Managing permissions with categories for a large number of groups
I am currently using the rc1 of version 3.0.
I want to set up a site for a school and would like to achieve the following:
- parents of each class/year have their private forum and file gallery
- other groups like kitchen, management etc. will also have their own private elements.
What I tried to do is:
For each group of the school I set up two tikiwiki groups:
- For the ordinary members, e.g. class1-parents. They should be able to use forum, galleries etc.
- For the administrators of that group, e.g. class1-parents-admins. They should be able to administrate the forum, galleries etc. of that school group (but not others).
What I wanted to avoid is to assign individual permissions to each forum, gallery etc. for the groups. So I tried the following:
- Assigned global permissions to the groups. E.g. class1-parents may use the forum and class1-parents-admins may admin the forum.
- Set up categories like class1-parents and categorised forums, galleries etc. accordingly.
- Assigned permission to categories for the groups, e.g. for category class1-parents I assigned groups class1-parents and class1-parents-admins.
This works quite fine. Once I have set up the permissions for a group, I do not have to care about permissions when adding objects. I put them into the right category and done. However, one problem I have got:
- As the class1-parents-admins group has/needs admin permissions (e.g. forum administration) in the global permissions, they are allowed to create new forums - and perhaps more than I want. I did not find a way to limit this via categories.
The only solution I found for this is to assign individual rights for each group to each object. Which is very hard to maintain.
Is there a more practical solution than the above?
What I would find very convenient would be something like
- "associated permission"
  - To associate a set of permissions (not only the category ones) when assigning a group to a category.
  - This set of "associated permissions" could be derived from a "template"/"dummy" group.
  - The effective permissions derived by category would be the union of the associated rights and the global rights of the assigned group.
- "category context" flag for global permission
  - Add a flag to a global permission that indicates "only in the context of a category"
From my limited point of view I would prefer the "associated permission". In my use case I would
- define two dummy/template groups "members" and "group-admins" and assign them the permissions I find appropriate.
- All real groups would be set up with no permissions.
- When assigning the real group class1-parents to category class1-parents I would use the associated group "members".
- When assigning the real group class1-parents-admins to category class1-parents I would use the associated group "group-admins"
In this case I would manage the actual permissions only through the two dummy groups.
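
Added example, not part of the original post and not Tiki code: a small Python model of the "associated permission" proposal, showing how the union rule scopes an admin right to one category and why a global grant does not. The permission names, object names and the rule that an unassigned group gets nothing from a category are assumptions made for illustration.

```python
# Model of the "associated permission" idea from the post above (not Tiki code).
# All permission, group and object names below are constructed for illustration.

# Template ("dummy") groups: the only place permissions are maintained.
TEMPLATES = {
    "members": {"forum_read", "forum_post", "gallery_view"},
    "group-admins": {"forum_read", "forum_post", "forum_admin",
                     "gallery_view", "gallery_admin"},
}

# category -> {real group: template group associated at assignment time}
CATEGORY_ASSIGNMENTS = {
    "class1-parents": {"class1-parents": "members",
                       "class1-parents-admins": "group-admins"},
    "class2-parents": {"class2-parents": "members",
                       "class2-parents-admins": "group-admins"},
}

# object -> categories it has been placed in
OBJECT_CATEGORIES = {
    "forum:class1": {"class1-parents"},
    "forum:class2": {"class2-parents"},
}


def effective_perms(group, obj, global_perms):
    """Union of the group's global rights and the associated rights it gets
    from every category the object is in. obj=None is the site-wide context
    (for example creating a new forum), where only global rights apply."""
    perms = set(global_perms.get(group, ()))
    for category in OBJECT_CATEGORIES.get(obj, ()):
        template = CATEGORY_ASSIGNMENTS.get(category, {}).get(group)
        if template is not None:
            perms |= TEMPLATES[template]
    return perms


def allowed(group, perm, obj=None, global_perms=None):
    return perm in effective_perms(group, obj, global_perms or {})


# The setup described as the problem: the admin right is granted globally.
GLOBAL_ADMIN = {"class1-parents-admins": {"forum_admin"}}

if __name__ == "__main__":
    g = "class1-parents-admins"
    print("proposal, own forum:    ", allowed(g, "forum_admin", "forum:class1"))
    print("proposal, other forum:  ", allowed(g, "forum_admin", "forum:class2"))
    print("proposal, site-wide:    ", allowed(g, "forum_admin"))
    print("global grant, site-wide:", allowed(g, "forum_admin", None, GLOBAL_ADMIN))
```

With empty global rights the admin group holds `forum_admin` only on objects in its own category; as soon as the right is granted globally, the union makes it apply site-wide and on every other category's objects as well.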