CG15 Open Space: Umbraco Security Model
During CodeGarden 15 I suggested doing an open space session about the Umbraco Security Model. The minutes from that session can be found here. In this topic I try to summarize the session.
The security model doesn't seem to have been very high on the roadmap of the HQ. Maybe because it is difficult to cater to all types of applications. There is no one model to rule them all.
The biggest change we (as participants of the open space) would like to have in the security model is the ability to use groups next to the user types (==roles) we have now. By having groups, you do not have to repeat settings for every user you add to the system. It was suggested to have the possibility to set rights on the group as well as on the individual user. I personally think that is a bit overkill, but as with everything about this subject it's open for debate (preferably in this topic).
Another point of discussion is the current member model. Should there be a difference between members and users? (Obviously access to the back-office is a differentiator). Members are now in the tree because of the ease of adding properties to them (had to be done in web.config otherwise). Is this still necessary when the member model uses the Identity providers?
Also discussed is if it would be an enhancement when rights could/should be set to fields and/or tabs. The consensus was that rights on tabs would do in most cases.
If something is added to the security model, all the pickers should also take that into account. Perhaps a level of access is needed (view, list, edit, ?). Following this the question was asked if a read only version of a document is a requirement? We all thought that would come in handy.
Groups are on the roadmap, but the fastest way to get it is to do it ourselves (package or pull request). Start out with a package; it can be pulled in by core, or core can be adapted to supply hooks.
We just have to start with it, but it makes sense to get the specs right first. Let's use this topic for that and see if we can set up a workspace next.
Hi Vincent,
I was in the same Open Space discussion. I tried to put my thoughts on paper over here: http://skrift.io/articles/archive/i-have-a-dream-about-user-management-in-umbraco/.
Love to have some feedback from you,
Jeffrey
Hi,
Saw the article and skimmed through it very quickly. Will supply feedback soon. Just need to find some time somewhere.