On 10/09/2010 03:11 PM, Dalluege, Pierre (extern) wrote: > Hello xwiki users, > > I reviewed the docs, but I didn't find the right answer, maybe you can help: > > If a user is in two groups A and B, how can I handle the treatment if it is > "allow" in one group and "deny" in the other? > > Imagine B is the group of experts within a company A, so I would like to have > "at least one allow" but I probably have "at least one deny". > > To overcome this situation at the moment, I must provide admin rights for the > experts group, which I am not interested in at all. > > The second option is to have one user per role, this will lead to > inconsistencies and is not preferred too. > > The thrid is to massively increase the number of groups, for each role > combination one own group. This is not an option too. > > Any ideas? Thx a lot in advance Best regards
The current implementation says that Deny always wins when comparing two rights at the same specificity (user rights vs. user rights, group rights vs. group rights). Also, there is no order among groups, so it's impossible to say that the rights for the "Experts" group are more important than the rights for the "General users" group. This is something that causes problems from time to time for admins, and it should be fixed at some point, but it's not planned for the near future. For the moment, you can review the rights you set so that there are fewer Deny rights. One tip: specifying an access right for a group automatically denies that right for those that are not in that group. So, explicitly allowing edit right for the Experts group means that everybody that is not in the Experts group will be denied edit access, even if there's no explicit rule for this. This makes it possible to solve most of the problems. -- Sergiu Dumitriu http://purl.org/net/sergiu/ _______________________________________________ users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
