Thanks for the email Olivier.
So if I understand correctly I could set it up like this:
In AD create a number of groups for each Business Unit.
eg:
Finance Manager
Finance Reviewer
Finance Member
Finance Reader
Finance Contributor
I then assign users to the appropriate groups.
In CPS
I will create a workspace called 'Finance' for example
I assume I can then assign the groups to this workspace.
When you assign a Group, you assign that group a role?
So I can have one group with the ability to create content, and another
group with read only access?
Can I search for a user and promote them different rights on a sub
workspace?
ie:
Workspace
  Finance (everyone has at least reader role)
    Software Review Team (promote a person(s) within the
    reader role to have member role)
Is this possible?
We want the workspace manager to be able to assign / maintain who has access
to sub workspaces.
It would be nice to be able to create groups within CPS and search and
assign users to that group, however I can't activate write access to Active
Directory as the simple action of logging into CPS is enough to delete the
user's account, Exchange account etc. (unless there is a workaround for this),
so I have the CPSLDAP connection in read only mode.
Thanks Olivier
Damian
Message: 1
> Date: Wed, 12 Apr 2006 09:34:49 +0200
> From: Olivier Grisel <ogrisel at nuxeo.com>
> Subject: [CPS-devel] Re: how to config LDAP with Active Directory.
> To: cps-devel at lists.nuxeo.com
> Message-ID: <e1iaiq$f6c$1 at sea.gmane.org>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Damian Georgiou wrote:
>
> > We have in Active Directory (AD), Users assigned to Groups. Each group
> > is a business unit, ie: IT Services, Human Resources etc
> >
> > I need to give these AD groups access to business unit specific
> > workspaces.
> >
> > eg: the IT Services AD group has access to the IT Services Workspace.
> >
> > Business Units only have access to their workspace and not other
> > business unit workspaces.
>
> You'll have to change the groups directory to use your LDAP back end
> instead of a simple ZODB directory because CPSLDAPSetup does not do it yet.
>
> > Roles need to be set up also using AD. Certain users within a group must
> > have certain Privileges to a workspace.
> >
> > e.g.: user called Sam has a Reviewer role, users Bruce, John and James
> > have Member roles and user Kate only has Reader role to the specific
> > workspace / business unit they belong to.
> >
> > Reader can only read content within the workspace. (not necessary but
> > would be nice to have, providing you can revoke rights)
> > Member: creates content
> > Reviewer: Approves/Manages/Publishes content created by members in the
> > Workspace
> >
> > These roles will be created in AD, though I understand that all users
> > get the Member role unless specified so I only need to create the
> > Reviewer/Manager and Reader Roles?
> > There will need to be a role type for each business unit also.
>
> Unless you want to change the workflow configuration, do not use new global
> roles for WSReader/WSReviewer/WSManager. If you have functional groups of
> users, use the standard local roles interface to make the association
> WS + Group -> local roles. Local roles associations cannot be stored in AD
> since they are related to one particular workspace (they are actually stored
> on the workspace object).
>
> For instance if you want all the users of the group "Accounting" to get the
> WorkspaceMember role on a workspace named "Accounting departement", go to
> that workspace and delegate the WorkspaceMember role to the Accounting group.
>
> > What is the mapping between AD and CPS in regards to Groups and Roles?
> > Do they need to be the same name or is there a mapping process?
> >
> > Am I able to give a user from another business unit access to a
> > specific folder within another business unit's workspace?
>
> Sure, you can delegate roles to users as well. But it is more handy to use
> groups when you have lots of users.
>
> --
> Olivier
>
>
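
Added example, not part of the original thread and not CPS or Zope code: a simplified Python model of the setup discussed above, with AD groups kept read-only and role delegations stored on each workspace. It assumes delegations made on a workspace also apply additively to its sub workspaces; the group names, user names, helper functions and the WorkspaceReader role name are constructed for illustration.

```python
# Simplified model of workspace local roles. Not the CPS/Zope API.

# Constructed, read-only view of AD: group name -> member ids.
AD_GROUPS = {
    "Finance Reader": {"kate", "bruce", "sam"},
    "Finance Member": {"bruce"},
    "IT Services Member": {"john"},
}

class Workspace:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        # Delegations live on the workspace, not in the directory:
        # "group:<name>" or "user:<id>" -> set of role names.
        self.local_roles = {}

    def delegate(self, principal, role):
        self.local_roles.setdefault(principal, set()).add(role)

def principals_of(user):
    """The user plus every AD group the user belongs to."""
    groups = {f"group:{g}" for g, members in AD_GROUPS.items() if user in members}
    return groups | {f"user:{user}"}

def effective_roles(user, ws):
    """Union of roles delegated on ws and on each ancestor (assumed additive)."""
    roles, who = set(), principals_of(user)
    while ws is not None:
        for principal, granted in ws.local_roles.items():
            if principal in who:
                roles |= granted
        ws = ws.parent
    return roles

def build_finance():
    finance = Workspace("Finance")
    finance.delegate("group:Finance Reader", "WorkspaceReader")
    finance.delegate("group:Finance Member", "WorkspaceMember")
    # Sub workspace: promote a single reader to member, no AD write needed.
    review = Workspace("Software Review Team", parent=finance)
    review.delegate("user:kate", "WorkspaceMember")
    return finance, review

if __name__ == "__main__":
    finance, review = build_finance()
    for user in ("kate", "bruce", "john"):
        print(user, sorted(effective_roles(user, finance)),
              sorted(effective_roles(user, review)))
```
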