Forums / Setup & design / User groups of groups management

User groups of groups management

Author Message

Alexandre Abric

Tuesday 22 November 2005 6:51:34 am

Hi,

I am currently designing the security model of a new Internet web site and we need to manage groups of groups.

For instance, let's say a user John Smith works for the company MacDonalds. MacDonalds has purchased the products : Foo and Bar.

Our user accounts administration page looks like this :
- Companies (user group)
- - MacDonalds (user group)
- - - John Smith (user)
- Products (user group)
- - Foo (user group)
- - Bar (user group)

The goal is to grant access to the support pages of the product Foo (that belongs to the section "Foo" of the web site) and the product Bar (that belongs to the section "Bar" of the web site) for John Smith. "Foo" section is accessible for users that belong to user group "Foo" (same for Bar).

In a "eZ-perfect world", I would click "add location" on teh MacDonalds node and add a location bellow teh nodes "Foo" and "Bar" => Users that are in "MacDonalds" user group would also be added to Foo and Bar.

- Companies (user group)
- - MacDonalds (user group)
- - - John Smith (user)
- Products (user group)
- - Foo (user group)
- - - MacDonalds (user group)
- - - - John Smith (user)
- - Bar (user group)
- - - MacDonalds (user group)
- - - - John Smith (user)

<b>In other words, we need a groups of groups functionnality in eZ Publish => is this planned in future releases ?</b>

Now the two possible workarounds I have found :

- Develop a workflow that automatically adds the user to the "MacDonalds" user group, and then adds him to the groups "Foo" and "Bar". (I have already developped such a workflow, but the assignments are statically configured in INI files, so this is not very flexible. I would develop a dynamic assignment workflow this time)

- Use reverse related objects attributes in custom user groups. And then develop a custom Admin interface to recursively fetch reverse related objects.

<b>What do you think of this design ? How do you usually manage this ?</b>

Arran Price

Tuesday 22 November 2005 12:58:06 pm

Hi Alexandre,
I may not have quite understood your situation, but can you not do what you need with roles?
if you have roles (probably as well as groups) for MacDonalds, Foo and Bar
you can assign the group MacDonalds to the the appropriate roles (which in this case would be all 3 roles MacDonalds, Foo and Bar). As ultimately roles define access.

Does that make sense?
In that way, all new members of the group, automatically pick up the correct permissions due to the group being assigned permissions as part of the role definition.

Hope thats of help

Arran