Hi Olivier
What do you suggest I use to extract groups out of LDAP, seeing CPSLDAP doesn't support groups yet?
Damian
On 4/13/06, Damian Georgiou <[EMAIL PROTECTED]> wrote:
Thanks for the email Olivier.
So if I understand correctly I could set it up like this:
In AD create a number of groups for each Business Unit.
eg:
Finance Manager
Finance Reviewer
Finance Member
Finance Reader
Finance Contributor
I then assign users to the appropriate groups.
In CPS
I will create a workspace called 'Finance' for example
I assume I can then assign the groups to this workspace.
When you assign a Group, you assign that group a role?
So I can have one group with the ability to create content, and another group with read only access?
Can I search for a user and promote them different rights on a sub workspace?
ie:
Workspace
Finance (everyone has at least reader role)
Software Review Team (promote a person(s) within the reader role to have member role)
Is this possible?
We want the workspace manager to be able to assign / maintain who has access to sub workspaces.
It would be nice to be able to create groups within CPS and search and assign users to that group, however I can't activate write access to Active Directory as the simple action of logging into CPS is enough to delete the user's account, Exchange account etc. (unless there is a workaround for this) so I have the CPSLDAP connection in read only mode.
Thanks Olivier
Damian
Message: 1
Date: Wed, 12 Apr 2006 09:34:49 +0200
From: Olivier Grisel < [EMAIL PROTECTED]>
Subject: [CPS-devel] Re: how to config LDAP with Active Directory.
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Damian Georgiou wrote:
> We have in Active Directory (AD), Users assigned to Groups. Each group
> is a business unit, ie: IT Services, Human Resources etc
>
> I need to give these AD groups access to business unit specific workspaces.
>
> eg: the IT Services AD group has access to the IT Services Workspace.
>
> Business Units only have access to their workspace and not other
> business unit workspaces.
You'll have to change the groups directory to use your LDAP back end instead of
a simple ZODB directory because CPSLDAPSetup does not do it yet.
> Roles need to be set up also using AD. Certain users within a group must
> have certain Privileges to a workspace.
>
> eg: user called Sam has a Reviewer role, users Bruce, John and James
> have Member roles and user Kate only has Reader role to the specific
> workspace / business unit they belong to.
>
> Reader can only read content within the workspace. (not necessary but
> would be nice to have, providing you can revoke rights)
> Member: creates content
> Reviewer: Approves/Manages/Publishes content created by members in the
> Workspace
>
> These roles will be created in AD, though I understand that all users
> get the Member role unless specified so I only need to create the
> Reviewer/Manager and Reader Roles?
> There will need to be a role type for each business unit also.
Unless you want to change the workflow configuration, do not use new global
roles for WSReader/WSReviewer/WSManager. If you have functional groups of
users, use the standard local roles interface to make the association WS + Group
-> local roles. Local roles associations cannot be stored in AD since they are
related to one particular workspace (they are actually stored on the workspace object).
For instance if you want all the users of the group "Accounting" to get the
WorkspaceMember role on a workspace named "Accounting department", go to that
workspace and delegate the WorkspaceMember role to the Accounting group.
> What is the mapping between AD and CPS in regards to Groups and Roles.
> do they need to be the same name or is there a mapping process?
>
> Am I able to give a user from another business unit access to a
> specific folder within another business unit's workspace?
Sure, you can delegate roles to users as well. But it is more handy to use
groups when you have lots of users.
--
Olivier
_______________________________________________ cps-devel mailing list http://lists.nuxeo.com/mailman/listinfo/cps-devel
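The split discussed in this thread (group membership read from a read-only directory, role delegations stored on the workspace) can be sketched as a small model. This is an added example, not CPS or Zope code and not from either poster. The class, the functions, the `user:`/`group:` prefixes, the sample users, the `WorkspaceReader` role name (standing in for the thread's WSReader) and the rule that a sub workspace inherits its parent's delegations are all assumptions made for illustration.

```python
# Illustrative model only: not CPS or Zope code; every name here is hypothetical.

# Constructed sample data: group membership as read from a read-only directory.
DIRECTORY_GROUPS = {
    "Finance Reader": {"kate", "sam", "bruce"},
    "Finance Member": {"sam"},
}


class Workspace:
    """A workspace that stores role delegations on itself, not in the directory."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.local_roles = {}  # principal ("user:x" or "group:y") -> set of roles

    def delegate(self, principal, role):
        self.local_roles.setdefault(principal, set()).add(role)


def principals_for(user, groups):
    """The user plus every directory group that lists them."""
    found = {f"user:{user}"}
    found.update(f"group:{g}" for g, members in groups.items() if user in members)
    return found


def effective_roles(user, workspace, groups=DIRECTORY_GROUPS):
    """Union of roles delegated on this workspace and (assumed) its ancestors."""
    principals = principals_for(user, groups)
    roles = set()
    node = workspace
    while node is not None:
        for principal, granted in node.local_roles.items():
            if principal in principals:
                roles |= granted
        node = node.parent
    return roles


# The scenario from the thread: groups get a baseline role on the top workspace,
# and one user is promoted on a sub workspace only.
finance = Workspace("Finance")
review = Workspace("Software Review Team", parent=finance)
finance.delegate("group:Finance Reader", "WorkspaceReader")
finance.delegate("group:Finance Member", "WorkspaceMember")
review.delegate("user:bruce", "WorkspaceMember")
```

In this model, removing a user from a directory group drops the roles that group carried, but a delegation made directly to `user:bruce` stays in force until someone removes it on the workspace, so direct user delegations need their own access review.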
