Help! (Group+Product access control) - Mozilla

This is a discussion on Help! (Group+Product access control) - Mozilla ; I'm reading the table that shows the behaviours of each option (NA, Shown, Default, Mandatory) but I can't manage to get it working for what I want. What I want is quite simple: -Product A. -Groups X, Y, Z, T. ...

+ Reply to Thread
Results 1 to 6 of 6

Thread: Help! (Group+Product access control)

  1. Help! (Group+Product access control)

    I'm reading the table that shows the behaviours of each option (NA,
    Shown, Default, Mandatory) but I can't manage to get it working for what
    I want.

    What I want is quite simple:

    -Product A.
    -Groups X, Y, Z, T.

    Only members of groups X, Y, Z are able to create bugs on product A.
    Only members of groups of X, Y can see and edit all bugs on product A.
    (Members of group Z won't see Product A bugs unless they were created by
    them.)
    Only members of group X have can_confirm rights on bugs of product A.


    -Product B.
    -Groups X, Y, Z, T.

    All groups except T are allowed to read, and change bugs of product B
    (but group T has only can_confirm status on them).



    Does anybody know how can I do this?

    Thanks in advance,

    Andrés [ knocte ]

    --

  2. Re: Help! (Group+Product access control)

    Andrés,

    2007/3/28, "Andrés G. Aragoneses" :
    > What I want is quite simple:


    I found that it helps to avoid starting with a set of groups. Instead,
    it's often easier to define the groups so that they match what you
    want.

    You want to
    - restrict bug creation, per product
    - restrict who may see bugs, per product
    - restrict who may confirm bugs, per product

    So you'll need a setting on product A like this (similar for product B):
    Group ProductA-create: ENTRY/NA/NA/--
    Group ProductA-read: --/Mandatory/Mandatory/--
    Group ProductA-write: --/NA/NA/CANEDIT
    Group ProductA-insiders: --/Default/NA/-- (--/Mandatory/NA/-- is not possible)
    Group ProductA-confirm: --/NA/NA/-- and canconfirm (possible
    beginning with 3.0)

    Then, you can make these new groups inherit your groups X, Y, Z and T
    so that permissions get assigned correctly:
    ProductA-create inherits members of X, Y and Z
    ProductA-read inherits members of X, Y and Z
    ProductA-write inherits members of X, Y and Z
    ProductA-insiders inherits members of X and Y
    ProductA-confirm inherits members of X

    Kind regards
    Marc

  3. Re: Help! (Group+Product access control)

    Marc Schumann escribió:
    > Andrés,
    >
    > 2007/3/28, "Andrés G. Aragoneses" :
    >> What I want is quite simple:

    >
    > I found that it helps to avoid starting with a set of groups. Instead,
    > it's often easier to define the groups so that they match what you
    > want.
    >
    > You want to
    > - restrict bug creation, per product
    > - restrict who may see bugs, per product
    > - restrict who may confirm bugs, per product
    >
    > So you'll need a setting on product A like this (similar for product B):
    > Group ProductA-create: ENTRY/NA/NA/--
    > Group ProductA-read: --/Mandatory/Mandatory/--
    > Group ProductA-write: --/NA/NA/CANEDIT
    > Group ProductA-insiders: --/Default/NA/-- (--/Mandatory/NA/-- is not
    > possible)
    > Group ProductA-confirm: --/NA/NA/-- and canconfirm (possible
    > beginning with 3.0)
    >
    > Then, you can make these new groups inherit your groups X, Y, Z and T
    > so that permissions get assigned correctly:
    > ProductA-create inherits members of X, Y and Z
    > ProductA-read inherits members of X, Y and Z
    > ProductA-write inherits members of X, Y and Z
    > ProductA-insiders inherits members of X and Y
    > ProductA-confirm inherits members of X


    Hugh, thanks for the guidelines, I've finally managed to do it. However,
    I think that this demonstrates that the group access control must be
    re-architectured or something like that. It's not maintainable this way,
    because I can't do cascade updates on the permissions if I want to, I
    must touch every user...

    Is there any bug in bugzilla that claims to change the way this is
    implemented?

    Regards,

    Andrés [ knocte ]

    --

  4. Re: Help! (Group+Product access control)

    Andrés,

    2007/3/30, "Andrés G. Aragoneses" :
    > Hugh, thanks for the guidelines, I've finally managed to do it. However,
    > I think that this demonstrates that the group access control must be
    > re-architectured or something like that. It's not maintainable this way,
    > because I can't do cascade updates on the permissions if I want to, I
    > must touch every user...
    >
    > Is there any bug in bugzilla that claims to change the way this is
    > implemented?


    this is already implemented. "Inheriting users" means making the
    *group* automatically inherit all members of another group. You can do
    this on the group editing page. There is no need to edit your users
    individually!

    Regards
    Marc

  5. Re: Help! (Group+Product access control)

    Hi Marc,

    I have a question that is related to this that hopefully you, or
    someone else on the list, can answer:

    On 3/29/07, Marc Schumann wrote:
    > I found that it helps to avoid starting with a set of groups. Instead,
    > it's often easier to define the groups so that they match what you
    > want.
    >
    > You want to
    > - restrict bug creation, per product
    > - restrict who may see bugs, per product
    > - restrict who may confirm bugs, per product


    We all have these sort of requirements. And I imagine many of us also
    have LDAP groups defined (eg "dev team", "support team", etc). Is
    there a way in Bugzilla to map an LDAP group to one or more Bugzilla
    groups? Eg, given the bugzilla groups "product A", "product A read
    only", "product A confirm", I would like the following mappings:

    dev team: product A
    support team: product A confirm
    analysis team: product A
    business owners: product A read only
    users: product A read only

    Note that I've just made those mappings up, I'm sure there are holes
    in them - but for the purpose of the exercise, I hope this makes what
    I'm looking for clear.

    Any thoughts?

    cheers,
    dim

  6. Re: Help! (Group+Product access control)

    Dmitri,

    2007/3/31, Dmitri Colebatch :
    > have LDAP groups defined (eg "dev team", "support team", etc). Is
    > there a way in Bugzilla to map an LDAP group to one or more Bugzilla
    > groups? Eg, given the bugzilla groups "product A", "product A read


    there is currently no way to map an LDAP to one or more Bugzilla
    groups. I'd say this would make for a great enhancement, though. If
    there isn't an enhancement bug already in place for this, please file
    one.

    Kind regards
    Marc

+ Reply to Thread