[opencms-dev] General comments on OpenCMS access rights

Zixiong WANG z.wang at sysium.com
Fri Mar 7 18:40:04 CET 2003


Hi,

We are using OpenCMS for implementing a "real life" intranet site. We
appreciate OpenCMS very much in many respects, but its access rights
management seems very limited to us.

OpenCMS's access rights are derived directly from Unix file access
permissions. This is limited because in a Web environment, things are much
more complicated, essentially because for one site (I am not yet talking
about multi-site management), you have administration access (content
management) and Web user access (content consultation), and inside each
population, you can have restricted rights for sub-populations.

For example, there is only one right for "viewing" a resource. But we would
like to distinguish the administration view right from the consultation view
right (forbid a group of administrators from viewing some resources in the
administration interface, while in the published site, part of these
resources are accessible by anonymous users and another part are restricted
to another particular group of users).

On a resource, you can only have ONE owner and ONE group, and rights are
relative to THIS owner and THIS group. So it's very difficult to manage
overlapping groups who have some common rights and some different rights.
(Sure, with group inheritance, we can manage, to some degree, more
complicated situations.)

On other systems, the common practice is to define some RIGHTS on some
RESOURCES for some PEOPLE, where RIGHTS can be our existing "w", "r", "v",
etc., RESOURCES can be one or a set of resources, and PEOPLE can be one
person, a group of persons, etc.

This way, you add one dimension to your rights, which are no longer linear
but in two dimensions (representable in a table):
          write  read  view-admin  view-consul  etc
owner 1   n      y     y           y
owner 2   y      y     n           y
group1    n      n     y           y
group2    n      y     n           y
etc.

In our example, some resources are modified by only one group, some
resources are modified by several groups. Resources managed by each
group can overlap, but can also be different. There can be a central content
validation (for publication) group, but it's possible that for some parts of
the site, they have their own validation group. In the administration
interface, one group can only view resources that it can modify. On the
published site, a part of the site is public, another part is restricted, and
we distinguish two groups of users for the restricted part, with different
rights on the resources inside.

We can't figure out how we can implement all these things with OpenCMS's
native rights management.

Thanks in advance.

--
Zixiong WANG
z.wang at sysium.com
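
The RIGHTS on RESOURCES for PEOPLE model described in the message above, as an added example that is not part of the original post and is not OpenCms code. The four grants on `/intranet/hr` are the rows of the table in the message; the folder paths, the `everyone` pseudo-group, the user `alice`, the default-deny behaviour and the longest-prefix rule are assumptions made for illustration.

```python
from dataclasses import dataclass

RIGHTS = ("write", "read", "view-admin", "view-consul")

@dataclass(frozen=True)
class Subject:
    name: str
    groups: frozenset = frozenset()

    def principals(self):
        # Every subject, logged in or not, also belongs to the assumed "everyone" group.
        own = {f"user:{self.name}"} | {f"group:{g}" for g in self.groups}
        return own | {"group:everyone"}

class Acl:
    """Maps a resource path prefix to {principal: set of rights}; anything not granted is denied."""
    def __init__(self):
        self.entries = {}

    def grant(self, prefix, principal, *rights):
        unknown = set(rights) - set(RIGHTS)
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.entries.setdefault(prefix, {}).setdefault(principal, set()).update(rights)

    def allowed(self, subject, path, right):
        # The longest matching prefix decides, so a sub-folder can carry its own table.
        matches = [p for p in self.entries
                   if path == p or path.startswith(p.rstrip("/") + "/")]
        if not matches:
            return False
        table = self.entries[max(matches, key=len)]
        return any(right in table.get(p, ()) for p in subject.principals())

def build_example_acl():
    acl = Acl()
    # Rows of the table in the message, attached to a constructed folder.
    acl.grant("/intranet/hr", "user:owner1", "read", "view-admin", "view-consul")
    acl.grant("/intranet/hr", "user:owner2", "write", "read", "view-consul")
    acl.grant("/intranet/hr", "group:group1", "view-admin", "view-consul")
    acl.grant("/intranet/hr", "group:group2", "read", "view-consul")
    # Constructed public part of the published site, open to anonymous visitors.
    acl.grant("/public", "group:everyone", "read", "view-consul")
    return acl

if __name__ == "__main__":
    acl = build_example_acl()
    alice = Subject("alice", frozenset({"group1", "group2"}))  # overlapping groups
    for right in RIGHTS:
        print(right, acl.allowed(alice, "/intranet/hr/salaries.html", right))
```

A member of both group1 and group2 receives the union of the two rows, which a single owner plus a single group per resource cannot express.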



