Apr 5, 2011 at 4:44 PM
Edited Apr 5, 2011 at 4:47 PM
Yes I think one of the great strengths of Orchard is how it can naturally be extended to encompass these really big concepts; whilst still providing a simple and effective low-level CMS for day-to-day websites.
Just going back to your OP:
"group users together and assign them common security attributes applicable per group"
Now, Roles already provides this functionality. A Role is effectively a group of Users with a common set of permissions assigned.
What Orchard is lacking in this department, is any concept of "subordinate roles"; by which I mean a hierarchical model of security as you are familiar with in AD.
Now with the system I am implementing, you basically get a PermissionsPart that allows you select from
existing Roles a number of effective Roles that are associated with this part.
Then I have a "PermissiveRelationship" content type. This is composed of the PermissionsPart amongst others, and lets you select a User and any Content Item. So you can establish any number of Roles that will be effective
for the purposes of any operation the user attempts over that content item. (This was all nice and easy to hook into the existing permissions pipeline)
I've basically just finished most of the implementation of this and I'm about to test whether it actually works.
Ok ... that's the first part of the story.
What I'm then planning is to create a "Group" content type. This will also have the PermissionsPart in its composition. You can then relate any number of
users to this group (using a "GroupMembership" content type). Then that Group's effective roles (defined in its PermissionsPart) will be applied to
all users with group membership, for any authorizable activity.
Beyond that; it would be trivial to set up a GroupParent relationship and apply any effective roles hierarchically down the group tree.
And finally, to also be able to attach content items to the Group itself (probably using the original PermissiveRelationship) and group members would get additional effective roles over those items.
Now just for your particular permission example "to have some additional information pertinent to their group memberships, certain things like tabs, links, etc depnding if they are in the HR group, IT group, Accounting group, etc.".
What Orchard currently provides is the concept of Layers. This allows you to show or hide collections of UI elements (implemented as Widgets) based on a set of arbitrary Rule implementations.
It's trivially easy to create, say, a Roles-based rule that will check if the current user is in a particular role. Actually I thought this was built in but I just checked and the built-in security rule is just authenticated/anonymous. I think tho that there
might be an example someone else of a roles-based rule.
So this means you can display any number of UI elements you wish for a particular role. I would have thought that combined with the hierarchical grouped permissions as above, this would enable everything you described.
Your other requirement "Roles and Groups are not optional in the concept" - well this can be up to you, it's very easy to hook into an event when the user gets created and assign a default group and role. I could perhaps consider the possibility of a "Default
Group" setting or some other mechanism to achieve this from the UI. (Actually that's given me an overall awesome idea which fits nicely into some other features I was thinking about ... so yes, that scenario should also happen)
As it stands in Orchard, registered users already have the Authenticated role by default.
The only thing I haven't mentioned here is denial of permissions. The current implementation only allows for
granting permissions; if it's granted anywhere in the chain then it applies full stop, no more checking is performed.
However, there are various ways to hook into the authorization system so you could effectively revoke a permission that had already been granted elsewhere. I'm just not going to complicate things at this stage since that level of control is far, far beyond
my own needs :)