Hi Matt, In case you don't know, an explicit allow rule means deny for everyone else. So when you give for instance 'view' rights to Group A to a Space X it means that *only* Group A is allowed to view the pages from space X. Thus if you use allow instead of deny then you can have an user be part of both Group A and B, and she will have access to the set of pages that both groups have.
In any case, removing users from XWikiAllGroup is a sign of bad design. You should not have to do this. All valid users must be part of XWikiAllGroup otherwise you might get into trouble later. Hope this helps, Marius On Thu, Mar 7, 2013 at 9:52 PM, Matt Lamoureux <[email protected]> wrote: > Hi all, > I am having trouble understanding user permissions again. I have Xwiki > set up for LDAP authentication, so any user who signs in gets added to the > XWikiAllGroup. For this example, let's say I have GroupA and GroupB, both > of which have their own sets of protected pages. The way it works now is > that I have to remove each user from XWikiAllGroup and add them to either > GroupA or GroupB. This way, the protected pages are set to deny to anyone > NOT a member of that particular group. > My question is: how can I get a single member of Group A to be > authorized for the GroupB protected pages? I cannot simply add them to > GroupB - they would then not be allowed access to either set of pages > because the deny rules take precedence. I could add them to a third group > called GroupsA&B, but that seems a poor solution, as this would only > increase in complexity in the future. Do I have my architecture of > protected pages set up wrong - is there are more logical way to configure > this? > > Thanks in advance! > - Matt L. > _______________________________________________ > users mailing list > [email protected] > http://lists.xwiki.org/mailman/listinfo/users _______________________________________________ users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
