Custom role-based security

Topics: Core, Customizing Orchard
Aug 5, 2012 at 1:04 PM

Hi,

I'm new to Orchard and currently evaluating it to build team management portal for my organization.

The idea of the security system is the following:

- there are many teams in organization

- employee can be a member of several teams 

- employee can be assigned a role in the team: customer, manager, developer; so one user can be a developer on team1, but manager on team2.

- employee can only view the content that belongs to his team(s) and the information from other teams is not visible for him at front-end

- based on the role (manager, or regular developer) the different views of the team's content should be provided, for instance, manager can see all his team's members reports, while developer can only view/edit only his own reports

Is there any way to achieve this using standard modules ?

If no, can you please give me some directions how this can be implemented.

Coordinator
Aug 6, 2012 at 6:46 PM

Yes, this can be handled by Orchard 1.5.1.

Aug 6, 2012 at 9:10 PM
Edited Aug 6, 2012 at 9:11 PM
bertrandleroy wrote:

Yes, this can be handled by Orchard 1.5.1.

Hi Bertrand,
Can you please give more details how this can be done?

My initial thought was to use content item permissions, and enable it for each content type that has to be "secured" for team's access.
Then create the set of roles for each team:
team1 customer
team1 manager
team1 developer
...
teamN customer
teamN manager
teamN developer

Then for each sensitive content item I can restrict certain roles from viewing content item on front-end and editing content on backend.

It might look not the most optimal way, because it results in creating NumberOfTeams*NumberOfTeamRoles roles (for 10 teams and customer, manager, developer roles => 30 unique roles).

Thanks in advance for your help.

Aug 7, 2012 at 10:46 PM

You should be able to handle this using a combination of role permissions (view, edit yours and others content), layer rules (see this page http://docs.orchardproject.net/Documentation/Managing-widgets), and if necessary, content permissions for individual content items.

Greg

Aug 10, 2012 at 8:59 AM

Thank you gkennedy.

I'm not quite sure how layer rules can help me - do the rules support expressions for filtering by role?
As far as I understand they support filtering by URL or authenticated, but not by roles. 


Aug 10, 2012 at 5:23 PM

I think layer rules would only help in the case of widgets.  As far as I know, the content is not placed in a layer.  Even if it was, it would be odd because it only decides whether or not to display.  With your situation, you would want to redirect or give a security message of some type I think.  

Aug 11, 2012 at 12:42 AM

You're right. I assumed that it would be possible to filter authentication by role (something like IsInRole("Dealer") on a widget layer but you can't. Sorry for the misleading comment. I wonder how hard it would be to make a core change to enable something like this?

Coordinator
Aug 11, 2012 at 2:02 AM

Why would you need a core change? Wouldn't this work? http://gallery.orchardproject.net/List/Modules/Orchard.Module.PCG.RoleLayer

Aug 12, 2012 at 3:57 AM

yeah, like that.