Hello,
Here's a partial rewrite of sitegroups. Let me know if it makes
any sense. I haven't attempted to use SiteGroups yet so I'm doing this in
the blind.
Unfortunately, I've gotta get ready for work so it's not a completed
document, I marked my start and stop points. Should be able to finish it
by tomorrow or Friday at the latest. SiteGroups definitely looks like a
great solution, I'll incorporate it into my strategy when I finish this
document.
Ron Parker
Mi-Recordz
www.mi-recordz.com
[EMAIL PROTECTED]
<!--Beginning of edits-->
SITEGROUPS
SiteGroups separates the address spaces of a global pool of users who share one
database. Consequently, when users log into specific SiteGroups, it appears as though
they're accessing separate databases. In addition to managing access
privileges, this facilitates the use of one administration interface, which also
reduces the number of persistent database connections.
If Henry owns vmuc.com and vmucentertainment.com, obviously Henry must have
administrative privileges for those Hosts, while it's equally imperative that he's
denied read and write privileges to anything that he doesn't own while using the
Midgard administration tools.
CONFIGURATION
To enable SiteGroups you must specify "--with-sitegroups" during the configuration
process of libmidgard. The configure programs for mod_midgard and midgard-php probe
libmidgard to see if sitegroups are enabled and respond accordingly.
While SiteGroups is designed to be as transparent as possible, the transition to
making your administration tool SiteGroups aware requires the manual
instantiation of sitegroups. You do this by issuing:
INSERT INTO sitegroup (name) VALUES ('sitegroupname');[0]
In order to make the Midgard administration site available to users, its ownership
must be assigned to SiteGroup 0 (SG0). When libmidgard is configured with
"--with-sitegroups" its default state of ownership is SG0. Users that require write
access to the entire Midgard database must be members of SG0.
In order to enable Henry's write permissions within vmuc.com we create the sitegroup
"vmuc.com," add Henry as a user and finally modify the vmuc.com sitegroup to include
him within its membership.
USAGE
When logging into the Midgard administration interface site, the user is prompted to
specify a username@sitegroup. Only root users, members of SG0, can remain in SG0
while logged in. The "sitegroup" field for a host record is used to determine which
records are accessible during the session. Either a specific host or 0 must be
specified. Consequently, when Henry specifies
[EMAIL PROTECTED], midgard-root.php3 queries the sitegroup field in the Midgard database
and determines which records Henry will see in the administration
interface.
<!--End of edits-->
You will want the admin site (all records that build the admin site) and the
root users in SG0. This will make all these records available so the visitor
will be able to use the admin site and all records in the sitegroup he/she
chose to be logged into. The default state of the database after the sitegroup
addition is that all records are SG0.
Since SG0 records are only changeable by root users the visitor will be able to
use all of the admin site but will only see and be able to change resources from
the sitegroup requested (and authenticated for).
Normal midgard 1.2 access control applies. Even if the user can login to the
admin site, if no ownership was assigned then updates will fail just as is the
case now. Creation of host records requires you to be root. When created,
resources will automatically be tagged with the current sitegroup so to create a new
host, simply log on as admin@sitegroupname and everything you create
(including the host record) will be part of that sitegroup.
SiteGroups also introduces the feature of per-sitegroup admin groups. These
users will have unrestricted create and modify access to all resources within
their sitegroup. Root users are automatically admin users for every sitegroup.
The admingroup for a sitegroup is specified in the admingroup table. Both the
group and the person records must be in the sitegroup they're admins for.
Note: multiple, even non-related hosts can be in the same sitegroup.
[0]Where does this take place?
--
This is The Midgard Project's mailing list. For more information,
please visit the project's web site at http://www.midgard-project.org
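Added example (not part of the original message and not Midgard's own code): a small Python model of the isolation rules the draft describes, covering login as username@sitegroup, SG0 records being readable by everyone but writable only by root, per-sitegroup admin groups, and automatic tagging of new records. The class and function names, the sample sitegroups and users, and the behaviour of a root session that stays in SG0 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SG0 = 0  # sitegroup 0: the admin site's own records and the root users

@dataclass(frozen=True)
class Session:
    user: str
    sitegroup: int      # chosen at login via username@sitegroup
    is_root: bool       # member of SG0
    is_sg_admin: bool   # in the sitegroup's admin group (root always is)

@dataclass
class Record:
    name: str
    sitegroup: int
    owner: Optional[str] = None  # stand-in for Midgard 1.2 ownership

def login(name, sitegroups, members, roots, admins):
    """Resolve 'user@sitegroup' to a session; password checking is omitted."""
    user, _, sg_name = name.partition("@")
    sg = SG0 if sg_name == "0" else sitegroups.get(sg_name)
    if sg is None:
        raise PermissionError("unknown sitegroup")
    root = user in roots
    if not root and (sg == SG0 or user not in members.get(sg, set())):
        raise PermissionError("not a member of that sitegroup")
    return Session(user, sg, root, root or user in admins.get(sg, set()))

def can_read(s, r):
    if s.is_root and s.sitegroup == SG0:
        return True  # assumption: root staying in SG0 sees the whole database
    return r.sitegroup in (SG0, s.sitegroup)

def can_write(s, r):
    if not can_read(s, r):
        return False
    if r.sitegroup == SG0:
        return s.is_root  # SG0 records change only for root users
    return s.is_sg_admin or r.owner == s.user

def create(s, name):
    # New records are tagged with the session's sitegroup automatically.
    return Record(name, s.sitegroup, owner=s.user)

# Constructed sample data (not from a real Midgard database).
SITEGROUPS = {"vmuc.com": 1, "example.org": 2}
MEMBERS = {1: {"henry", "vera"}, 2: {"alice"}}
ROOTS = {"admin"}
ADMINS = {1: {"henry"}}
```

The check worth copying into any multi-tenant design is that can_write() refuses anything can_read() refuses, so a record outside the session's sitegroup can never be modified blind.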