Access rule when user is in two groups on same level

Moderators: mandville, PhilD, General Support Moderators

Locked
dirk80
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 103
Joined: Sun Jul 01, 2007 7:40 am

Access rule when user is in two groups on same level

Post by dirk80 » Sat Sep 08, 2012 5:10 am

Hi!

I have 10 user groups all on the same level below the manager.
I have 10 categories for articles.
For each category only one of the user group has the right to create, edit, delete, ... the articles.

In the beginning the users were in one user group only. But now they need to have access for two or more categories. As I add a user to second user group of this 10 user groups which are on the same level having access only to one of the categories, they have access to none of the categories.

For my understanding the users who are part of two user groups should have access to two categories.

To me this looks like an error.
Has somebody an idea how to manage this?

Thanks.
Dirk

User avatar
Per Yngve Berg
Joomla! Master
Joomla! Master
Posts: 25166
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Access rule when user is in two groups on same level

Post by Per Yngve Berg » Sat Sep 08, 2012 9:19 am

This is exactly how it should work. Is this a clean install of 2.5 or a migrated site?
There may be a broken assets table that prevents it from working.
http://docs.joomla.org/Fixing_the_assets_table

Enable Debug in Global Configuration. In User Manager, an Access Report Button will appear for each user. Use it to check the users effective rights.

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Access rule when user is in two groups on same level

Post by rcarey » Sat Sep 08, 2012 12:49 pm

Dirk80,

When you set the permissions to allow a user group access to just one category, were you setting the permissions on other categories to denied? If a user belongs to a group where a permission is denied and also belongs to another group that allows that same permission, I've found the the permission will be denied.

If using "deny" is not the issue, ignore this next paragraph. But I suspect that you had to use "deny" because these groups share the parent Manager, and Manager sets the edit positions to "allow" forcing you to explicitly "deny" permissions. There is a better approach. Create a new group to replace "Manager" as the parent to these ten groups. Give this new parent group the permission that these ten groups need to share and no additional permissions (admin/site login, and for Articles allow Access Admin Interface, and add the group to the access level Special). Then for each category, grant the needed permissions for its associated group, but leave the permissions on the other groups set to "inherit" - you should not need to set any permission to "deny."

Your approach to using ten sibling groups, one for each category, is the role-based approach I recommend. And your expectations of how it should work is correct (as Per Yngve Berg asserted).
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions

greg-oz
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 120
Joined: Tue Jan 18, 2011 2:12 am

Re: Access rule when user is in two groups on same level

Post by greg-oz » Mon Sep 10, 2012 11:43 am

dirk80 wrote:Hi!

I have 10 user groups all on the same level below the manager.
I have 10 categories for articles.
For each category only one of the user group has the right to create, edit, delete, ... the articles.

In the beginning the users were in one user group only. But now they need to have access for two or more categories. As I add a user to second user group of this 10 user groups which are on the same level having access only to one of the categories, they have access to none of the categories.

For my understanding the users who are part of two user groups should have access to two categories.

To me this looks like an error.
Has somebody an idea how to manage this?

Thanks.
Dirk
Move all the access levels to be a child of PUBLIC only and then they are totally separated. When you do this and assuming the category and menu assigns are correct, the problem should sort itself out but if you have other things not set correctly it will be a different set of problems.

I have Genre Editors on my sites that can do the editing and so on of their own and others stuff but limited only to one Genre. I have Site Admin staff who can edit any category but if the one person wants to be able to administer two sections, I just add the tick for the other section to their user access level and they can do those two areas and no others.

So, after you have made your access levels all child of PUBLIC, go to the CATEGORY for the menu under which you want these people to have access to more than one area and click on Set Permissions. Under permissions there only the access levels you want to have access should be ENABLED and as public is not allowed to do a thing, then setting your separate access levels to able to Edit Own and EDIT as OK (and anything else you want as OK) will mean people with the tick beside those access levels in their own account access levels will be able to do those things in multiple categories and still read whatever.

I have one user who is a contribiting author so can post under any area he likes, then also is a Science Fiction and Action & Adventure genre editor. In his own account, his access level ticks are "Author", "Sci-fi" and "Action". He cannot edit in any other category unless he posts in there and thus can edit his own but in those two categories he can edit anything anyone posts and he can read and see what is in there from other authors who arent genre editors as well.

The main thing to clear up this confusion is to ENSURE every single access level is a child of PUBLIC and one you have it all working the way you want, you can then see if you really want to complicate it by moving one on top of another. You should understand the easy way first, though.

Hope it helps.

dirk80
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 103
Joined: Sun Jul 01, 2007 7:40 am

Re: Access rule when user is in two groups on same level

Post by dirk80 » Tue Sep 11, 2012 12:10 am

rcarey wrote:Dirk80,

When you set the permissions to allow a user group access to just one category, were you setting the permissions on other categories to denied? If a user belongs to a group where a permission is denied and also belongs to another group that allows that same permission, I've found the the permission will be denied.

If using "deny" is not the issue, ignore this next paragraph. But I suspect that you had to use "deny" because these groups share the parent Manager, and Manager sets the edit positions to "allow" forcing you to explicitly "deny" permissions. There is a better approach. Create a new group to replace "Manager" as the parent to these ten groups. Give this new parent group the permission that these ten groups need to share and no additional permissions (admin/site login, and for Articles allow Access Admin Interface, and add the group to the access level Special). Then for each category, grant the needed permissions for its associated group, but leave the permissions on the other groups set to "inherit" - you should not need to set any permission to "deny."

Your approach to using ten sibling groups, one for each category, is the role-based approach I recommend. And your expectations of how it should work is correct (as Per Yngve Berg asserted).
rcarey,

Yes you were right. Because of the manager I had to set everyone to deny for the other catergories. I moved them to a special group below public as you and greg-oz described and it is working now.

Thanks a lot!!!

User avatar
rcarey
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Sat Apr 25, 2009 9:20 pm
Location: Minnesota (USA)
Contact:

Re: Access rule when user is in two groups on same level

Post by rcarey » Tue Sep 11, 2012 1:55 am

Dirk, Glad my suggestion worked for you, and thanks for confirming my suspicion about the problem.
Randy Carey, the iCue Project http://iCueProject.com : developing an intelligent approach to improving the CMS user experience,
Careytech Studios http://careytech.com custom development for tailored or value-added web solutions


Locked

Return to “Access Control List (ACL) in Joomla! 2.5”