Forum OpenACS Q&A: Group composition and permissions hineritance

I used the groups system to model a hierarchical organization, i.e. I created groups one, two and three and then defined a composition relation between one and two and between two and three obtaining a structure like:
one
..two
....three
The application requires that if I grant a privilege to a party on a given group, then that party should hinerit the privilege for all groups which directly or indirectly depend by the granted one.

Unfortunately, contrary to my expectations, the acs_objects get as their context_id the object_id of the subsite and not that of the owning group.

Now I'm seeking the advice of those who know to make the program work as originally designed.

One possible way could be: when granting a privilege to a party also navigate the hierarchical structure and explicitly call acs_permission__grant_permission for all the dependent groups.

I wonder if there is a simpler way. I noticed that there are a couple of functions triggered by an acs_object update, i.e. acs_objects_update_tr and acs_objects_context_id_up_tr. Is it safe to update acs_objects pointing the context_id to the correct group_id to get the work done (i.e. automatically generating the acs_object_context_index)?

I would really appreciate any advice.

Collapse
Posted by Dave Bauer on
So you are saying ( i believe ) that if you grant permission to group three, that groups one and two also should get this permission?

This sounds like a similar issue I worked with on a site with 3 seperate group hierarchies.

The composition_rel works so that members of group three and also members of groups two and one in your example. Also memebers of group two are members of group one.

So if I am not mistaken you want the permissions to inherit in the reverse of how it currently works? That is a permission granted to group one is inherited by groups two and three.

Collapse
Posted by C. R. Oldham on
Claudio,

First, let me caution against modifying the permissions system.  It is a complicated beast fraught with possible performance killers unless you are able to do some serious profiling on your changes.

Don (and others) have spent a huge amount of time optimizing the system.

Let me see if I understand what you are trying to do:  You are modeling a hierarchical structure.  For your test you created groups "one", "two", and "three"  such that placing a party into group "three" essentially places him in groups "one" and "two" as well.

What I don't understand is what you are trying to achieve with permissions.  In the existing system, a permission is a triplet consisting of a privilege, an object, and a party.  So you grant a privilege ON an object TO a party.  That party can be a user or a group.  If you grant the privilege to the group, all members of the group get the privilege.  So, for example, if you granted "read" privilege to group "one", all members of group "three" would have the "read" privilege as well.
I'm thinking that you are suffering some of the same problems I had when wrapping my head around permissions.  Lots of stuff seems "backwards" (like group membership, OpenACS talks about components, so in your example you made group two a component of three and group one a component of two.  Most people would think of creating group one, then create a "subgroup" two and a "subsubgroup" three).  It often helps to think in terms of Venn diagrams and set theory when working with the groups system.

Collapse
Posted by Claudio Pasolini on
Dave,

it is exactly the contrary: if I grant a privilege, let say write, TO a party ON, let say, group one, I want that the party also get the write privilege on the objects two and three.

Unfortunately the groups don't hinerit their permissions by the parent group, but by the object corresponding to the closest subsite.

Collapse
Posted by C. R. Oldham on
Claudio,

I think your statement above indicates a possible misunderstanding (maybe on my part 😊 ). Remember a permission is a *triplet* with one element of the triplet being an object for which the privilege would make sense.  Granting "write" to a party on a *group* has undefined semantics.  What would you be trying to achieve with that?

Collapse
Posted by Dave Bauer on
Groups don't have parents. The comoposition relationship does not represent a hierarchy in that way.

To solve the problem you are referring to I subtyped the group object with my own object type to represent the hierachy of a company. The table for these company groups did include a parent_id column to represent the hierachy. When I created these groups I set the context_id to be the whatever group was set as the parent_id.

This was used to assign who had permission to add and remove members from a group in this case and to see details of am employee.

Collapse
Posted by Tom Jackson on

If you set the context_id of group B to be the object_id/group_id of group A, then in effect, group A is the parent of group B. Any objects that group B can access, group A should also be able to access. This is regardless of whether there is a composition relation between A and B.

What a composition relation will allow you to do is, for instance, you can add members to B (i.e. add a membership_rel of a party to group B), and they will also be members of A (They will have the same type of relationship to A).

Collapse
Posted by Claudio Pasolini on
Thank you all for answering.

I'll try to better clarify the objectives of my application and why I used the groups system.

  • The program is a sort of project planning and control system.
  • Every project is owned by an organizational unit.
  • The organizational units are grouped in a hierarchy.
  • The projects are acs_objects whose context_id points to the owning org unit.
  • A user with write privileges on a group representing the org unit can manage all the corresponding projects.
  • Following the natural hierarchy, a user with a given privilege on a group should get the same privileges on all the groups (and the corresponding projects) down the hierarchy.
In the past I already developed an application implementing the hierarchy using the approach suggested by Dave, but this time I wanted to be smarter making use of the groups system.

Now I understand my error, but I'm searching a way to get the desired effect (make the component groups inherit the privileges of the composite, so as to enable a user to manage the corresponding projects) without too much disruption.

I think I will experiment pointing the context_id of the components groups to the corresponding composite, hoping that the triggers do the right work (they are too difficult for me to grasp) and then I'll tell you the results.