Help! (Group+Product access control)

I'm reading the table that shows the behaviours of each option (NA,
Shown, Default, Mandatory) but I can't manage to get it working for what
I want.

What I want is quite simple:

-Product A.
-Groups X, Y, Z, T.

Only members of groups X, Y, Z are able to create bugs on product A.
Only members of groups of X, Y can see and edit all bugs on product A.
(Members of group Z won't see Product A bugs unless they were created by
them.)
Only members of group X have can_confirm rights on bugs of product A.

-Product B.
-Groups X, Y, Z, T.

All groups except T are allowed to read, and change bugs of product B
(but group T has only can_confirm status on them).

Does anybody know how can I do this?

Thanks in advance,

Andrés [ knocte ]

--

Andrés,

2007/3/28, "Andrés G. Aragoneses" :
> What I want is quite simple:

I found that it helps to avoid starting with a set of groups. Instead,
it's often easier to define the groups so that they match what you
want.

You want to
- restrict bug creation, per product
- restrict who may see bugs, per product
- restrict who may confirm bugs, per product

So you'll need a setting on product A like this (similar for product B):
Group ProductA-create: ENTRY/NA/NA/--
Group ProductA-read: --/Mandatory/Mandatory/--
Group ProductA-write: --/NA/NA/CANEDIT
Group ProductA-insiders: --/Default/NA/-- (--/Mandatory/NA/-- is not possible)
Group ProductA-confirm: --/NA/NA/-- and canconfirm (possible
beginning with 3.0)

Then, you can make these new groups inherit your groups X, Y, Z and T
so that permissions get assigned correctly:
ProductA-create inherits members of X, Y and Z
ProductA-read inherits members of X, Y and Z
ProductA-write inherits members of X, Y and Z
ProductA-insiders inherits members of X and Y
ProductA-confirm inherits members of X

Kind regards
Marc

Marc Schumann escribió:
> Andrés,
>
> 2007/3/28, "Andrés G. Aragoneses" :
>> What I want is quite simple:
>
> I found that it helps to avoid starting with a set of groups. Instead,
> it's often easier to define the groups so that they match what you
> want.
>
> You want to
> - restrict bug creation, per product
> - restrict who may see bugs, per product
> - restrict who may confirm bugs, per product
>
> So you'll need a setting on product A like this (similar for product B):
> Group ProductA-create: ENTRY/NA/NA/--
> Group ProductA-read: --/Mandatory/Mandatory/--
> Group ProductA-write: --/NA/NA/CANEDIT
> Group ProductA-insiders: --/Default/NA/-- (--/Mandatory/NA/-- is not
> possible)
> Group ProductA-confirm: --/NA/NA/-- and canconfirm (possible
> beginning with 3.0)
>
> Then, you can make these new groups inherit your groups X, Y, Z and T
> so that permissions get assigned correctly:
> ProductA-create inherits members of X, Y and Z
> ProductA-read inherits members of X, Y and Z
> ProductA-write inherits members of X, Y and Z
> ProductA-insiders inherits members of X and Y
> ProductA-confirm inherits members of X

Hugh, thanks for the guidelines, I've finally managed to do it. However,
I think that this demonstrates that the group access control must be
re-architectured or something like that. It's not maintainable this way,
because I can't do cascade updates on the permissions if I want to, I
must touch every user...

Is there any bug in bugzilla that claims to change the way this is
implemented?

Regards,

Andrés [ knocte ]

--

Andrés,

2007/3/30, "Andrés G. Aragoneses" :
> Hugh, thanks for the guidelines, I've finally managed to do it. However,
> I think that this demonstrates that the group access control must be
> re-architectured or something like that. It's not maintainable this way,
> because I can't do cascade updates on the permissions if I want to, I
> must touch every user...

>
> Is there any bug in bugzilla that claims to change the way this is
> implemented?

this is already implemented. "Inheriting users" means making the
*group* automatically inherit all members of another group. You can do
this on the group editing page. There is no need to edit your users
individually!

Regards
Marc

Hi Marc,

I have a question that is related to this that hopefully you, or
someone else on the list, can answer:

On 3/29/07, Marc Schumann wrote:
> I found that it helps to avoid starting with a set of groups. Instead,
> it's often easier to define the groups so that they match what you
> want.
>
> You want to
> - restrict bug creation, per product
> - restrict who may see bugs, per product
> - restrict who may confirm bugs, per product

We all have these sort of requirements. And I imagine many of us also
have LDAP groups defined (eg "dev team", "support team", etc). Is
there a way in Bugzilla to map an LDAP group to one or more Bugzilla
groups? Eg, given the bugzilla groups "product A", "product A read
only", "product A confirm", I would like the following mappings:

dev team: product A
support team: product A confirm
analysis team: product A
business owners: product A read only
users: product A read only

Note that I've just made those mappings up, I'm sure there are holes
in them - but for the purpose of the exercise, I hope this makes what
I'm looking for clear.

Any thoughts?

cheers,
dim

Dmitri,

2007/3/31, Dmitri Colebatch :
> have LDAP groups defined (eg "dev team", "support team", etc). Is
> there a way in Bugzilla to map an LDAP group to one or more Bugzilla
> groups? Eg, given the bugzilla groups "product A", "product A read

there is currently no way to map an LDAP to one or more Bugzilla
groups. I'd say this would make for a great enhancement, though. If
there isn't an enhancement bug already in place for this, please file
one.

Kind regards
Marc

Help! (Group+Product access control) - Mozilla

Thread: Help! (Group+Product access control)

LinkBack

Tools

Help! (Group+Product access control)

Re: Help! (Group+Product access control)

Re: Help! (Group+Product access control)

Re: Help! (Group+Product access control)

Re: Help! (Group+Product access control)

Re: Help! (Group+Product access control)