Forum OpenACS Q&A: Permissions granularity

Posted by Randy Ferrer on

Hello everyone - I have a question regarding how I can get better granularity out of oacs permissions. Here is what I need to do.

I have a package set up that will be serving various views of data. The first requirement is that a viewer be a regular registered site user and then a member of an application group I created called "data". So far so good. If you are a registered user, but are not a member of data, you can't get into the top level page or anything else.

Now, the next level of permissioning has to occur on the data views themselves. Right now a data view is defined by a pair of tcl/adp pages under the www dir for the data package. So view A is a pair of A.tcl A.adp pages.

In other words: Viewer A is a registered member. Viewer A is a member of the data group, so the viewer can have access to the data pages. Viewer A has privileges to see View A but not View B.

My question is, how do I prevent the viewer from seeing B yet still have access to A? I have tried different things, but nothing has worked, including setting up a privilege and testing for it.

Any assistance will be highly appreciated. Thanks!

Posted by Randy O'Meara on
Hi Randy,

It sounds like what you're trying to do is identify various subgroups of users on a particular application group. One way to do this (you may already know this) is to use relational segments. In order to do that, you have to define the segments, (say) segments A, B, C,... Then you effectively relate users to the application group by creating a relation (represented by a rel_id) between a user, (say) 'a' and segment A.

There are several good and detailed discussions of these concepts buried in the forums. One such thread that describes and provides sample code is the one I created a while back, located at https://openacs.org/forums/message-view?message_id=116231

Randy
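The pattern described in the answer above, as an added example that is not code from this thread or from OpenACS itself: one relational segment per view, a read grant on the view's object to that segment, and a `permission::require_permission` check at the top of each view page. It assumes the "data" application group already exists, that one acs_object per view was created beforehand and its id stored in the package parameters `ViewAObjectId` and `ViewBObjectId` (both assumed names), and that the rel type and segment names (`view_a_rel`, `view_b_rel`) are free to use. The `rel_types::new` and `rel_segments::new` signatures are written from memory of acs-subsite and should be checked against the API browser of your OpenACS version.

```tcl
# Added example, not part of the original thread. Assumes the "data"
# group exists and that ViewAObjectId / ViewBObjectId package parameters
# (assumed names) hold the acs_object id of each view.

# ---- one-time setup: run once, e.g. from the package's after-install proc ----
set package_id    [ad_conn package_id]
set data_group_id [group::get_id -group_name "data"]

# Two membership sub-types: holding one of these relations to the "data"
# group is what puts a user into the matching segment.
foreach {rel_type pretty_name pretty_plural} {
    view_a_rel "View A reader" "View A readers"
    view_b_rel "View B reader" "View B readers"
} {
    # rel_types::new signature assumed; verify in your version's API browser
    rel_types::new -supertype membership_rel -role_two member \
        $rel_type $pretty_name $pretty_plural
}

# Segment = (group, rel_type). The segment is itself a party, so it can be
# granted privileges like any user or group.
# rel_segments::new signature assumed; verify in your version's API browser
set seg_a_id [rel_segments::new -segment_name "View A readers" \
                  -group_id $data_group_id -rel_type view_a_rel]
set seg_b_id [rel_segments::new -segment_name "View B readers" \
                  -group_id $data_group_id -rel_type view_b_rel]

# Grant read on each view's object to the matching segment only.
set view_a_obj [parameter::get -parameter ViewAObjectId -package_id $package_id]
set view_b_obj [parameter::get -parameter ViewBObjectId -package_id $package_id]
permission::grant -party_id $seg_a_id -object_id $view_a_obj -privilege read
permission::grant -party_id $seg_b_id -object_id $view_b_obj -privilege read

# ---- giving user 'a' access to view A (and nothing else) ----
# object_id_one is the group, object_id_two is the user; the rel type
# decides which segment the user lands in.
proc data::grant_view_a {user_id} {
    set data_group_id [group::get_id -group_name "data"]
    relation_add -member_state approved view_a_rel $data_group_id $user_id
}

# ---- in www/A.tcl: gate the page on the view object, not on the group ----
ad_page_contract {
    View A. Only parties holding read on this view's object get past here.
} {
}
# Both checks: a registered member of "data" who holds no view_a_rel
# relation is in the group but not in the segment, so the second check fails.
permission::require_permission -object_id [group::get_id -group_name "data"] \
    -privilege read
permission::require_permission \
    -object_id [parameter::get -parameter ViewAObjectId] -privilege read

# ---- quick check from the developer shell (ds/shell) ----
proc data::can_read_view_a_p {user_id} {
    set view_a_obj [parameter::get -parameter ViewAObjectId]
    # returns 1 for a user added via data::grant_view_a, 0 for a plain
    # "data" member who holds no view_a_rel relation
    return [permission::permission_p -party_id $user_id \
                -object_id $view_a_obj -privilege read]
}
```

The point of granting to the segment rather than to individual users is that revoking access is then a matter of removing the user's `view_a_rel` relation; no per-user permission rows need to be cleaned up, and `permission::permission_p` reflects the change immediately.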

Posted by Randy Ferrer on

Hi Randy - Thanks for the tip on this. I think you point at what I need to do very well. It seems like it should be simple enough. The system should not need more than two levels of permissioning.

- The first is once you are a regular registered member of the site, then you can subscribe to be a member of the data application group. This by itself should permit you only to see the pages within this section of the site which are not considered data views. This is working just fine. In order to see a page that has a data view, you must have read privilege for that view and this is where I'm having the problem. Your description using seg_rels looks like the way to go, so I'll give that a shot.

- Just to be sure I understand what you are saying. I have a subset of users who are members of the data application group. These people are permissioned to access the main page for the data section and other pages not considered views.

- For the views then you suggest creating a segment A for view A, another for view B and then relating users by creating a relation, or are you suggesting creating various roles and then assigning these? Sorry... but I think I'm a bit confused here. This should be easy enough... sigh......

- I'll read your doc thoroughly, but this seems to be quite a bit simpler than what you set out to do in your doc. Maybe not... 😉