Damian Georgiou wrote:

We have in Active Directory (AD), Users assigned to Groups. Each group is a business unit, i.e.: IT Services, Human Resources, etc.

I need to give these AD groups access to business unit specific workspaces.

e.g.: the IT Services AD group has access to the IT Services Workspace.

Business Units only have access to their workspace and not other business unit workspaces.

You'll have to change the groups directory to use your LDAP back end instead of a simple ZODB directory because CPSLDAPSetup does not do it yet.

Roles need to be set up also using AD. Certain users within a group must have certain Privileges to a workspace.

e.g.: user called Sam has a Reviewer role, users Bruce, John and James have Member roles and user Kate only has Reader role to the specific workspace / business unit they belong to.

Reader can only read content within the workspace. (not necessary but would be nice to have, providing you can revoke rights)
Member: creates content
Reviewer: Approves/Manages/Publishes content created by members in the Workspace

These roles will be created in AD, though I understand that all users get the Member role unless specified, so I only need to create the Reviewer/Manager and Reader Roles?
There will need to be a role type for each business unit also.

Unless you want to change the workflow configuration, do not use new global roles for WSReader/WSReviewer/WSManager. If you have functional groups of users, use the standard local roles interface to make the association WS + Group -> local roles. Local roles associations cannot be stored in AD since they are related to one particular workspace (they are actually stored on the workspace object).

For instance, if you want all the users of the group "Accounting" to get the WorkspaceMember role on a workspace named "Accounting department", go to that workspace and delegate the WorkspaceMember role to the Accounting group.

What is the mapping between AD and CPS in regards to Groups and Roles? Do they need to be the same name or is there a mapping process?

Am I able to give a user from another business unit access to a specific folder within another business unit's workspace?

Sure, you can delegate roles to users as well. But it is more handy to use groups when you have lots of users.

--
Olivier

_______________________________________________
cps-devel mailing list
http://lists.nuxeo.com/mailman/listinfo/cps-devel
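
The arrangement described in the reply above (group membership held in the directory, role delegations stored on the workspace object and inherited by its folders), as an added example that is not part of the original thread and is not CPS or Zope code. It is a simplified model: the `Folder` class, the helper functions and the sample users and groups are constructed for illustration, and the role names other than WorkspaceMember are assumed.

```python
# Simplified model of local-role resolution (illustration only, not the CPS API).
# Group membership comes from the directory; role delegations live on the
# workspace/folder objects and apply to everything below them.

# Constructed sample data standing in for groups read from AD/LDAP.
GROUPS = {
    "IT Services": {"sam", "bruce"},
    "Human Resources": {"john", "james"},
}

class Folder:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}  # "user:<id>" or "group:<id>" -> set of role names

    def delegate(self, principal, role):
        self.local_roles.setdefault(principal, set()).add(role)

def principals_for(user):
    """The user plus every directory group the user belongs to."""
    found = {"user:" + user}
    found.update("group:" + g for g, members in GROUPS.items() if user in members)
    return found

def effective_roles(user, folder):
    """Union of roles delegated to the user's principals here and on all parents."""
    roles, who = set(), principals_for(user)
    while folder is not None:
        for principal, granted in folder.local_roles.items():
            if principal in who:
                roles |= granted
        folder = folder.parent
    return roles

def build_example():
    it_ws = Folder("IT Services Workspace")
    hr_ws = Folder("Human Resources Workspace")
    it_shared = Folder("Shared procedures", parent=it_ws)
    # WS + Group -> local role, stored on the workspace itself.
    it_ws.delegate("group:IT Services", "WorkspaceMember")
    hr_ws.delegate("group:Human Resources", "WorkspaceMember")
    # Assumed role names for the manager and reader cases.
    it_ws.delegate("user:sam", "WorkspaceManager")
    # A user from another business unit gets read access to one folder only.
    it_shared.delegate("user:john", "WorkspaceReader")
    return it_ws, hr_ws, it_shared
```

Because nothing is delegated globally, a user with no delegation on a workspace or its parents ends up with an empty role set there, which is the isolation between business units asked for in the question.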
