Joomla! 1.6 Access Control Proposal

Author: Amy Stephen

9/7/2009 [email protected]

EXISTING SITUATION

Joomla! 1.5 Access Control

• One role per User
• System-wide Scope

Four types of permissions:

• System Access
• System Administration
• Content Development
• View Access

Joomla! 1.5 ACL

System Access

Two types:

• Registered – Frontend access only
• Special – Frontend and Administrator Access

Joomla! 1.5 ACL

System Administration

Special Access Level – Ability to log on to the Administrator:

• Manager – Backend Publisher
• Administrator – Users and Extensions
• Super Administrator – + Site Template, Cache, Check-in and Global Configuration

Joomla! 1.5 ACL

Content Development

Three levels of permission:

• Author – Create and Edit what they created
• Editor – + Edit all
• Publisher – Plus Publish

Joomla! 1.5 ACL

View Access

Access Levels:

• Public
• Registered – Logged on
• Special – Backend access

Defined for:

• Categories
• Content
• Menu Items and Modules

GOALS AND OBJECTIVES

Joomla! 1.6 UX Access Control Goals:

Don’t design it poorly.

Don’t make it complicated.

Don’t make something stupid.

No.


Joomla! 1.6 ACL Objectives

System Access

Ability to provide Administrator Access to Frontend users.


Joomla! 1.6 ACL Objectives

System Administration

Ability to set up System Administration Groups and assign permissions that fit organizational roles.

Examples:

• Advertising – Banners
• Designer – Templates and Modules
• Site Developer Team – All Extensions, Modules, Menus

Joomla! 1.6 ACL Objectives

Content Development

Empower organizations to segment Content with Groups and Access Control Rules that fit their needs.

[Diagram: School; Elementary; 1st Grade, 2nd Grade; Administration; Principal]

Joomla! 1.6 ACL Objectives

View Access

Augment View Access Levels to facilitate sharing information based on roles, interest areas, responsibilities, or whatever the needs might be.

• Products – Customers
• Timesheets and Assignments – Employees
• Financials – Accountants

USER MANAGER

Joomla! 1.6 User Manager

Options

Suggest moving Global Configuration – System – User Settings here.

A – Legacy parameters that will continue to be used. Note: The fourth parameter, New User Registration Type, is defined on the Group List page.

B – Suggest adding three new parameters:

• Enable Users as Groups
• Enable Content Creator to Update
• Enable New Group Creation for View Level

The first new option helps with Group Creation when establishing the Access Level for the Frontend.

The second option enables webmasters to decide whether updating is allowed after creation, since updates after publishing have been problematic.

The final option is described in the View Access Level section, and is used to enable creation of new Groups when needed for Access Level in Content development.

User Manager: Users List

A – Remove Groups Column, problematic since Users can be in multiple groups
B – Groups listbox can filter by Groups, including Custom Groups
C – Also, the proposed Members list will display one row per Username / Group

User Manager: Edit User: Groups

User may be a member of multiple Groups. Groups can be added and removed on page. Note: consistent Widget UX object discussed in Group Edit.

User Manager Groups

A – Default User Registration Type
B – System Groups
C – Custom Groups

Joomla! 1.6 User Manager

A – Default User Registration Type

Used to specify the Default value assigned to new Users

Registered is default Legacy value

Remove from Global Configuration.

Joomla! 1.6 User Manager

B – System Groups

Public
• Frontend Visitors
• No Membership Editing
• Can create rules
• Take Action on Assets associated with Public Access Levels
• Exceptions? Concerns?

Registered
• Logged on Users
• No Membership Editing
• Can create rules
• Take Action on Assets associated with Public and Registered Access Levels

Super Administrator
• Full Control
• Cannot delete
• No Rule Editing
• Can manage membership

Do not recommend adding Legacy System Groups: Author, Editor, Publisher, Manager, Administrator due to System Wide capabilities and confusion

CUSTOM GROUPS, ACCESS CONTROL RULES, AND MEMBERS


Joomla! 1.6 ACL Proposed Rules

Group-Action-Asset

Rules define Who? What? and Where?

• Group – Specifies who can perform this action.
• Action – Describes what can be done.
• Asset – Specifies where this Action is allowed.

Examples:

• Administrators Manage Plugins
• Accountants Publish Articles within the Fiscal Category

Joomla! 1.6 ACL Proposed Rules

Group-Action-Asset

Recommended:

System Groups: Public, Published, Super Administrator

Custom Groups: Created, as needed, by Site Developer

In order for Groups to be useful, it is important that the Interface enable Users to create Groups at the point of selection. More later…

Groups define who can do something.


Joomla! 1.6 ACL Proposed Rules

Group-Action-Asset

Recommended:

Access: Login

Content-related: View, Respond, Create, Publish

Publish includes Update, Delete, and Archive

System Administration: Install, Manage, Uninstall

Actions describe what can be done. Extensions can use existing actions or add actions, as needed.


Joomla! 1.6 ACL Proposed Rules

Group-Action-Asset

Recommended:

All Access
• Site (Frontend) Access
• Administrator Access

All Content
• Articles, Banners, Contacts, Contact Form, Comments, Media, Newsfeed, Ratings, and Web Links
• Content Assets can be further specified by Category or Content Item

All Administration

Site Development:
• Global Configuration, Installer, Languages, Menus, Modules, Plugins, Templates

System Management:
• Cache, Check-in, Mass Mail, Messages, Redirect, Users

Assets describe where an Action is allowed.

Content, Menu Item, and Module Assets can further restrict Actions to a Category or Item

Accountants Publish Articles within the Fiscal Category.

Parents View Menu Item Upcoming Events.
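
The Group-Action-Asset rule written as a default-deny check, as an added example that is not part of the original proposal or of Joomla!'s code. The `Rule` fields, treating every visitor as a member of Public, and reading "Apply Rule to Child Objects" as a Category rule reaching the Items below it are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# From the proposal: "Publish includes Update, Delete, and Archive".
IMPLIED_ACTIONS = {"Publish": {"Update", "Delete", "Archive"}}
# From the proposal's Asset list: "All Content" covers these asset types.
ALL_CONTENT = {"Articles", "Banners", "Contacts", "Contact Form", "Comments",
               "Media", "Newsfeed", "Ratings", "Web Links"}

@dataclass(frozen=True)
class Rule:
    group: str                    # who
    action: str                   # what
    asset: str                    # where
    scope: Optional[str] = None   # Category, Menu Item or Module name
    item: Optional[str] = None    # single Content Item inside the scope
    children: bool = True         # assumed meaning of "Apply Rule to Child Objects"

def grants(rule, action, asset, scope=None, item=None):
    """True if this one rule covers the requested action on the requested object."""
    if action != rule.action and action not in IMPLIED_ACTIONS.get(rule.action, ()):
        return False
    if rule.asset != asset and not (rule.asset == "All Content" and asset in ALL_CONTENT):
        return False
    if rule.scope is None:        # rule covers the whole asset type
        return True
    if rule.scope != scope:       # narrowed rule never matches another scope
        return False
    if rule.item is not None:     # rule pinned to exactly one item
        return rule.item == item
    return item is None or rule.children

def is_allowed(user_groups, rules, action, asset, scope=None, item=None):
    """Default deny: some rule held by one of the user's groups must grant it."""
    groups = set(user_groups) | {"Public"}   # assumption: every visitor is in Public
    return any(r.group in groups and grants(r, action, asset, scope, item)
               for r in rules)

# Constructed rule set, built from the rules the proposal gives as examples.
RULES = [
    Rule("Accountants", "Publish", "Articles", scope="Fiscal"),
    Rule("Parents", "View", "Menu Item", scope="Upcoming Events"),
    Rule("Administrators", "Manage", "Plugins"),
    Rule("Public", "View", "Articles", scope="Office", item="External News"),
]
```

Because a user's Groups are unioned before matching, adding a User to one more Group can only widen what they may do; reviewing access therefore means reading every rule of every Group the User belongs to.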


User Manager Group

- Group Name
- Suggest Removing Parent
- Manage ACL Rules Widget
- Manage Group Member Widget
- Proposed Widgets are Edit areas with List, Sort, Filter, Add, and Delete functions.

ACL Rules Widget

Add Rule

1. ACL Rules Widget on Group page.
2. Press Add Rule.
3. Widget slides open exposing Add Rule Form with only the populated Action list box.
4. Select Action.
5. Request sent and Asset list box is populated with entries appropriate for selected Action.
6. Select Asset.
7. If Asset is type of Content, Menu, or Module, a request is sent and the Categories list box populated with entries appropriate for the selected Asset. (Or, Menu Items or Module names).
8. Select Category (Or, Menu Item or Module name).
9. Request sent and the Content Item list box is populated with entries for that Category. The Apply Rule to Child Objects checkbox is presented.
10. Optionally, select Content Item and Apply Rule to Child Objects listbox.
11. Press Add Rule to process change. ACL Rules widget closes.

Delete Rule

1. Sort, Scroll, Filter, or Search for Rule.
2. Press X to the right of the Rule.
3. Respond to Prompt, Apply Rule Removal to Child Objects.

Group Members Widget

Add Member

1. Group Members Widget on Group page.

2. Press Add Member.

3. Widget slides open exposing Add Member Form.

4. Enter Name in Autosuggest Listbox.

5. Select Name.

6. Press Add Member to process change. Group Member Widget closes with added Member.

Delete Member

1. Sort, Scroll, Filter, or Search for Member.

2. Press X to the right of the Member.

3. Widget slides open exposing Add Member Form.

4. Respond to Prompt confirming Delete. Group Member Widget presents without Member.


Rules List

- Good resource to sort by Action, Asset, Category, Item, and Group
- Ex. find all Groups with Web links access

Member List

- Good resource to sort by Username, Name, and Group

VIEW ACCESS LEVEL FOR CONTENT, MENU ITEMS, MODULES


Joomla! 1.6 Access Control

View Access Level

Access Level defines who can View content from the Frontend. In 1.5, default is “Public” and can be changed to “Registered” or “Special.”

Recommendations for Joomla! 1.6:

Build list of Access Level values from the list of System and Custom Group Names.

Default Access Level to Parent value(s). (Remove default in Global Configuration).

Remove Access Column in all List Views since it is no longer required to be a single value. The Access Listbox should remain allowing identification of content for that selected Access Level (Group).


Joomla! 1.6 ACL Proposed Rules

View Access Level

Default Access Level to Parent value(s).

Publish permission required before Access Level can be changed, otherwise, hide this Widget.

View Access Level Widget:

Group(s) Selection and Removal Widget enables search for Group. Multiple Groups can be selected for Access Level.

New Group Creation – Add User Manager Option “Enable New Group Creation for View Level.” If Parameter is activated, Widget should allow the creation of a Group and automatically add a View Access Rule for the current Object. The Widget should also enable search and selection of Group Members. Note: Use Group Member Widget with Group Name field.

If additional changes are desired for the new Group, those changes should be made in the User Manager to ensure proper access.

This Widget should be available everywhere the Access List selection is required.


USE CASE

Use Case: Elementary School


Joomla! 1.6 ACL Use Case

Design Test

1. Create Categories
2. Create Pages
3. Create Users
4. Create Groups
5. Assign Members
6. Assign Rules
7. Create Menus
8. Create Menu Items
9. Create Modules
10. Create Templates

[Diagram labels: Elementary; Office; Internal; External; Classroom; News; Showcase; Portfolios Student]

Users and Groups:

• Office Staff – Jean, Sam
• Faculty – Lou, Addison
• The Student – Rainbow
• Parents – Stormy, Skye

| Group | Action | Asset | Category / Item | Members |
|---|---|---|---|---|
| Public | View | Articles | Office External News | |
| | View | Articles | Classroom | |
| | View | Menu Item | Showcase | |
| | View | Menu Item | News | |
| | View | Menu Item | Office | |
| | View | Menu Item | External News | |
| | Respond | Comments | News | |
| Registered | View | Menu Item | News | |
| Super Administrator | | | | Sam |
| Content Administrator | Access | Administrator | | Jean |
| | Publish | All Content | | |
| | Manage | Users | | |
| | Manage | Modules | | |
| | Manage | Template | | |
| Faculty | Access | Administrator | | Lou, Addison |
| | Create | Articles | Internal News | |
| | View | Menu Item | Internal News | |
| Office Staff | Publish | Articles | Office Internal News | Jean, Sam |
| | Publish | Articles | Office External News | |
| | View | Menu Item | Office | |
| Students | Create | Articles | Student | Rainbow |
| | Response | Comment | Student | |
| Parents | Response | Comment | Student | Stormy, Skye |
| Teacher | Publish | Articles | Student | Lou |
| | Response | Comment | Student | |
| | Publish | Articles | News | |

Joomla! 1.6 ACL Use Case

Design Test Conclusion

The proposed design provides for these recommendations:

• The Access Control, Group, Membership Widgets must be flexible, not require page load or visit to another page.
• Widgets must link all information together so that every necessary configuration – be it the Group, Member List, Rules, and even multiple sets of such – is easy to iteratively complete.
• Widgets must be provided to create View Level Access Groups and define Members to create a truly usable interface.

Access Control Custom Groups and Rules are very powerful and flexible. I do not foresee concerns about major limitations. It should be adequate for any custom need I can imagine.

I do have concerns about usability. Even with my very small Use Case, the configuration required to implement the design – on paper – was considerable.

Consider, in Joomla! 1.5:

• Each User could have only one Group.
• Each content Item, Menu, Menu Item and Module could only have one Group, and typically that remained the default Public value.

Consider the difference for Joomla! 1.6:

When Groups, Membership, and three-part Group-Action-Asset Rules are created and applied to cascading layers of Components, Categories, Items, Menus, Menu Items, and Modules.

In short, User Interface will make or break Access Control in Joomla! 1.6.