SlideShare una empresa de Scribd logo

Role Based ACL

Descargar como PPTX, PDF
Randy Carey
Randy Carey

A review of the mechanics behind Joomla's ACL, then a discussion as to how one can leverage a role-based access control system through Joomla - to improve the user experience for those managing the website and its content. Please open the tab below to view my NOTES PER SLIDE.

Tecnología
1 de 102
Role-Based ACL to improve content management Randy Carey iCueProject.com
This is the revised 2014 version of my presentation Role-Based ACL. Many of the slides here have been slightly changed to accommodate annotations. This helps to convey meaning beyond the pictures.
My current work is with the iCueProject.com. Here we see the problem of the CMS is that it provides only one interface to be used by two different types of users…
A better approach is to provide a separate CMS interface to each of the two user types. Actually, we can do better yet to provide personalized user experiences for each user group. The starting point of doing this is with the ACL – and setting up the ACL with roles.
I’ll start by explaining the ‘mechanics’ of Joomla’s ACL.
Then I’ll explain how permissions are calculated.
Then we can move on to Role-Based. What is it? How is it set up?
I’ll show how roles allow to create a personalized user experience
Then I’ll show how to set it up in Joomla.
Then I’ll reference a few tools that make this process easier
ACL Mechanics
Groups are the foundation of Joomla’s ACL. They know only their name and which other group is its parent. They don’t know about any other parts of the ACL or of Joomla. Simple. Yet this allow us to create a rich expression of roles through custom hierarchies.
Users are connected to the ACL by assigning them to groups. This is the only direct connection they have with the ACL. Each user can be associated to any number of groups and in any combination.
Next we look at what I call “resources.” These are the other parts of Joomla that connect to the ACL. Technically, these are not part of the ACL – they connect to the ACL system only by referencing it.
Currently, permissions are provided only by the site configuration, by components (and their categories/items), and by modules. Menu items and plugins do not implement permissions. Permissions are part of the ACL, but it is the responsibility of the resource to provide a list of “actions” for which the ACL can assign permissions. Unfortunately, in some cases, developers don’t do this.
Another thing to note… For each resource, the permissions screen automatically presents us with the set of user groups currently held by the ACL. And within each of these user groups is the set of actions that the resource declares. So permissions are always within the context of the resource first, then within each of the groups, and finally (within each group) assigned per action.
In contrast to permissions, all resources reference access levels. Also in contrast to permissions, each resource references one-and-only-one access level.
Each access level simply defines some set of groups. If any person belongs to any of the groups selected by that access level item, Then that person is included by this access item. So for any resource, the ACL evaluates if the current user is included by that Resource’s access level. If so, then the user has access to the resource. If not, then the user does not have access.
Note: a better term for this item is access list – as its role is to provide a formula that determines which users that are included (having access). These do not confer “level,” and that term is an unfortunate carry-over from the ACL in 1.5.
One more look at the ACL diagram.
ACL permissions personalization When we think of ACL we probably think “permissions.” but “permissions is Just one side of the coin. The other side is “personalization.” Next we’ll discuss permissions. But later we will talk about personalization.
Permissions (& actions)
Permissions (& actions) Permissions are managed by the ACL, but for logical reasons, the component is responsible for three things. Let’s look at those…
Permissions (& actions) 1 For permissions to apply to a component, that component must declare a list of actions relevant for it and its data. Below you see the traditional/core actions (create, delete, edit, etc.)
Permissions (& actions) 1 But many developers can do better by offering actions specific to the component’s type and data. Shown to the left here are the rich set of actions provided by EasyBlog.
Permissions (& actions) 1 2 The component is responsible for offering ACL at the desired level of granularity: component, category, and item. The ACL cannot force a component to implement permissions – even at the component level. Frustratingly, some developers don’t offer any permissions on their extension!
Permissions (& actions)rc 1 2 3 enforce result It is the component’s responsibility to enforce permissions and to enforce them correctly. The ACL can only respond as to whether or not the current user has permission, but the ACL itself cannot enforce the permission.
calculating permission Now we look at how the ACL calculates a permission.
1. for a particular action
1. for a particular action 2. Each of the user’s groups The ACL considers each group to which the user belongs. Keep in mind that if a user belongs to a group with a parent, then the ACL assumes the user belongs to each parent group tracing back to Public. In this example, belonging to B1 also includes user group B.
The formula is simple. FIRST: Consider the permission settings for each group to which the user belongs – without considering where that group falls within the group hierarchy.
THEN: Evaluate the set of permission settings (in any order) • If all the permissions are set to Inherit, the result is deny. • If at least one permission is Allow but none are Deny, the result is allow. • If any one of the permissions is Deny, the result is deny – regardless of any other Allows that might be present. A single Deny anywhere results in deny.
1. for a particular action 2. Each of the user’s groups 3. For extension, category, & object The same applies to when we need to include the permissions on categories and objects. Just look at the permission settings of each of the user’s groups at each level: component, category, and object.
1. for a particular action 2. Each of the user’s groups 3. For extension, category, & object Rely on the same formula: • All Inherits is deny. • One or more Allow is allow • A single Deny cancels all Allows and results in deny
So let’s look a permission calculcations from a different data model…
If the component level is set to Allow and nothing is set on the category or object… All items are allowed. All new items are allowed. All new items in a new category will be allowed.
If the component level is not set… All items allowed – even new items within this category. No items are allowed – new items will not be allowed. Selected items are allowed – other are not allowed and new items will not be allowed
All items denied – even new items within this category. The Denied items are denied, but All other items and those that are created later will be allowed All items denyed – even new items within this category. Even an Allow on the item will not undo the Deny on the category. When the component is allowed by a Deny is set inside it…
ACL Manager is a great tool for helping you see the results of your ACL settings.
RBAC1 Let’s look at how Role-based ACL looks
RBAC1 Users can be assigned to one or more roles. The thin lines denote these connections are easily made or changed Users Roles Permissions The ACL Rules assigns permissions to each role. The thick arrows denote that these do not change often and can demand more technical knowledge to set up.
RBAC1 Joomla accommodates this. If we treat a user group as a role, then we have what we need to implement role-based access control. Users are assigned to one or more roles. Each role is assigned to a set of permissions
1.5 vs 2.5/3.x
1.5 vs 2.5/3.x 1.5 delivered a totem-pole approach to groups. 2.5 allows for sibling groups.
1.5 vs 2.5/3.x 1.5 has a fixed set of groups 2.5 allows us to create groups as we need them… …and to place them wherever we want within the group hierarchy.
1.5 vs 2.5/3.x In 1.5 a user belonged to one place on the ‘totem pole’ of groups. In 2.5 we can assign any user to any combination of groups
1.5 vs 2.5/3.x In 1.5 the permission were pre-assigned are rather fixed for each group In 2.5 a component can declare the actions, and each actin can have its own permissions settings. We can set a permission as we want: on whichever actions for whichever groups.
1.5 vs 2.5/3.x Since 2.5 we can set permissions at the category and object levels.
1.5 vs 2.5/3.x And the new ACL allows developers to declare a rich set of actions that are specific to the component.
1.5 vs 2.5/3.x Whereas the old ACL gave us only 3 access levels …that imposed levels (no sibling items) ...and we could not change In the new ACL we have real access lists …we create as many as we want …each item is a sibling (no imposed levels) …we can configure each as we want/need
The new ACL offers so much more than the old one did. So why does the 2.5 and 3.x ACL look so similar!?!
1.5 2.5/3.x The new ACL offers so much more than the old one did. But to help users understand the ACL, the out-of-the-box configuration mimicked what users knew from 1.5. …The unintended consequence is that many 2.5 users maintained their 1.5 mindset about the new ACL. But the new ACL was not meant to be limited to that!
1.5 2.5/3.x role-based The role-based approach exploits the new features of Joomla’s ACL and it leads us to a different look.
What does a role-based system look like just enough
What does a role-based system look like isolated and typically non-overlapping
What does a role-based system look like assigned to more than one role
What does a role-based system look like share the same role
What does a role-based system look like business concept of its roles name, capabilities
Each user can be assigned his own set of roles.
What does a role-based system look like easily added, removed, or transferred among users
What does role-based buy us?
What does role-based buy us? Security – for the client and stake holders principle of least privileges
What does role-based buy us? Usability – for those using the CMS
What does role-based buy us? Flexibility – as staff and staff assignments change over time
What does role-based buy us? Ease of Comprehension – for business people using the CMS A staff person does not have to understand ACL and permissions to quickly and easily assign a person to a role.
Setting up a role-based system
roles permissions personalization Now its time to look at the other side of the coin – using roles to reflect personalization of the user’s experience with the CMS.
Role-Based Joomla! We can leverage roles to reflect what the user sees when logging in to the backend
County Auditor’s dashboard I built a site for a county that had over 20 departments. Each department was represented by a role (user group). When a staff member logged in, she would see the quick links for the department to which she belonged. Here is what the staff for the Auditor/Treasurer would see.
Auditor’s department pages And each link led to a list of items with the filter preset to those of that department’s category.
Auditor’s JCE settings The JCE editor was preset so that its image manager and document manager would give that user access only to the directory dedicated to that department. A user could not add or delete assets only for any department but his own.
County Sheriff’s dashboard Here is the view of the Sheriff’s department, which contains two additional roles.
County Webmaster’s dashboard The person who is a site’s webmaster usually includes multiple administrative roles – including access to site reports.
before after HikaShop product pageOne can use roles to show only the form fields that a user needs to access. This usually takes a little bit of code in a layout override. I am developing a tool that allows a site integrator to configure this per role, without having to code the solution.
Setting up Roles
I first create a base usergroup that grants nothing but access to the backend. All backend roles will extend from this.
Role-based implies: Then I create a user group (white) for each role, and an access level item (red) for each of these role-based user groups. Each of these access level items includes only it’s associated user group.
Typically, a role will be associated with only one component. Set the permissions on this role only for that component and for that role’s user group. Leave all other permissions as inherit.
Create an access level item for each role. For each of these access level items, assign it to include only the corresponding user group.
My preference is to prefix each role-based access level with a tilde ~. It helps me navigate the dropdown list when assigning an access level.
Then I create an admin module of quick links for each role. The access level for each of these access levels is set accordingly.
The admin template uses module positions, so identify the position to use for each of your role-based admin modules.
As a result, one sees only the quick links modules for the roles to which she is assigned.
assignment Often overlooked is the important role of user manager. This itself should be a role, and whoever is assigned it has the power of your ACL in his hands.
User ManagerLet’s make a role for User Manager…
Now, anyone assigned to just the role of User Manager will see this
…and have access to set things like password, a changed email address, user groups, the backend template that a user should see, etc.
Personalization of the client’s user experience is a major part of the work that I’m exploring and developing through the iCue Project.
Areas to personalize  dashboard: personalized links  pre-filtered list  edit screen  edit toolbar  media manager
Dashboard - links
Pre-filtered lists
tailored edit form
tailored edit form This is Form Field Manager, a tool being developed through the iCue Project
Edit Toolbar
iCueProject.com a suite of extentions to provide role-based personalization. to be available through the iCue Project
Role-Based ACL to improve content management Randy Carey iCueProject.com

Recomendados

Improving the CMS User Experience
Improving the CMS User Experience Improving the CMS User Experience
Improving the CMS User Experience Randy Carey
 
How a centralized audit management system transformed our team
How a centralized audit management system transformed our teamHow a centralized audit management system transformed our team
How a centralized audit management system transformed our teamACL Services
 
Data Scientist: The Sexiest Job in the 21st Century
Data Scientist: The Sexiest Job in the 21st CenturyData Scientist: The Sexiest Job in the 21st Century
Data Scientist: The Sexiest Job in the 21st CenturyLyn Fenex
 
data scientist the sexiest job of the 21st century
data scientist the sexiest job of the 21st centurydata scientist the sexiest job of the 21st century
data scientist the sexiest job of the 21st centuryFrank Kienle
 
Powerofwords1
Powerofwords1Powerofwords1
Powerofwords1susanashley
 
10 tips from 4 years of freelancing
10 tips from 4 years of freelancing10 tips from 4 years of freelancing
10 tips from 4 years of freelancingkeithdevon
 
Internet
InternetInternet
Internetyulymar_arambulo_23
 
Hl psychosocial aspects & counseling
Hl psychosocial aspects & counselingHl psychosocial aspects & counseling
Hl psychosocial aspects & counselingLynn Royer
 

Recomendados

Improving the CMS User Experience
Improving the CMS User Experience Improving the CMS User Experience
Improving the CMS User Experience Randy Carey
 
How a centralized audit management system transformed our team
How a centralized audit management system transformed our teamHow a centralized audit management system transformed our team
How a centralized audit management system transformed our teamACL Services
 
Data Scientist: The Sexiest Job in the 21st Century
Data Scientist: The Sexiest Job in the 21st CenturyData Scientist: The Sexiest Job in the 21st Century
Data Scientist: The Sexiest Job in the 21st CenturyLyn Fenex
 
data scientist the sexiest job of the 21st century
data scientist the sexiest job of the 21st centurydata scientist the sexiest job of the 21st century
data scientist the sexiest job of the 21st centuryFrank Kienle
 
Powerofwords1
Powerofwords1Powerofwords1
Powerofwords1susanashley
 
10 tips from 4 years of freelancing
10 tips from 4 years of freelancing10 tips from 4 years of freelancing
10 tips from 4 years of freelancingkeithdevon
 
Internet
InternetInternet
Internetyulymar_arambulo_23
 
Hl psychosocial aspects & counseling
Hl psychosocial aspects & counselingHl psychosocial aspects & counseling
Hl psychosocial aspects & counselingLynn Royer
 
Java coding-conventions
Java coding-conventionsJava coding-conventions
Java coding-conventionsVenky Racha
 
Diana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power pointDiana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power pointdianakhandzhyan
 
UDL at Sovereign Avenue
UDL at Sovereign AvenueUDL at Sovereign Avenue
UDL at Sovereign Avenuecj serdy
 
Wahyu widya
Wahyu widyaWahyu widya
Wahyu widyaNan3d_tp05
 
【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版Ppt【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版PptGina Gu
 
Motivational
MotivationalMotivational
Motivationaljimart4694
 
橙色精美销售模板Ppt
橙色精美销售模板Ppt橙色精美销售模板Ppt
橙色精美销售模板PptGina Gu
 
Becoming familiar with the middle ear
Becoming familiar with the middle earBecoming familiar with the middle ear
Becoming familiar with the middle earLynn Royer
 
Lista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 BLista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 Blepanto77
 
Shubham
ShubhamShubham
Shubhamdepeshsharmax1
 
Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016Fernando García García
 
Assignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my partAssignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my partdebbie14
 
Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3Sylvester Saragih
 
Manajemen tambang materi 3
Manajemen tambang materi 3Manajemen tambang materi 3
Manajemen tambang materi 3Sylvester Saragih
 
ISLAS CANARIAS
ISLAS CANARIASISLAS CANARIAS
ISLAS CANARIASiberiawklasie
 
5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptif5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptifSylvester Saragih
 
Eidn 7-siseidn
Eidn 7-siseidnEidn 7-siseidn
Eidn 7-siseidnliviacalmeida
 
Fantastic trip(t)
Fantastic trip(t)Fantastic trip(t)
Fantastic trip(t)Rejeti Venkateswarlu
 
Shaft plumbing
Shaft plumbingShaft plumbing
Shaft plumbingSylvester Saragih
 
Assignment 4 a2
Assignment 4 a2Assignment 4 a2
Assignment 4 a2debbie14
 
6 Elements_Permissions.pdf
6 Elements_Permissions.pdf6 Elements_Permissions.pdf
6 Elements_Permissions.pdfJeff Smith
 
Elements_Permissions.pdf
Elements_Permissions.pdfElements_Permissions.pdf
Elements_Permissions.pdfJeff Smith
 

Más contenido relacionado

Destacado

Java coding-conventions
Java coding-conventionsJava coding-conventions
Java coding-conventionsVenky Racha
 
Diana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power pointDiana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power pointdianakhandzhyan
 
UDL at Sovereign Avenue
UDL at Sovereign AvenueUDL at Sovereign Avenue
UDL at Sovereign Avenuecj serdy
 
【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版Ppt【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版PptGina Gu
 
橙色精美销售模板Ppt
橙色精美销售模板Ppt橙色精美销售模板Ppt
橙色精美销售模板PptGina Gu
 
Becoming familiar with the middle ear
Becoming familiar with the middle earBecoming familiar with the middle ear
Becoming familiar with the middle earLynn Royer
 
Lista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 BLista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 Blepanto77
 
Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016Fernando García García
 
Assignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my partAssignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my partdebbie14
 
Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3Sylvester Saragih
 
5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptif5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptifSylvester Saragih
 
Assignment 4 a2
Assignment 4 a2Assignment 4 a2
Assignment 4 a2debbie14
 

Destacado (20)

Java coding-conventions
Java coding-conventionsJava coding-conventions
Java coding-conventions
 
Diana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power pointDiana Khandzhyan Speech 104 power point
Diana Khandzhyan Speech 104 power point
 
UDL at Sovereign Avenue
UDL at Sovereign AvenueUDL at Sovereign Avenue
UDL at Sovereign Avenue
 
Wahyu widya
Wahyu widyaWahyu widya
Wahyu widya
 
【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版Ppt【官方正版】红米发布会精华版Ppt
【官方正版】红米发布会精华版Ppt
 
Motivational
MotivationalMotivational
Motivational
 
橙色精美销售模板Ppt
橙色精美销售模板Ppt橙色精美销售模板Ppt
橙色精美销售模板Ppt
 
Becoming familiar with the middle ear
Becoming familiar with the middle earBecoming familiar with the middle ear
Becoming familiar with the middle ear
 
Lista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 BLista de cuentas Kubbu / Intermedio 1 B
Lista de cuentas Kubbu / Intermedio 1 B
 
Shubham
ShubhamShubham
Shubham
 
Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016Curso gestión avanzada de la Innovación I+D+I 2016
Curso gestión avanzada de la Innovación I+D+I 2016
 
Assignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my partAssignment 11 similar products, conventions and channel- my part
Assignment 11 similar products, conventions and channel- my part
 
Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3Uu tambang dan perburuhan materi 3
Uu tambang dan perburuhan materi 3
 
Manajemen tambang materi 3
Manajemen tambang materi 3Manajemen tambang materi 3
Manajemen tambang materi 3
 
ISLAS CANARIAS
ISLAS CANARIASISLAS CANARIAS
ISLAS CANARIAS
 
5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptif5. pengujian hipotesis deskriptif
5. pengujian hipotesis deskriptif
 
Eidn 7-siseidn
Eidn 7-siseidnEidn 7-siseidn
Eidn 7-siseidn
 
Fantastic trip(t)
Fantastic trip(t)Fantastic trip(t)
Fantastic trip(t)
 
Shaft plumbing
Shaft plumbingShaft plumbing
Shaft plumbing
 
Assignment 4 a2
Assignment 4 a2Assignment 4 a2
Assignment 4 a2
 

Similar a Role Based ACL

6 Elements_Permissions.pdf
6 Elements_Permissions.pdf6 Elements_Permissions.pdf
6 Elements_Permissions.pdfJeff Smith
 
Elements_Permissions.pdf
Elements_Permissions.pdfElements_Permissions.pdf
Elements_Permissions.pdfJeff Smith
 
Wellrailed - Be9's Acl9
Wellrailed - Be9's Acl9Wellrailed - Be9's Acl9
Wellrailed - Be9's Acl9breccan
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Lucidworks
 
Elements_Users_and_Groups.pdf
Elements_Users_and_Groups.pdfElements_Users_and_Groups.pdf
Elements_Users_and_Groups.pdfJeff Smith
 
My first zf presentation part two
My first zf presentation part twoMy first zf presentation part two
My first zf presentation part twoisaaczfoster
 
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/Apolicy achieving least privilege access in kubernetes - https://apolicy.io/
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/joanwlevin
 
Attribute-Based Access Control in Symfony
Attribute-Based Access Control in SymfonyAttribute-Based Access Control in Symfony
Attribute-Based Access Control in SymfonyAdam Elsodaney
 
Fastman Permissions Manager
Fastman Permissions ManagerFastman Permissions Manager
Fastman Permissions ManagerFastman
 
Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2Amin Saqi
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infosapdocs. info
 
MOSS2007 Security
MOSS2007 SecurityMOSS2007 Security
MOSS2007 Securitydropkic
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxjuancusa
 
Interview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRMInterview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRMKumari Warsha Goel
 
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records vraopolisetti
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management worldRed Hat
 

Similar a Role Based ACL (20)

6 Elements_Permissions.pdf
6 Elements_Permissions.pdf6 Elements_Permissions.pdf
6 Elements_Permissions.pdf
 
Elements_Permissions.pdf
Elements_Permissions.pdfElements_Permissions.pdf
Elements_Permissions.pdf
 
TrackStudio Permissions
TrackStudio PermissionsTrackStudio Permissions
TrackStudio Permissions
 
Wellrailed - Be9's Acl9
Wellrailed - Be9's Acl9Wellrailed - Be9's Acl9
Wellrailed - Be9's Acl9
 
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
Solr Security: Tips and Tricks and Things You Really Ought to Know - Kevin Co...
 
Elements_Users_and_Groups.pdf
Elements_Users_and_Groups.pdfElements_Users_and_Groups.pdf
Elements_Users_and_Groups.pdf
 
Roles
RolesRoles
Roles
 
My first zf presentation part two
My first zf presentation part twoMy first zf presentation part two
My first zf presentation part two
 
Tableau powerpoint
Tableau powerpointTableau powerpoint
Tableau powerpoint
 
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/Apolicy achieving least privilege access in kubernetes - https://apolicy.io/
Apolicy achieving least privilege access in kubernetes - https://apolicy.io/
 
Attribute-Based Access Control in Symfony
Attribute-Based Access Control in SymfonyAttribute-Based Access Control in Symfony
Attribute-Based Access Control in Symfony
 
Trigger in DBMS
Trigger in DBMSTrigger in DBMS
Trigger in DBMS
 
Fastman Permissions Manager
Fastman Permissions ManagerFastman Permissions Manager
Fastman Permissions Manager
 
Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2Access Control Facilities in Oracle Database 11g r2
Access Control Facilities in Oracle Database 11g r2
 
Authorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.infoAuthorisation Concept In SAP | http://sapdocs.info
Authorisation Concept In SAP | http://sapdocs.info
 
MOSS2007 Security
MOSS2007 SecurityMOSS2007 Security
MOSS2007 Security
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docx
 
Interview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRMInterview Questions For Microsoft Dynamics CRM
Interview Questions For Microsoft Dynamics CRM
 
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
Who Sees What When? Using Dynamic Sharing Rules To Manage Access To Records
 
Opa in the api management world
Opa in the api management worldOpa in the api management world
Opa in the api management world
 

Más de Randy Carey

How Joomla! builds a webpage (annotated)
How Joomla! builds a webpage (annotated)How Joomla! builds a webpage (annotated)
How Joomla! builds a webpage (annotated)Randy Carey
 
Site Migration and Content Strategy
Site Migration and Content StrategySite Migration and Content Strategy
Site Migration and Content StrategyRandy Carey
 
Streamlining the Client's Workflows (in Joomla)
Streamlining the Client's Workflows (in Joomla)Streamlining the Client's Workflows (in Joomla)
Streamlining the Client's Workflows (in Joomla)Randy Carey
 
The 'Client' Template - Illustrated!
The 'Client' Template - Illustrated!The 'Client' Template - Illustrated!
The 'Client' Template - Illustrated!Randy Carey
 
Joomla Modules with Permissions and Front-End Editing
Joomla Modules with Permissions and Front-End EditingJoomla Modules with Permissions and Front-End Editing
Joomla Modules with Permissions and Front-End EditingRandy Carey
 
Improving the Client's User Experience - JAB 2012
Improving the Client's User Experience - JAB 2012Improving the Client's User Experience - JAB 2012
Improving the Client's User Experience - JAB 2012Randy Carey
 
Improving Joomla’s Backend User Experience
Improving Joomla’s Backend User ExperienceImproving Joomla’s Backend User Experience
Improving Joomla’s Backend User ExperienceRandy Carey
 

Más de Randy Carey (7)

How Joomla! builds a webpage (annotated)
How Joomla! builds a webpage (annotated)How Joomla! builds a webpage (annotated)
How Joomla! builds a webpage (annotated)
 
Site Migration and Content Strategy
Site Migration and Content StrategySite Migration and Content Strategy
Site Migration and Content Strategy
 
Streamlining the Client's Workflows (in Joomla)
Streamlining the Client's Workflows (in Joomla)Streamlining the Client's Workflows (in Joomla)
Streamlining the Client's Workflows (in Joomla)
 
The 'Client' Template - Illustrated!
The 'Client' Template - Illustrated!The 'Client' Template - Illustrated!
The 'Client' Template - Illustrated!
 
Joomla Modules with Permissions and Front-End Editing
Joomla Modules with Permissions and Front-End EditingJoomla Modules with Permissions and Front-End Editing
Joomla Modules with Permissions and Front-End Editing
 
Improving the Client's User Experience - JAB 2012
Improving the Client's User Experience - JAB 2012Improving the Client's User Experience - JAB 2012
Improving the Client's User Experience - JAB 2012
 
Improving Joomla’s Backend User Experience
Improving Joomla’s Backend User ExperienceImproving Joomla’s Backend User Experience
Improving Joomla’s Backend User Experience
 

Último

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Último (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Role Based ACL

  • 1. Role-Based ACL to improve content management Randy Carey iCueProject.com
  • 2. This is the revised 2014 version of my presentation Role-Based ACL. Many of the slides here have been slightly changed to accommodate annotations. This helps to convey meaning beyond the pictures.
  • 3. My current work is with the iCueProject.com. Here we see the problem of the CMS is that it provides only one interface to be used by two different types of users…
  • 4. A better approach is to provide a separate CMS interface to each of the two user types. Actually, we can do better yet to provide personalized user experiences for each user group. The starting point of doing this is with the ACL – and setting up the ACL with roles.
  • 5. I’ll start by explaining the ‘mechanics’ of Joomla’s ACL.
  • 6. Then I’ll explain how permissions are calculated.
  • 7. Then we can move on to Role-Based. What is it? How is it set up?
  • 8. I’ll show how roles allow to create a personalized user experience
  • 9. Then I’ll show how to set it up in Joomla.
  • 10. Then I’ll reference a few tools that make this process easier
  • 12.
  • 13. Groups are the foundation of Joomla’s ACL. They know only their name and which other group is its parent. They don’t know about any other parts of the ACL or of Joomla. Simple. Yet this allow us to create a rich expression of roles through custom hierarchies.
  • 14. Users are connected to the ACL by assigning them to groups. This is the only direct connection they have with the ACL. Each user can be associated to any number of groups and in any combination.
  • 15. Next we look at what I call “resources.” These are the other parts of Joomla that connect to the ACL. Technically, these are not part of the ACL – they connect to the ACL system only by referencing it.
  • 16. Currently, permissions are provided only by the site configuration, by components (and their categories/items), and by modules. Menu items and plugins do not implement permissions. Permissions are part of the ACL, but it is the responsibility of the resource to provide a list of “actions” for which the ACL can assign permissions. Unfortunately, in some cases, developers don’t do this.
  • 17. Another thing to note… For each resource, the permissions screen automatically presents us with the set of user groups currently held by the ACL. And within each of these user groups is the set of actions that the resource declares. So permissions are always within the context of the resource first, then within each of the groups, and finally (within each group) assigned per action.
  • 18. In contrast to permissions, all resources reference access levels. Also in contrast to permissions, each resource references one-and-only-one access level.
  • 19. Each access level simply defines some set of groups. If any person belongs to any of the groups selected by that access level item, Then that person is included by this access item. So for any resource, the ACL evaluates if the current user is included by that Resource’s access level. If so, then the user has access to the resource. If not, then the user does not have access.
  • 20. Note: a better term for this item is access list – as its role is to provide a formula that determines which users that are included (having access). These do not confer “level,” and that term is an unfortunate carry-over from the ACL in 1.5.
  • 21. One more look at the ACL diagram.
  • 22. ACL permissions personalization When we think of ACL we probably think “permissions.” but “permissions is Just one side of the coin. The other side is “personalization.” Next we’ll discuss permissions. But later we will talk about personalization.
  • 24. Permissions (& actions) Permissions are managed by the ACL, but for logical reasons, the component is responsible for three things. Let’s look at those…
  • 25. Permissions (& actions) 1 For permissions to apply to a component, that component must declare a list of actions relevant for it and its data. Below you see the traditional/core actions (create, delete, edit, etc.)
  • 26. Permissions (& actions) 1 But many developers can do better by offering actions specific to the component’s type and data. Shown to the left here are the rich set of actions provided by EasyBlog.
  • 27. Permissions (& actions) 1 2 The component is responsible for offering ACL at the desired level of granularity: component, category, and item. The ACL cannot force a component to implement permissions – even at the component level. Frustratingly, some developers don’t offer any permissions on their extension!
  • 28. Permissions (& actions)rc 1 2 3 enforce result It is the component’s responsibility to enforce permissions and to enforce them correctly. The ACL can only respond as to whether or not the current user has permission, but the ACL itself cannot enforce the permission.
  • 29. calculating permission Now we look at how the ACL calculates a permission.
  • 30. 1. for a particular action
  • 31. 1. for a particular action 2. Each of the user’s groups The ACL considers each group to which the user belongs. Keep in mind that if a user belongs to a group with a parent, then the ACL assumes the user belongs to each parent group tracing back to Public. In this example, belonging to B1 also includes user group B.
  • 32. The formula is simple. FIRST: Consider the permission settings for each group to which the user belongs – without considering where that group falls within the group hierarchy.
  • 33. THEN: Evaluate the set of permission settings (in any order) • If all the permissions are set to Inherit, the result is deny. • If at least one permission is Allow but none are Deny, the result is allow. • If any one of the permissions is Deny, the result is deny – regardless of any other Allows that might be present. A single Deny anywhere results in deny.
  • 34. 1. for a particular action 2. Each of the user’s groups 3. For extension, category, & object The same applies to when we need to include the permissions on categories and objects. Just look at the permission settings of each of the user’s groups at each level: component, category, and object.
  • 35. 1. for a particular action 2. Each of the user’s groups 3. For extension, category, & object Rely on the same formula: • All Inherits is deny. • One or more Allow is allow • A single Deny cancels all Allows and results in deny
  • 36. So let’s look a permission calculcations from a different data model…
  • 37. If the component level is set to Allow and nothing is set on the category or object… All items are allowed. All new items are allowed. All new items in a new category will be allowed.
  • 38. If the component level is not set… All items allowed – even new items within this category. No items are allowed – new items will not be allowed. Selected items are allowed – other are not allowed and new items will not be allowed
  • 39. All items denied – even new items within this category. The Denied items are denied, but All other items and those that are created later will be allowed All items denyed – even new items within this category. Even an Allow on the item will not undo the Deny on the category. When the component is allowed by a Deny is set inside it…
  • 40. ACL Manager is a great tool for helping you see the results of your ACL settings.
  • 41. RBAC1 Let’s look at how Role-based ACL looks
  • 42. RBAC1 Users can be assigned to one or more roles. The thin lines denote these connections are easily made or changed Users Roles Permissions The ACL Rules assigns permissions to each role. The thick arrows denote that these do not change often and can demand more technical knowledge to set up.
  • 43. RBAC1 Joomla accommodates this. If we treat a user group as a role, then we have what we need to implement role-based access control. Users are assigned to one or more roles. Each role is assigned to a set of permissions
  • 45. 1.5 vs 2.5/3.x 1.5 delivered a totem-pole approach to groups. 2.5 allows for sibling groups.
  • 46. 1.5 vs 2.5/3.x 1.5 has a fixed set of groups 2.5 allows us to create groups as we need them… …and to place them wherever we want within the group hierarchy.
  • 47. 1.5 vs 2.5/3.x In 1.5 a user belonged to one place on the ‘totem pole’ of groups. In 2.5 we can assign any user to any combination of groups
  • 48. 1.5 vs 2.5/3.x In 1.5 the permission were pre-assigned are rather fixed for each group In 2.5 a component can declare the actions, and each actin can have its own permissions settings. We can set a permission as we want: on whichever actions for whichever groups.
  • 49. 1.5 vs 2.5/3.x Since 2.5 we can set permissions at the category and object levels.
  • 50. 1.5 vs 2.5/3.x And the new ACL allows developers to declare a rich set of actions that are specific to the component.
  • 51. 1.5 vs 2.5/3.x Whereas the old ACL gave us only 3 access levels …that imposed levels (no sibling items) ...and we could not change In the new ACL we have real access lists …we create as many as we want …each item is a sibling (no imposed levels) …we can configure each as we want/need
  • 52. The new ACL offers so much more than the old one did. So why does the 2.5 and 3.x ACL look so similar!?!
  • 53. 1.5 2.5/3.x The new ACL offers so much more than the old one did. But to help users understand the ACL, the out-of-the-box configuration mimicked what users knew from 1.5. …The unintended consequence is that many 2.5 users maintained their 1.5 mindset about the new ACL. But the new ACL was not meant to be limited to that!
  • 54. 1.5 2.5/3.x role-based The role-based approach exploits the new features of Joomla’s ACL and it leads us to a different look.
  • 55. What does a role-based system look like just enough
  • 56. What does a role-based system look like isolated and typically non-overlapping
  • 57. What does a role-based system look like assigned to more than one role
  • 58. What does a role-based system look like share the same role
  • 59. What does a role-based system look like business concept of its roles name, capabilities
  • 60. Each user can be assigned his own set of roles.
  • 61. What does a role-based system look like easily added, removed, or transferred among users
  • 63. What does role-based buy us? Security – for the client and stake holders principle of least privileges
  • 64. What does role-based buy us? Usability – for those using the CMS
  • 65. What does role-based buy us? Flexibility – as staff and staff assignments change over time
  • 66. What does role-based buy us? Ease of Comprehension – for business people using the CMS A staff person does not have to understand ACL and permissions to quickly and easily assign a person to a role.
  • 68. roles permissions personalization Now its time to look at the other side of the coin – using roles to reflect personalization of the user’s experience with the CMS.
  • 69. Role-Based Joomla! We can leverage roles to reflect what the user sees when logging in to the backend
  • 70. County Auditor’s dashboard I built a site for a county that had over 20 departments. Each department was represented by a role (user group). When a staff member logged in, she would see the quick links for the department to which she belonged. Here is what the staff for the Auditor/Treasurer would see.
  • 71. Auditor’s department pages And each link led to a list of items with the filter preset to those of that department’s category.
  • 72. Auditor’s JCE settings The JCE editor was preset so that its image manager and document manager would give that user access only to the directory dedicated to that department. A user could not add or delete assets only for any department but his own.
  • 73. County Sheriff’s dashboard Here is the view of the Sheriff’s department, which contains two additional roles.
  • 74. County Webmaster’s dashboard The person who is a site’s webmaster usually includes multiple administrative roles – including access to site reports.
  • 75. before after HikaShop product pageOne can use roles to show only the form fields that a user needs to access. This usually takes a little bit of code in a layout override. I am developing a tool that allows a site integrator to configure this per role, without having to code the solution.
  • 77. I first create a base usergroup that grants nothing but access to the backend. All backend roles will extend from this.
  • 78.
  • 79. Role-based implies: Then I create a user group (white) for each role, and an access level item (red) for each of these role-based user groups. Each of these access level items includes only it’s associated user group.
  • 80.
  • 81. Typically, a role will be associated with only one component. Set the permissions on this role only for that component and for that role’s user group. Leave all other permissions as inherit.
  • 82. Create an access level item for each role. For each of these access level items, assign it to include only the corresponding user group.
  • 83. My preference is to prefix each role-based access level with a tilde ~. It helps me navigate the dropdown list when assigning an access level.
  • 84. Then I create an admin module of quick links for each role. The access level for each of these access levels is set accordingly.
  • 85. The admin template uses module positions, so identify the position to use for each of your role-based admin modules.
  • 86. As a result, one sees only the quick links modules for the roles to which she is assigned.
  • 87. assignment Often overlooked is the important role of user manager. This itself should be a role, and whoever is assigned it has the power of your ACL in his hands.
  • 88. User ManagerLet’s make a role for User Manager…
  • 89.
  • 90.
  • 91.
  • 92. Now, anyone assigned to just the role of User Manager will see this
  • 93. …and have access to set things like password, a changed email address, user groups, the backend template that a user should see, etc.
  • 94. Personalization of the client’s user experience is a major part of the work that I’m exploring and developing through the iCue Project.
  • 95. Areas to personalize  dashboard: personalized links  pre-filtered list  edit screen  edit toolbar  media manager
  • 99. tailored edit form This is Form Field Manager, a tool being developed through the iCue Project
  • 101. iCueProject.com a suite of extentions to provide role-based personalization. to be available through the iCue Project
  • 102. Role-Based ACL to improve content management Randy Carey iCueProject.com

Notas del editor

  1. As I’ve worked on CMS-based projects over the past few years I’ve come to believe that we should not be giving our end users the same CMs interface that we use to build the site.
  2. I believe we deliver added value when we deliver a CMS experience that is tailored to the needs and capabilities of those who will be maintaining the site and its content. I realize that for some this is an unconventional approach. But I believe it is the rigth thing to do
  3. Groups are related in a tree structure – groups can be independent of other groups. Use to be: arranged linearly as increasing levels, with each group contributing or inheriting to any other group.
  4. Custom groups can be created and added anywhere within the group hierarchy.
  5. User can belong to multiple groups and any combination of groups
  6. Permissions can be set independently per group.
  7. Permissions can be extended to category and object levels.
  8. We are not bound to just the core actions: Extension developers can create a set of specialized actions that are appropriate for that extension.
  9. We can create and configure access list items however we want.
  10. A year ago I built a county website. The county had about 20 different usergroups for its departments and sub-departments. Each backend user is assigned to a usergroup representing a department. As a result, when that person logs in, he or she sees a list of tasks as you see here. Each task is preset to lead to an item or list of items filtered to that department. How does this improve workflow? The user sees only those few links relevant to his/her role. And the user doe not have to navigate through filters each time to find the content to edit. Security is included, of course. But the user of department-specific usergroups improves usability and streamlines the user’s workflow.
  11. Here is an example of the list of articles that the auditor reaches when clicking to see a list of department pages. Prefiltered to show just that departments pages, and every new item is preset to that department’s category.
  12. Even the JCE toolbar is tuned with a profile for each department. For instance, clicking on an insert button (image, document, media), the popup opens to the directory for that department. Workflow is advanced because the user does not have to navigate to his/her directory, and all items uploaded are automatically uploaded to that department’s directory.
  13. Here is an example of the dashboard for anyone belong to the Sheriff’s department. In this case, the sheriff’s department includes a couple of sub departments, so those tasks are grouped accordingly and displayed.
  14. The IT department includes a webmaster and site administrator. We also give this user roles like Security and front page management of announcements, events, and a gallery. Note that even though this is the webmaster, I didn’t give this user full admin access. They have a super admin account to user perchance they need that level of control. But as a webmaster, that user just needs what you see here – nothing displaying that is not needed
  15. By overriding the layout file for the HikaShop products page, I was able the significantly reduce the form’s footprint.
  16. This introduces a new discipline into the field of web development. The first part is what is discovering what is the appropriate user experience for any given client and the staff managing the site. The second part is developing the skill and toolset for building this tailored experience. I acknowledge that this requires extra work from the website developer. But I feel this provides additional value to the client. And in a competitive market, this is an added value that will win business and set your services apart. In this presentation we will be looking at streamlining workflows, and in the latter minutes I would like to demo some of the tools that help us do that.
  17. Evaluate which buttons the user needs – really needs. Maybe we give them something simple like this. --------- On a related note… There is a growing revolution emerging within the fields of content strategy and mobile development. It is a revolt against the idea of giving content managers toolbars for editing content as if it were a Word document. The argument is that content should be separated from form. The end users think they are designing for one platform – the desktop – and as a result the mobile display can suffer – suffer greatly. Not just mobile, but also RSS feeds, and perhaps more. While some tags can help to qualify pieces of content, these should be free of formatting that maybe should be rendered differently on different platforms. The movement says we (site developers) need to train our users that editing content on the web is not the same as editing a Word doc. Don’t give out users that idea, and don’t give them the toolbar to treat content that way. Point here being – we should try to give as few toolbar buttons as we can.