omeszar
New Member Posts:20
04/13/2010 2:22 PM
Let's say I have the following structure:
Documents
  Internal Documents
    Americas
      Joes Files
      Johns Files
    Europe
      Joes Files
      Susans Files
      Johns Files
I want to give Joe access to both "Joes Files" under Americas and Europe. I also want to give Susan "Susans Files" under Europe. I don't want any of them to see "Johns Files".
So what I want to do is set up a page that I can give access to Joe and Susan. How do I set up the DMX module so that both Joe and Susan can see their folders and not "Johns Files"?
I don't want to have to set up security all the way up the tree for each person. I just want to give Joe access to "Joes Files" and Susan security to "Susans Files".
Thanks Peter for any help.
Oscar
omeszar
New Member Posts:20
04/13/2010 2:45 PM
Just to add a bit more...
There will be users of the system who will have access to all the files in the organized way described above. So, it doesn't make sense in my case to add a Joes and Susans folders at a higher level. The folder names are for demonstration only just to make it easy to depict.
Jason Scott
New Member Posts:46
04/13/2010 11:26 PM
You're going to have to give "View" permissions by username (or have security roles that only have one member, such as a Role named "Joe"). In doing this, you might give the "Americas" and "Europe" folders view access by "All Users". The sub-folders, however, would be more restrictive. You'd edit the attributes of the Joe folder, and add Joe's username to the "View" rights option.
Now when Joe, John, or Susan log in, they will all see the Americas and Europe folders, but they will only see THEIR sub-folders, since they're secured by username (or single-user security roles).
This is just my opinion. Peter or others might have differing approaches.
Jason
omeszar
New Member Posts:20
04/14/2010 6:57 AM
Hi Jason, thanks for your reply and that's pretty much what I have done. However, here is the problem with that solution.
1) I have to give "All Users" access all the way up the tree so I can create a page that covers both America and Europe. Otherwise, I will need two different pages or DMX instances, one for America and one for Europe.
2) When a user decides to add a folder under either America or Europe, since the folder inherits permission from the parent, "All Users" now have access to the new folder. Sure, they can and should tick that permission off, but the people doing this are not "admins" and they should not have to worry about security, and might not even understand the implications of the security they are setting. That's my job as the admin.
So ideally, I would only want to give access to the folders they need and then be able to have a page with a DMX module that displays anything that I have access to without having to display the entire tree up to the point.
Jason Scott
New Member Posts:46
04/15/2010 5:37 PM
I somewhat understand your scenario. However, not knowing your user base, it's a bit tricky to advise on this. On number 1 in your response above, why NOT have separate DMX instances for America and Europe? On our intranet site, I would say we have DOZENS of instances of DMX, all pointed to different root folders for easy access to the documents.
For your point number 2 above, I feel like it's almost a catch-22. For instance, in our user base, anyone who has "Add" rights IS considered an "Admin", and they must be trained on setting correct permissions. It's really a business function, not a software function. If someone doesn't understand the concept of permissions, then they shouldn't have access to add new folders.
Again, depending on your user base, this might not be feasible.
omeszar
New Member Posts:20
04/16/2010 4:25 AM
Hi Jason,
I also have different instances of DMX on different pages to better segment the process. Think of this scenario: you have internal people who understand the difference between Europe and Americas. Now think of Joe as an outside consultant who doesn't need to know or understand the internal workings of the company; he only needs to know what the files he has access to are. So he only needs to know of a page and get to his files. That's basically the scenario that I have.
As far as security setting, it is easy for a person to understand that if he/she wants Joe to have access to this folder, then give it access to that folder. But what is harder for that person to understand is that he/she needs to give Joe access to the entire tree in order to have access to a single folder. Furthermore, since he gave access to the entire tree, when he/she creates another folder, now Joe has access to that folder by default inherited permission.
Yes, you can train the person to look for that, but let's say the person forgets and it creates a folder meant for Jill that Joe has access to. As I said, Joe is an outside consultant who gets paid say $50/hr for his services. Jill is another outside consultant who gets paid $75/hr for similar services. Now, Joe has access to Jill's files and sees confidential information. That's a problem. The person who set up the folder knew that he gave Joe access to his files and not Susan's when it was first set up, but he/she didn't realize that he/she also gave Joe access to Jill's files because it was set up later and permission is inherited from a folder above.
And, no, I don't agree that the person who adds files and folders should be an "Admin". This is an office worker whose job is to add files and folders, not to maintain the integrity of the site. Here is an old-fashioned analogy. I give the cleaning service keys to all the floors and offices (think of this as a tree with folders) in the building to clean them. But I don't give it keys to the cabinets in the offices where confidential information is stored. Joe has access to his cabinet and Susan to hers. And when I give a cabinet to Jill, she gets the key to that cabinet. But neither Joe nor the cleaning service have access to Jill's cabinet.
What I'm trying to do might not be possible and I hope Peter jumps in and gives his opinion and knowledge on the subject.
Oscar
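The inherited-permission problem described in the post above, as an added example that is not part of the original thread and does not use DMX's API: a generic folder-ACL model in which a folder created later under a parent open to "All Users" becomes visible to Joe, and the same tree when new folders do not inherit. The names `Folder`, `inherit`, `leaked_leaves` and `build` are assumptions made for this sketch, and the tree is constructed from the thread's folder names.

```python
# Generic folder-ACL model for illustration; not DMX's API or data model.
from dataclasses import dataclass, field
ALL_USERS = "All Users"

@dataclass
class Folder:
    name: str
    parent: "Folder | None" = None
    view: set = field(default_factory=set)  # explicit View grants on this folder
    inherit: bool = True                    # also take the parent's View grants
    children: list = field(default_factory=list)

    def add(self, name, view=(), inherit=True):
        child = Folder(name, self, set(view), inherit)
        self.children.append(child)
        return child

    def effective_view(self):
        acl = set(self.view)
        if self.inherit and self.parent is not None:
            acl |= self.parent.effective_view()
        return acl

    def path(self):
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"

def can_view(folder, user):
    return bool({user, ALL_USERS} & folder.effective_view())

def leaked_leaves(folder, user):
    """Leaf folders the user can view without an explicit grant on that folder."""
    if folder.children:
        return [p for c in folder.children for p in leaked_leaves(c, user)]
    leaked = can_view(folder, user) and user not in folder.view
    return [folder.path()] if leaked else []

def build(new_folders_inherit):
    """Constructed tree from the thread; 'Jills Files' is added later by a non-admin."""
    root = Folder("Documents", view={ALL_USERS})
    internal = root.add("Internal Documents")
    americas, europe = internal.add("Americas"), internal.add("Europe")
    for region, owners in ((americas, ("Joe", "John")), (europe, ("Joe", "Susan", "John"))):
        for owner in owners:
            region.add(f"{owner}s Files", view={owner}, inherit=False)
    europe.add("Jills Files", view={"Jill"}, inherit=new_folders_inherit)
    return root

if __name__ == "__main__":
    for inherit in (True, False):
        print(inherit, leaked_leaves(build(inherit), "Joe"))
```

Running `leaked_leaves` for every user after each folder is created gives an administrator a list of folders that are visible only through inheritance, which is the condition the post worries a non-admin will overlook.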
Peter Donker
Veteran Member Posts:4536
04/16/2010 11:21 AM
Hi guys,
Thanks Jason, for chipping in. Jason's correct in his replies. Your use case departs somewhat from the regular logic in that you want users to have their own folder but not be bothered about setting it up while still remaining within one DMX instance and having it set up multiple folders in different subfolders. Now DMX does offer auto create folders with user based permissions. But this can only be done "per DMX instance" and the created folder becomes the root of that module for that user. So there is no mechanism to create Joe's folder under Europe AND Americas at the same time. Instead you'd need to split into 2 instances. Then each DMX can set it up for each geographic region. The auto create sets permissions correctly but you will need to limit the parent's view permission for it to work. So under the page Americas Joe will only see his own files (he doesn't even see any folder structure above). The same happens on the Europe page. An admin can use another instance and see the complete structure.
Anything else will require custom programming.
Peter
omeszar
New Member Posts:20
04/16/2010 1:40 PM
Thanks Peter.
That's what I thought. And as I mentioned in the first reply to Jason, that's what I have done; as I said in my second reply, I thought there might not be a way to do this.
When you say custom programming, is this something that you would need to do? Or can I do it myself?
Oscar
omeszar
New Member Posts:20
04/16/2010 1:45 PM
Peter,
One thing that might work for this client better is to not automatically inherit permissions. For this client it would be better to have less than more; that way people can't by accident give permission to the wrong folder. Would you consider adding that option as a feature in future releases?
Peter Donker
Veteran Member Posts:4536
05/02/2010 10:34 AM
Hi Oscar,
You mean only admins then have access to the subfolder plus the user?
Peter