5 Replies Latest reply on Oct 3, 2012 2:31 AM by shreyanakra

    Conflicting Space Permission for Users And Groups

      If I'm a member of two or more groups and the groups' space permissions conflict with each other, how does CS resolve the conflict?

       

      Also, CS will check the space permission of the additionally defined user and group first before checking the "Registered Users" and "Anyone" group. When a match is found in the defined user and group, the checking bails out. Is this correct?

        • Re: Conflicting Space Permission for Users And Groups

          Permissions are handled by recursively building a permission object from the root level where at each level negative permissions are first removed then additive permissions are added. Retrieving the list of negative or additive permissions at each level is done by first getting the anonymous permissions, then the registered user permissions, then the permission explicitly set for that user, and finally the group permissions for all the groups the user belongs to. Merging those lists in that order returns the 'final' user permissions for the given permission type (additive or negative) at that requested level (a community in most cases).

           

           

          So for example if you are a member of two groups, one of which is allowed to view a community and one which isn't, you will be allowed to view the community (since additive checks come last*) so it would trump the negative permission set on the 'blocking' group.

           

           

          Regards,

           

          Bruce Ritchie

           

          * - Well, except for at the root level which has the order inverted since there isn't anything to remove the negative permissions from

           

            • Re: Conflicting Space Permission for Users And Groups

              Merging those lists in that order returns the 'final' user permissions for the given permission type (additive or negative) at that requested level (a community in most cases).

              Then this 'final' user permission at this level is brought forward to the next sub-com and recursed?

               

              Clever design!

               

              * - Well, except for at the root level which has the order inverted since there isn't anything to remove the negative permissions from

              The anyone-registered-user-group flow is inverted as well and becomes group-user-registered-anyone?

                • Re: Conflicting Space Permission for Users And Groups

                  Then this 'final' user permission at this level is brought forward to the next sub-com and recursed?

                   

                  Yes. That's why we say permissions are inherited in Forums and Clearspace - if it's set on one level it's kept for all child levels recursively unless explicitly set otherwise.

                   

                  * - Well, except for at the root level which has the order inverted since there isn't anything to remove the negative permissions from

                  The anyone-registered-user-group flow is inverted as well and becomes group-user-registered-anyone?

                   

                  No, that stays the same. Attempting to set negative permissions at the root level doesn't exactly work quite perfectly anyways (i.e. block then allow in subcommunities), so it's best to stick with allow then block.

                   

                   

                  Regards,

                   

                  Bruce Ritchie
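A small model of the resolution order described in the two replies above, added here as an illustration and not taken from Clearspace's code. The `Level` class, the principal key strings, the `VIEW` permission name and the sample tree are assumptions, and the user is assumed to be logged in.

```python
from dataclasses import dataclass, field

@dataclass
class Level:
    """One community level: principal key -> set of permission names."""
    additive: dict = field(default_factory=dict)
    negative: dict = field(default_factory=dict)

def collect(entries, user, groups):
    """Merge one list in the stated order: anyone, registered, user, groups."""
    keys = ["anyone", "registered", "user:" + user]
    keys += ["group:" + g for g in groups]
    merged = set()
    for key in keys:
        merged |= entries.get(key, set())
    return merged

def effective(path, user, groups):
    """Walk from the root to the requested level, carrying the result forward."""
    perms = set()
    for depth, level in enumerate(path):
        add = collect(level.additive, user, groups)
        neg = collect(level.negative, user, groups)
        if depth == 0:
            perms = add - neg            # root: inverted, add then remove
        else:
            perms = (perms - neg) | add  # below root: remove, then add
    return perms

# Constructed sample tree: root -> "hr" -> "hr/payroll"
ROOT = Level(additive={"registered": {"VIEW"}})
HR = Level(additive={"group:staff": {"VIEW"}},
           negative={"group:contractors": {"VIEW"}})
PAYROLL = Level()  # nothing set here, so it inherits from "hr"

def can_view(groups, path=(ROOT, HR, PAYROLL)):
    """True if the hypothetical user 'alice' ends up with VIEW at the last level."""
    return "VIEW" in effective(list(path), "alice", groups)
```

In this model the deny on `contractors` only takes effect for a user who has no other grant at the same level, which is the case to check when a space is meant to exclude a group.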

                    • Re: Conflicting Space Permission for Users And Groups

                      Thank you much Bruce! That sorts out the confusion.

                       

                      I think I'm gonna write a document explaining this since there seems to be no such document. However, I'll defer it until Jive fix the problem I mentioned in http://clearspace.jivesoftware.com/thread/14645?tstart=0

                      • Re: Conflicting Space Permission for Users And Groups
                        shreyanakra

                        hi,

                         

                        We have a scenario in our company where I'd like to ask for your advice.

                         

                        We have a set of senior leaders and people who report directly to our CEO. Typically they need to be given freedom to navigate from group to group and go through the content therein. This is because of their busy schedules; it is a challenge for community managers and leaders alike to define the groups they will need to be given access to.

                         

                        It will also directly impact the user adoption when we have them participating in the community.

                         

                        Is there a specific combination of user override or user group properties that we can create so that they get free access to view all social groups even though they may not be members on the same? (a bit like how it works for admins, except that they shouldn't get bombarded with moderator/system notifications etc)

                         

                        Also, there may be a handful of secret social groups that are strictly confidential. Can we create an exception list for those, leaving all other groups accessible for leaders?

                         

                        Appreciate all the help you can provide.

                         

                        Thanks,

                        Shreya