out and is not available to be added to my groups.

If I log in as global admin and then add the regional admin to the group,
then regional admin can then add members to the group himself, although he
still can't access the Permissions screen for the group or change access to
it on the regional admin group > Permissions screen.

Is there any way to configure group permissions so that a non-global admin
can both create groups and add himself to the newly created groups?

thanks,

Clare
Re: Create a non-global admin for site who can create groups
On 2012-09-18, at 4:28 PM, Clare Parkinson <clare.parkinson@gmail.com> wrote:

> First post

Welcome.


> - apologies if this has already been answered elsewhere. I've
> been reading and rereading the Security docs
> http://bricolagecms.org/docs/2.0/api/Bric/Security.html#Authorization

You may also want to read/watch http://www.phillipadsmith.com/2008/04/bricolage-permissions-101.html

I'm not 100% following what you're hoping to do, but I might recommend having two different browsers open at the same time -- e.g., Firefox logged in as 'Global Admin' and Chrome as 'Regional Admin' -- and experiment with the various permissions like that.

Otherwise, it would help if you can explain what you're hoping to achieve a bit more clearly… are the 'Regional Groups' that you're creating User Groups?

Phillip.

--
Phillip Smith
http://phillipadsmith.com
http://twitter.com/phillipadsmith
http://linkedin.com/in/phillipadsmith

Re: Create a non-global admin for site who can create groups
Thanks for the advice, Phillip.

I will try to explain more clearly: I want to create a user who can create
groups and add newly created users to those groups, but who is not a global
admin.

I have these permissions configured:

"Regional admin users" user group has permissions:

- All Groups - Create
- "Regional groups" group - Edit
- All Users - Create
- "Regional users" users group - Edit

Whatever I do, I can't get a member of the "Regional admin users" user
group to create a group and then be able to assign users to it. The
"Regional admin user" member can't assign herself to her newly created
group, so she can't administer it. Having the new group added to the
"Regional groups" group doesn't seem to help.

I've come up with a workaround: having the global admin create a whole
bunch of temporary groups of various types (e.g. "Regional users group temp
1", "Regional workflow group temp 1") and assign a member of "Regional
admin users" to each temporary group. Then the "Regional admin user" member
can rename the groups, add and edit users, etc. I've only done one test,
but I think that might work. The global admin will have to help set up all
the temporary groups, but once they're in the hopper the regional admin can
do whatever she needs to with them.

If that sounds broken and/or ludicrous, let me know.

thanks for the help and moral support!

-clare


Re: Create a non-global admin for site who can create groups
Hi Clare,

It doesn't sound as straightforward as it should, but if you have a solution that is working all I can say is "carry on!" :)

Phillip.

--
Phillip Smith
http://phillipadsmith.com
http://twitter.com/phillipadsmith
http://linkedin.com/in/phillipadsmith

Re: Create a non-global admin for site who can create groups
On Sep 21, 2012, at 12:57 PM, Clare Parkinson <clare.parkinson@gmail.com> wrote:

> "Regional admin users" user group has permissions:
>
> - All Groups - Create
> - "Regional groups" group - Edit
> - All Users - Create
> - "Regional users" users group - Edit
>
> Whatever I do, I can't get a member of the "Regional admin users" user
> group to create a group and then be able to assign users to it. The
> "Regional admin user" member can't assign herself to her newly created
> group, so she can't administer it. Having the new group added to the
> "Regional groups" group doesn't seem to help.

One should not be a member of a group to administer it. Sounds vaguely like a bug, though I haven’t looked at permissions in so long that there might be a very good reason for it to be the way it is.

> I've come up with a workaround: having the global admin create a whole
> bunch of temporary groups of various types (e.g. "Regional users group temp
> 1", "Regional workflow group temp 1") and assign a member of "Regional
> admin users" to each temporary group. Then the "Regional admin user" member
> can rename the groups, add and edit users, etc. I've only done one test,
> but I think that might work. The global admin will have to help set up all
> the temporary groups, but once they're in the hopper the regional admin can
> do whatever she needs to with them.
>
> If that sounds broken and/or ludicrous, let me know.

Not broken, certainly ludicrous. Bricolage should not make you have to work so bloody hard to do this. But yeah, as Phillip says, if it works, by all means do it. It definitely sounds like a valid workaround.

Just so this doesn't fall through the cracks, would you mind filing a bug report describing this issue?

http://bricolage.lighthouseapp.com/

Thanks!

David