Hi Olivier

What do you suggest I use to extract groups out of LDAP, seeing CPSLDAP doesn't support groups yet?

Damian

On 4/13/06, Damian Georgiou <bachomp at gmail.com> wrote:
>
> Thanks for the email Olivier.
>
> So if I understand correctly I could set it up like this:
>
> In AD create a number of groups for each Business Unit.
>
> eg:
> Finance Manager
> Finance Reviewer
> Finance Member
> Finance Reader
> Finance Contributor
>
> I then assign users to the appropriate groups.
>
> In CPS
>
> I will create a workspace called 'Finance' for example
>
> I assume I can then assign the groups to this workspace.
>
> When you assign a Group, you assign that group a role?
> So I can have one group with the ability to create content, and another
> group with read only access?
>
> Can I search for a user and promote them different rights on a sub
> workspace?
>
> ie:
>
> Workspace
>     Finance (everyone has at least reader role)
>         Software Review Team (promote a person(s) within the
>         reader role to have member role)
>
> Is this possible?
>
> We want the workspace manager to be able to assign / maintain who has
> access to sub workspaces.
>
> It would be nice to be able to create groups within CPS and search and
> assign users to that group, however I can't activate write access to Active
> Directory as the simple action of logging into CPS is enough to delete the
> user's account, exchange account etc. (unless there is a workaround for this)
> so I have the CPSLDAP connection in read only mode
>
> thanks Olivier
>
> Damian
>
> > Message: 1
> > Date: Wed, 12 Apr 2006 09:34:49 +0200
> > From: Olivier Grisel <ogrisel at nuxeo.com>
> > Subject: [CPS-devel] Re: how to config LDAP with Active Directory.
> > To: cps-devel at lists.nuxeo.com
> > Message-ID: <e1iaiq$f6c$1 at sea.gmane.org>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Damian Georgiou wrote:
> >
> > > We have in Active Directory (AD), Users assigned to Groups. Each group
> > > is a business unit, ie: IT Services, Human Resources etc
> > >
> > > I need to give these AD groups access to business unit specific
> > > workspaces.
> > >
> > > eg: the IT Services AD group has access to the IT Services Workspace.
> > >
> > > Business Units only have access to their workspace and not other
> > > business unit workspaces.
> >
> > You'll have to change the groups directory to use your LDAP back end
> > instead of a simple ZODB directory because CPSLDAPSetup does not do it yet.
> >
> > > Roles need to be set up also using AD. Certain users within a group must
> > > have certain Privileges to a workspace.
> > >
> > > eg: user called Sam has a Reviewer role, users Bruce, John and James
> > > have Member roles and user Kate only has Reader role to the specific
> > > workspace / business unit they belong to.
> > >
> > > Reader can only read content within the workspace. (not necessary but
> > > would be nice to have, providing you can revoke rights)
> > > Member: creates content
> > > Reviewer: Approves/Manages/Publishes content created by members in the
> > > Workspace
> > >
> > > These roles will be created in AD, though I understand that all users
> > > get the Member role unless specified so I only need to create the
> > > Reviewer/Manager and Reader Roles?
> > > There will need to be a role type for each business unit also.
> >
> > Unless you want to change the workflow configuration, do not use new global
> > roles for WSReader/WSReviewer/WSManager. If you have a functional group of
> > users, use the standard local roles interface to make the association
> > WS + Group -> local roles. Local roles associations cannot be stored in AD
> > since they are related to one particular workspace (they are actually stored
> > on the workspace object).
> >
> > For instance if you want all the users of the group "Accounting" to get the
> > WorkspaceMember role on a workspace named "Accounting department", go to that
> > workspace and delegate the WorkspaceMember role to the Accounting group.
> >
> > > What is the mapping between AD and CPS in regards to Groups and Roles?
> > > Do they need to be the same name or is there a mapping process?
> > >
> > > Am I able to give a user from another business unit access to a
> > > specific folder within another business unit's workspace?
> >
> > Sure, you can delegate roles to users as well. But it is more handy to use
> > groups when you have lots of users.
> >
> > --
> > Olivier