Users & Groups

Topics: Administration, General
Apr 5, 2011 at 3:35 PM

Any idea when/if there will be "Groups" in Orchard native code (not module)? Right now, one can create users and assign user role templates but one cannot group users together and assign them common security attributes applicable per group. Any idea?

Apr 5, 2011 at 4:06 PM

I'm working on a set of modules that should enable this (and many other) scenarios.

When you say "Orchard native code" you are actually referring to a whole load of built-in modules that make up Orchard. So there's really little difference between having this as a 3rd-party module or as part of the Orchard package. To be honest, this kind of usage is beyond most people's needs and I'd be surprised if the team wanted this as core functionality any time soon.

What I'm working on is a system of many-to-many content relationships, and then an ability to apply effective roles to users across those relationships. Currently I'm implementing assigning a user effective roles per specific content items, but I'm also planning Group scenarios as an extension from this. So users will receive effective roles from Groups they are assigned to; and the Group in general can be assigned content and users will receive additional effective roles over those items.

Apr 5, 2011 at 5:03 PM
Edited Apr 5, 2011 at 5:35 PM

You might be right that most people who use Orchard for "website" development will not need the Group feature, however, as long as it is a framework for developing cloud apps in Azure then it is a requirement that many will need to organize backend users into more manageable groups. Otherwise there should not be the concept of Users and Roles in the first place. Right now, I am designing UI/UX based on Orchard for use on Azure and the Group feature is a need here, as it will be for many other projects for many people. Azure and multi-tenancy support is something many will take advantage of especially in developing apps usable on the client intranet that goes beyond what "websites" need and requires to be managed not just by users and role templates but groups as well.

Good to know that something along that line is in the works but I'm unsure about the concept you detailed. As an IT manager, I am familiar with Active Directory Users, which during creation MUST be assigned a role, which is totally different from groups. Roles in AD assign a template of user resources to user accounts as they are created and (Security) Groups are basically used to assign shared resource permissions/access control. This is the sort of concept I am trying to convey.

The use case scenario is that, perhaps I create a cloud app where the Staff role can be assigned to employees of a company so that all staff get a uniform landing page, then these employees have to be further narrowed down to have access to some additional information pertinent to their group memberships, certain things like tabs, links, etc. depending on whether they are in the HR group, IT group, Accounting group, etc. While there can also be a Contractors role that can also be further narrowed down to various levels of access such as Partner Level 1 group (that has access to thing 1, 2, & 3), Partner Level 2 group (that has access to thing 1, 2, 3, 4, & 5), etc. so that landing pages and subsequent information can slightly differ based on partner level group.

So basically Roles and Groups are not optional in the concept that I just described because users MUST be assigned roles during creation otherwise they cannot be created, also the default roles at least have membership in the AllUser group (amongst others), which provides access to general access resources available to all.

Apr 5, 2011 at 5:44 PM
Edited Apr 5, 2011 at 5:47 PM

Yes I think one of the great strengths of Orchard is how it can naturally be extended to encompass these really big concepts; whilst still providing a simple and effective low-level CMS for day-to-day websites.

Just going back to your OP:

"group users together and assign them common security attributes applicable per group"

Now, Roles already provides this functionality. A Role is effectively a group of Users with a common set of permissions assigned.

What Orchard is lacking in this department, is any concept of "subordinate roles"; by which I mean a hierarchical model of security as you are familiar with in AD.

Now with the system I am implementing, you basically get a PermissionsPart that allows you to select from existing Roles a number of effective Roles that are associated with this part.

Then I have a "PermissiveRelationship" content type. This is composed of the PermissionsPart amongst others, and lets you select a User and any Content Item. So you can establish any number of Roles that will be effective for the purposes of any operation the user attempts over that content item. (This was all nice and easy to hook into the existing permissions pipeline)

I've basically just finished most of the implementation of this and I'm about to test whether it actually works.

Ok ... that's the first part of the story.

What I'm then planning is to create a "Group" content type. This will also have the PermissionsPart in its composition. You can then relate any number of users to this group (using a "GroupMembership" content type). Then that Group's effective roles (defined in its PermissionsPart) will be applied to all users with group membership, for any authorizable activity.

Beyond that; it would be trivial to set up a GroupParent relationship and apply any effective roles hierarchically down the group tree.

And finally, to also be able to attach content items to the Group itself (probably using the original PermissiveRelationship) and group members would get additional effective roles over those items.

Now just for your particular permission example "to have some additional information pertinent to their group memberships, certain things like tabs, links, etc. depending on whether they are in the HR group, IT group, Accounting group, etc.".

What Orchard currently provides is the concept of Layers. This allows you to show or hide collections of UI elements (implemented as Widgets) based on a set of arbitrary Rule implementations.

It's trivially easy to create, say, a Roles-based rule that will check if the current user is in a particular role. Actually I thought this was built in but I just checked and the built-in security rule is just authenticated/anonymous. I think tho that there might be an example someone else of a roles-based rule.

So this means you can display any number of UI elements you wish for a particular role. I would have thought that combined with the hierarchical grouped permissions as above, this would enable everything you described.

Your other requirement "Roles and Groups are not optional in the concept" - well this can be up to you, it's very easy to hook into an event when the user gets created and assign a default group and role. I could perhaps consider the possibility of a "Default Group" setting or some other mechanism to achieve this from the UI. (Actually that's given me an overall awesome idea which fits nicely into some other features I was thinking about ... so yes, that scenario should also happen)

As it stands in Orchard, registered users already have the Authenticated role by default.

The only thing I haven't mentioned here is denial of permissions. The current implementation only allows for granting permissions; if it's granted anywhere in the chain then it applies full stop, no more checking is performed.

However, there are various ways to hook into the authorization system so you could effectively revoke a permission that had already been granted elsewhere. I'm just not going to complicate things at this stage since that level of control is far, far beyond my own needs :)
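The resolution rules described in the post above (global roles, per-item PermissiveRelationship roles, Group roles inherited down the group tree, and grant-only evaluation), as an added example that is not part of the original post and is not Orchard code. It is a language-neutral model in Python; every name and all sample data are constructed, and applying group-attached content roles to descendant groups is an assumption.

```python
# Constructed model of the design described in this thread; all names are hypothetical.
ROLE_PERMISSIONS = {
    "Authenticated": {"ViewContent"},
    "Staff": {"ViewContent", "ViewStaffPages"},
    "Editor": {"ViewContent", "EditContent"},
    "HRViewer": {"ViewHRRecords"},
}
USER_ROLES = {"alice": {"Authenticated", "Staff"}, "bob": {"Authenticated"}}
# Group -> roles held in its "PermissionsPart", plus an optional parent group.
GROUPS = {
    "Company": {"roles": {"Staff"}, "parent": None},
    "HR": {"roles": {"HRViewer"}, "parent": "Company"},
}
MEMBERSHIPS = {"bob": {"HR"}}  # stands in for "GroupMembership" items
# "PermissiveRelationship": (subject, content item) -> roles effective on that item only.
RELATIONSHIPS = {
    ("user:alice", "page-42"): {"Editor"},
    ("group:HR", "hr-handbook"): {"Editor"},
}

def group_chain(user):
    """Groups the user belongs to plus every ancestor, so roles flow down the tree."""
    seen, todo = set(), list(MEMBERSHIPS.get(user, ()))
    while todo:
        group = todo.pop()
        if group in seen or group not in GROUPS:  # stops on cycles and dangling parents
            continue
        seen.add(group)
        if GROUPS[group]["parent"]:
            todo.append(GROUPS[group]["parent"])
    return seen

def effective_roles(user, item=None):
    """Union of global roles, group roles and roles tied to this content item."""
    roles = set(USER_ROLES.get(user, ()))
    subjects = ["user:" + user]
    for group in group_chain(user):
        roles |= GROUPS[group]["roles"]
        subjects.append("group:" + group)
    if item is not None:
        for subject in subjects:
            roles |= RELATIONSHIPS.get((subject, item), set())
    return roles

def authorize(user, permission, item=None):
    # Grant-only: one granting role anywhere in the chain is enough; nothing can deny.
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in effective_roles(user, item))
```

Because grants only accumulate, listing `effective_roles` per user and item is the way to review what a group membership or relationship actually confers.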

Apr 5, 2011 at 11:27 PM
techieg wrote:

 it is a requirement that many will need to organize backend users into more manageable groups.

I think you are absolutely correct to predict that future users will have the exact sort of expectations/use cases that you've detailed. Filtering (and assigning) access to content based on some sort of schema (hierarchical or not) would be fundamental to any non-brochureware site.

I wonder if you share my personal must-have feature: Command-line access to user access management?

Apr 6, 2011 at 12:33 AM

See workitem: http://orchard.codeplex.com/workitem/17667

Which I am dependent on to be able to control viewing access on regular content.

You can of course already completely customise security on your own routes and controllers if you critically need anything like this.

I just checked and I'm surprised there aren't already commands for role management. But it would be really easy to implement a DefaultOrchardCommandHandler yourself for assignment of roles in Orchard command line. Have a look at some existing implementations to get an idea; for instance you can already create users, you just can't set any roles on them.

Apr 29, 2011 at 11:31 PM

Hey Pete, not sure if you got my message, however I contacted you regarding collaborating with you on these modules.  I really don't want to reinvent the wheel if you're already a ways down this path.  

Apr 30, 2011 at 2:10 AM
Wondering what your preliminary thoughts on the subject were? Are you approaching from a migration issue (moving your users to Orchard) or looking to a more generic implementation? Count me interested in hearing more. thx

Apr 30, 2011 at 2:26 AM

Well I will be migrating existing users, and honestly it sounds like I'm going to need to implement exactly the type of functionality that Pete is describing.  First of all I need a better way of relating content to each other - the container/containable/list concept is nice, but I'm limited to a 1-N relationship where I really need N-N relationships.  

Right now I'm just focusing on getting my content type functionality in place, but I'm quickly going to run into the security permissions limitations.  I basically am going to need very modular permissions. We make a CMS system for school districts, so I'll have a district level content type which can have pages, menus, blogs, etc.  Then there will be a collection of schools (content type) that will each have their own pages, menus, blogs, etc.  Then each teacher can have their own pages, blogs, menus, etc.

So first of all I run into having complex permissions such as: a district admin can edit anything, a school admin can edit anything at their school, a teacher can edit their own stuff, etc.

And that's just at the content level, I would like to make it work in such a way (as Pete mentioned) that people would be able to create/edit layers for the display of content that they have access to edit, etc.

Not sure if there was anything in particular that you wanted me to weigh in on, if so just let me know.

May 1, 2011 at 2:40 AM
I'll be migrating too but my users/groups fit nicely to 1-n so I don't have those headaches.

I'm pretty sure Pete's continued development on the original core issue of this thread. The n-n thing seems to apply to lots of stuff - the Forums Module, for example.

Have you given any thought to the role Google Apps might play? They've a mature, well tested object model for users/groups (Contacts), they have rich, script-able permissions API that addresses both emails and documents. The .NET library makes it possible to drive GA from here. Wouldn't it be fun to see gDocs melded into Orchard - Orchard could become the front-end to gDocs? (or is that the adult beverage talking - gotta cut out these sat night postings)



May 1, 2011 at 2:53 AM
Edited May 1, 2011 at 2:54 AM
justSteve wrote:
I'll be migrating too but my users/groups fit nicely to 1-n so I don't have those headaches.

I'm pretty sure Pete's continued development on the original core issue of this thread. The n-n thing seems to apply to lots of stuff - the Forums Module, for example.

Have you given any thought to the role Google Apps might play? They've a mature, well tested object model for users/groups (Contacts), they have rich, script-able permissions API that addresses both emails and documents. The .NET library makes it possible to drive GA from here. Wouldn't it be fun to see gDocs melded into Orchard - Orchard could become the front-end to gDocs? (or is that the adult beverage talking - gotta cut out these sat night postings)


I'd rather have Office Web Apps in Orchard than Google Docs/Apps which seems to be consumer class to say the least and GDocs is also very incomplete in formatting documents. Here are some examples of its issues compared to same features in Office Web Apps; http://www.eweek.com/c/a/Cloud-Computing/Google-Docs-Microsoft-Word-Web-App-Files-Face-Off-in-Cloud-Comparison-844273/?kc=EWKNLEDP04272011A

May 1, 2011 at 8:01 AM
justSteve wrote:

 Have you given any thought to the role Google Apps might play? They've a mature, well tested object model for users/groups (Contacts), they have rich, script-able permissions API that addresses both emails and documents. The .NET library makes it possible to drive GA from here. Wouldn't it be fun to see gDocs melded into Orchard - Orchard could become the front-end to gDocs? (or is that the adult beverage talking - gotta cut out these sat night postings)


Qmiks Digital Media already had GoogleViewer support but it's just basically embedding rather than proper integration. However there might be some interesting things we can do with the new Media Garden project (http://orchardmediagarden.codeplex.com) as it has a really rich media pipeline that will let us connect to all sorts of feeds and services.

Anyway yes I've continued on the n:n stuff and contacted ldhertert, it's nearly ready and I want to get it up somewhere public asap.