Thu 10 Sep 2009
Joomla! 1.6 Access Control Design Concepts
Written by Amy Stephen
Your review and feedback are appreciated on the Design Concepts for the Joomla! 1.6 Access Control Improvements. Please review this video, which gives an overview of those ideas, review the presentation material, and leave your comments, questions and concerns below. If you have specific application requirements that you want to ensure are met, take time to share those Use Cases for review. Thanks!

2009-09-10 06:51:40
I hope this will be found in Joomla 1.6.
2009-09-10 07:15:11
To start I'd like to say that it looks so well thought out, more so than we've gotten in using/planning for our site. We love how open it is in being able to accommodate many groups with many different "rules/actions." I know for us one of the most important things is viewing either specific pages, specific menu items, or specific URLs (which I didn't see there and I'm not sure if it's overkill or a worthy add in..) as we include many things into our site not all of which are native to Joomla.
We've been using Juga ACL for our needs, and the system is nice, it takes some learning, but I can't wait until it is built more into Joomla, I feel like it will be easier...(why is that?) We have personally had some trouble getting it to allow or block specific things... (in their defense it is probably due more to our stupidity than the component's shortcomings, don't get me wrong we love it and recommend it to those in need...) and the video here makes it appear easier to allow/deny specific items.
Looking forward to seeing the movement... move... however we are slightly scared that we will once again be searching HIGH and LOW for components that integrate... and having to do all that transfer mumbo jumbo...
2009-09-10 08:15:05
To the core developers. I've worked with phpGACL for quite a while, and what you're trying to do looks like a nice implementation.
An ACL system is hard to learn for the site-administrators though. Wrong settings often are not recognized until it's too late. Therefore, some good tutorials and documentation pieces are as important as a well designed UI.
2009-09-10 08:24:10
Thank you very much Amy.
It's quite a long but useful presentation and I like the example of the elementary school. Would it be possible for us to download the screens used in the video or at least the last few screens (the test case using the school)?
I have nominated you for the Open Source CMS MVP award. Like you said before, there are many other committed contributors.
However, there is only one "Joomla Queen"
2009-09-10 11:51:39
Thank you for putting this review together. I like 1.5 ACL, I think it's simple, works and covers 99% of the cases. I have used other granular ACL systems and my experience is that they tend to confuse users. But hey, that's just me. I know ACL is the next big thing, but I don't really know how much people will use it. I respectfully believe that more focus should be given to other areas that are a-must in a CMS, but Joomla does not have them. For example, a core out-of-the-box taxonomy system, a core out-of-the-box commenting system, support for databases other than MySQL and improved performance. Honestly, I'd rather give up the granular ACL for a gain of 10% of request-response performance. I'm afraid granular ACL will make Joomla even slower. Thank you.
2009-09-10 12:20:12
2009-09-10 12:25:18
Hi,
Sorry about the direct email but the website blocked my comments as spam. Below is what I was commenting!
-----
Looking good
A couple of comments:
1) Terminology. The option names aren't always very clear but the verbal descriptions are better. Would recommend a review.
2) Apply to objects. It wasn't clear what constituted an object, it took me a while to realise it was a content item or "asset".
3) Apply to objects. If each item of content can have custom permissions, then how does that work when groups are edited afterwards and "apply to objects" is selected? Would that overwrite custom settings?
Keep up the good work.
-D
2009-09-10 13:55:30
2009-09-10 14:49:12
Schools having to manage access for hundreds of families with multiple children and grade levels are going to need significant bulk editing capabilities.
2009-09-10 15:06:51
I have a few minor recommendations:
- When you want to "add rule" for example, change the text color to green rather than red. Red is normally associated with "bad", or "delete". In this case you want to "add" something so it should be green
- Similarly, for the check box "apply to child" you should make this a check mark rather than an "x". "x" is usually "don't do, or does not apply" and in this case you want to apply something
Anyway just my 2 cents worth. Other than that, I cannot wait for 1.6 to be released!!!
Sandy
2009-09-10 15:19:39
EXCELLENT Improvements, and long needed organization. I look back at Joomla 1.0 and see how far it has come and where Joomla will go in the future! I love it.
Back to business, I really like the new initiatives and the obvious thought that went into the new Access Control.
I think what you have is great and very easy to understand!
Keep up the good work!
2009-09-10 16:55:00
A question re forums; if I use NinjaBoard will I be able to control access to the different forum categories and forums within categories?
2009-09-10 16:57:18
@Alex - Agree on your remarks about the need for good tutorials and documentation being equally important to a well designed UI. If you are interested in helping with that, the pay is terrible, but the satisfaction coming from knowing how many people you helped is *priceless*.
@John - Thanks, that's nice - don't forget, some people are just more visible. While they are out yacking, others are working.
@Luis Morales - Agree. In fact, I can't think of any other type of system that is more confusing than Access control environments. Now, my understanding is that next up - in 1.7, or 1.8, is a rewrite of com_content, and at that time, those missing features like the Taxonomy will be made available. And, of course, thanks to the Jxtended folks, comments will also be in 1.6. Appreciate your comments - it's even good to know that ACL isn't a priority for some. Big, diverse community!
@Jim Johnson - the trick to the Widget will be creating the same functionality without Ajax, so that those using assistive devices are still able to use the environment. So, that's priority one, but I am really hoping we can also build in a more dynamic widget like described in the video since it certainly helps with what you are pointing out - the frustration that comes from going here and there to do something that seems like it should be simple. Yes, good point on the "out of the box" defaults, it's a comment raised by Andrew Eddie, too, and I think there must be a way to keep what we had in place for those who require nothing additional - and also to open things up for those who need to fine tune. Great comments.
@David White - Good point on language - when UI settles down, consistent terms will be important. Yes, "object" is an "asset" - again, good reminder for settling on, and then sticking to, the same terms. The "apply to child objects" as designed is always a one-time thing. So, if you create a rule on a Category, and "apply to child objects", that rule is then attached to the Category and its children. If you delete the rule on a Category and "apply that change to child objects", all matching rules would be deleted for the children. I don't think (?) there will be a rule change - just a rule add and delete. It's only three options, not an Article, so, I'd recommend dealing with it as Add, Delete, nothing more.
@Dean Peterson - absolutely right on. I was thinking the same thing. Now, Core's job is not to provide for every possible way people need to use Joomla!, but rather to anticipate those needs. So, data structures need to be in place to capture information, and events can be used to trap and respond to actions and conditions in the data. In the case of bulk loading ids and groups, this could be accomplished as an extension and the core would accommodate that nicely.
@Sandy - excellent recommendations. Agree on Green for Add. On the wireframe, I typed an "X" and fonted it bold and red so it was visible; agree on the checkbox. I hope you continue to review interface changes and offer those types of observations. It's helpful.
Thanks everyone! Please feel free to add Use Cases http://tinyurl.com/JUseCases and to keep involved as we move forward.
2009-09-10 17:13:08
Would like to see Mass Mail included in the ACL and maybe have the option of having some groups designated so that any registered user can join. For example, we stream video for high school sports and I'd like a registered user to be able to self select groups from a list so enable groups like football, basketball, soccer, volleyball, motocross, etc. Then we could use the mass mail to send alerts about upcoming events that the registered user is personally interested in seeing.
Really looking forward to 1.6...especially after watching this video.
2009-09-10 17:38:34
2009-09-10 18:21:44
Can I suggest adding another system group called "Guest" which only shows to non-logged in users.
So many times in Joomla 1.5 I have a module or menu item that I only want to show to unregistered users (eg. Register Now!) which makes no sense to show to anyone who is logged in. Users can't understand why we can't hide something from someone who is logged in when it should be so simple. I think a "Guest" system group would solve this nicely. Eg:
- Public (everyone)
- Guest (non-logged in only)
- Registered (logged in only)
- Super Administrators (super admins only)
2009-09-10 19:32:37
Quick questions that I didn't see get addressed in the video though (I may have missed it, my apologies):
1) Can groups be members of other groups? Reasoning behind this is to create groups with basic permissions, and from there build a larger group that includes those groups as members to promote reusability and reduce configuration monotony.
2) Content-Related Actions: Will an "editor" be able to delete/modify with the "Create" permission or will it only be restricted to just add? Since the "Publish" permission will allow the "manager" to make the asset either accessible to the public or just reject it, I am assuming the "Create" permission will allow other actions (such as modify/delete) so that the "editor" can tweak the asset for resubmission, and hence "Create" as a permission may be confusing/misnamed. Thoughts?
Thanks for all the hard work! Nice to see progress on 1.6!
2009-09-11 02:04:44
@vjtemplates - You remind me of the importance of keeping what's simple now, simple in the future. Joomla!'s ACL is largely fuss-free, and that is a *good* thing, isn't it? We need to make sure it stays that way for those who are happy with how it is now. Make sure to pay attention to the Betas, etc., and provide feedback. Thanks.
@Joe - I agree on Guest - let's see if we can do that. Excellent idea and a need mentioned *often.* Thanks!
@Bao Tran - I am recommending not to get into "groups inheriting from groups", (sorry!) at least for this first release. I spoke to that when I recommended removing Parent from Groups. We have two node base structures (Menu and Categories) that the ACL interacts with, seems to me adding a third and building in inheritance is asking for trouble and might be a bit much for a first stab. There's talk about it still, but, I do my best to discourage it for now!
Great comments, thanks all!
2009-09-11 09:07:26
I have 2 remarks:
I don't think you need the 'Apply rule to child objects'. Child objects should inherit their parents behaviour by default and can be overridden if needed.
It looks like all settings are now done in the User Manager. I would also like to see the widgets on the asset form. E.g. the 'category edit form' also needs a widget for viewing/editing the access to that category.
Thanks
2009-09-11 19:28:16
2009-09-11 21:59:22
This is all I could ask for and more.
I have two sites where this kind of ACL is demanded yesterday (of course).
One an artist's resource site, the other a church site. The more complex of the two is the church site as it has all the requirements of the school site used as an example and more in terms of ACL.
I agree strongly with the idea of not, for now if not forever steering clear of groups inheriting from groups. I thought this was a wonderful ability of Linux on my first run at that and created some child groups of existing groups. After a time it seemed they were breeding because I kept adding more and more. I can tell you that when the time came to clean things up it was easier to start all over again than to back out of it. So stick to your guns!
There's enough power in what I see to simulate that ability with a bit of imagination and creativity so that the mess is avoided.
Oh, and the video itself is great. My biggest complaint about Joomla and open source in general, which is 99% of what I use, is the awful, horrible documentation. This video could be with a few re-edits here and there and some reordering a great administrators guide. It's coherent, moves from simple to complex in a step by step easy to understand and grasp way and I came out of it with a good grasp of the topic at hand. Enough, I feel, to at least have a huge head start in the inevitable troubleshooting when I screw up.
ttfn
John
2009-09-11 23:46:04
Create lacks edit capability, but you provide it with a config option. Publish automatically has edit capability, but it can't be taken away. Perhaps it would be more intuitive to have the actions Create, Edit and Publish separated?
Enable New Group Creation from View Level:
I could see a new site admin completely ignoring categories, and instead creating groups only from articles. They would then manually assign every article a group as they create the articles. While appearing straightforward to this admin, and maybe easy to use in this manner, if they ever want to switch to using category permissions (after their site grows a bit) it's going to look like a mess. Not sure if this is good or not.
Also, should category/menu/other objects all have this sort of set-up? That way when I'm creating a new category, I can quickly set-up any related groups.
Uncategorized articles/assets:
Uncategorized articles should have a default group somehow.
Deny Permissions:
Do we need to be able to create groups that deny certain actions?
Apply rule to child objects:
This strikes me as potentially confusing as well. I think a general rule of thumb throughout the ACL set-up should be: "Inherit by default, edit if you want something different."
2009-09-12 17:32:36
Great work. My thoughts have been expressed by others above but I wanted to direct a public comment your way and toward the core team:
Fabulous efforts. Thank you for working on our behalf. Such vision and forethought are what make the Joomla application my #1 CMS.
2009-09-13 16:44:08
Have you considered the idea of having a master list of rules. What I mean is that you would create a rule once and then select which rules would be applied to a specific group. I can see two advantages: you would not have to create the same rule multiple times for different groups; if something changed (e.g., the asset being accessed, the module being used, etc), you wouldn't need to search out and change all identical rules.
I realize it would potentially add one level of complication on the user interface, but maybe not. The user manager would have a place to pick rules and perhaps a widget could be popped up if a new rule needed to be created. It would require that the manager create descriptive rule names, but perhaps Joomla could default the name to something like "Create articles in category Firstgrade", etc.
2009-09-14 01:54:52
The ACL looks like what I've been waiting for since the Mambo days!
2009-09-14 12:01:16
1. Need to allow admins to create groups and add users to multiple groups
2. Need to expand core ACL system to all components, including 3rd party
3. Need more granular options like view only, edit only own content
4. Need integration with Active Directory, maybe a way to add selected AD groups to Joomla + block accounts when user is no longer in AD
5. Need option to add an email address for group
We use Joomla! 1.5 for our company intranet for 2 years and meanwhile until J1.6 will be ready, we decide to use JACL+. So I think something similar with JACL+ would be great to have for Joomla 1.6
Thank you again
2009-09-16 17:10:51
2009-09-17 06:15:23
2009-09-18 12:30:17
Thanks a lot for a wonderful video. I want to contribute to document about ACL but here is the problem I am facing
I downloaded j1.6 but it seems the files which I downloaded are kinda older version and doesn't have a lot of screens which you have described in the.
Can you gimme any idea what am I doing wrong?
Regards
nik
2009-09-19 12:47:53
This is fantastic and I believe that this will empower Joomla to be easily implemented as more sophisticated websites.
Thank you for your hard work on the proposal... 5/5
2009-09-19 14:13:45
I encourage you to get a copy of the nightly Joomla! 1.6 download. Look at what is there, and provide feedback as to what you see as useful and what minor changes could make this feature more useful to you.
Thanks!
2009-09-19 14:15:06
2009-09-20 22:42:28
I would like to give the following suggestions to make ACL more flexible and useful.
1- There should be content viewing control at user level as well as group level.
2- There should be content viewing control on time duration, I mean that particular viewer can see specific content as per schedule, there should be a provision to set schedule with information start and stop of year, date, time, duration, once, daily.
This feature will be helpful to create for schools and examinations etc.
3- As you describe in your presentation about default user registration group, I suggest that we should be able to define different user group registration for different menu items. For example if someone makes registration from customer menu then that user registers under customer group and someone registers from dealer menu then that user should register in dealer group.
4- There should be a user account validity period and before expiry date user will re-validate account and system will send notice before expiry of account.
5- There should be a provision to set access time and period of back end users.
6- There should be an access control activity log to analyze all user activity.
I am not sure how difficult it is to implement these features. These features will make Joomla more secure and useful.
With best wishes.
2009-09-21 19:50:56
Hello, my English is not excellent but I try.
The truth is that we are about a real revolution.
You just said something I'm looking for a long time. TIME to control access to the articles would be the climax to say that Joomla ACLs are really perfect. Would be something so perfect that it does not seem real.
No such control would have it, just Joomla 1.6. And would be another reason to migrate quickly. Took a year hoping that some component incorporates it. And I'm not the only one.
Joomla ACL to have 100% the incorporation of this feature is essential.
2009-09-22 06:17:31
Any ACL would be great but with what you're suggesting I'd be ecstatic! Giving more control and freedom over content is where I'm at and looking for. GOOD STUFF!!!
2009-09-23 11:01:30
For example if our site is a personal site, I want to have a general site with generality for all visitors, and two different views of the site for registered users, some enumerated users that will have a PRIVATE access to this part of the site (read only, or ReadWrite, etc..) and on which they will see content that no other users profile will be able to see (Registered and not registered). The second category being the internet unknown user or company wishing to have further information, for example professional, etc.., but where we do not want to show the last Saturday party pictures.
In my idea the need is to have the possibility to have registered user groups, for which the rights are not only to be able to post, or to modify, but to be able to access full parts of the site, or parts of menu, or articles.
Users when they first register could choose a user category, and then have access to the right part of the site. As well the administrator could add himself a user to which he could give right to have access to the most confidential part of the site.
A validation of users could be optionally requested to administrator. And to avoid robots scanning site a Picture with letters like in this current form could be a great improvement to avoid pollution of our sites with false registered users trying to hack the site.
Hoping that I do not waste your time with this request (If already available - I have not found).
Thanks a lot
And Again Well done for this CMS in general, and the upcoming version in particular.
Kind regards
Stéphane
2009-09-25 10:34:01
2009-09-30 13:04:19
2009-09-30 13:59:36
Very nice work! This was very informative, and incredibly exciting. I am glad to see the granularity of ACL implementation in 1.6.
This will finally give us Joomla! users the tools we need to truly provide robust, effective websites to our clients. I can't wait!!!
2009-11-24 04:15:38
2009-11-26 14:41:00
2009-11-28 05:51:36
2009-12-06 11:21:46
There are plenty of other CMSs using a Permission system ...
just open your eyes and you will see that a study like this one has been done a long long time ago on other systems, just have to copy (like Microsoft did with Mac)..
your system is too complicated..
a simple list of all and check what you want or not, that should be enough
anyway, it is funny to see people being impressed by some revolutionary system that is not loool...
good luck
2009-12-16 19:31:37
Great job!