Configuring Groups and Group Controls

classic Classic list List threaded Threaded
18 messages Options
Reply | Threaded
Open this post in threaded view
|

Configuring Groups and Group Controls

ZeroD
Hi! I'm new to configuring Bugzilla and am stuck with a problem.

I'm setting up Bugzilla for different product teams(groups). Only
respective product team members should have bug ENTRY/EDIT access to
the product. Other users (say management, other project groups,
customers, etc) must be configured with SEARCH/VIEW rights to ALL the
bugs in all the products.

I managed to achieve the first requirement with the following setting:
PDTGRP:ENTRY/MANDATORY/MANDATORY/CANEDIT setting.
However, this setting makes the bugs only 'visible' to the product
group.

How can I configure the group controls so that bugs entered by one
product group are made 'visble' (search/view but not editable) to other
groups as well?

_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
ZeroD wrote:

> Hi! I'm new to configuring Bugzilla and am stuck with a problem.
>
> I'm setting up Bugzilla for different product teams(groups). Only
> respective product team members should have bug ENTRY/EDIT access to
> the product. Other users (say management, other project groups,
> customers, etc) must be configured with SEARCH/VIEW rights to ALL the
> bugs in all the products.
>
> I managed to achieve the first requirement with the following setting:
> PDTGRP:ENTRY/MANDATORY/MANDATORY/CANEDIT setting.
> However, this setting makes the bugs only 'visible' to the product
> group.
>
> How can I configure the group controls so that bugs entered by one
> product group are made 'visble' (search/view but not editable) to other
> groups as well?
>

PDTGRP: ENTRY, NA/NA, CANEDIT
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

ZeroD
Thanks Joel! Can't believe that this was so simple.

This works. But when the external(/other) user performs a search of
bugs, he/she is not provided an option to choose the 'Product' (in the
Product drop-down list on 'Find a specific bug' page) against which to
search for bugs. i would like all users to search by product names and
hence would want the 'Product' ddl to be populated for all users. Is
this possible? Does the group/product control feature address this?

_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
ZeroD wrote:

> Thanks Joel! Can't believe that this was so simple.
>
> This works. But when the external(/other) user performs a search of
> bugs, he/she is not provided an option to choose the 'Product' (in the
> Product drop-down list on 'Find a specific bug' page) against which to
> search for bugs. i would like all users to search by product names and
> hence would want the 'Product' ddl to be populated for all users. Is
> this possible? Does the group/product control feature address this?
>

Yes, but you have to turn "useentrygroupdefault" (paramter) off to stop
the emulation of the behavior of 2.16.
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

ordbkr
In reply to this post by ZeroD
I have a "similar" problem with groups.

For illustrative purposes, my company has products A, B, C, D.  We have
a support staff and customers 1 and 2 (plus many others).  A customer
can have a system consisting of a single product or several products.

The support staff needs to be able to have all priveleges with the
products.

Customer 1 needs to be able to enter, view, edit bugs for the products
they have, A & B.
Customer 2 needs to be able to enter, view, edit bugs for product A
only.

I do not want Customer 1 to see bugs submitted by Customer 2 against
product A and visa versa.  Their platforms may be different and their
product capabilities may be different.

Groups for the products were created automatically.  I have created
groups for the support staff and each customer.  How is this done with
groups and group controls?

Thanks.

_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
Don wrote:

> I have a "similar" problem with groups.
>
> For illustrative purposes, my company has products A, B, C, D.  We have
> a support staff and customers 1 and 2 (plus many others).  A customer
> can have a system consisting of a single product or several products.
>
> The support staff needs to be able to have all priveleges with the
> products.
>
> Customer 1 needs to be able to enter, view, edit bugs for the products
> they have, A & B.
> Customer 2 needs to be able to enter, view, edit bugs for product A
> only.
>
> I do not want Customer 1 to see bugs submitted by Customer 2 against
> product A and visa versa.  Their platforms may be different and their
> product capabilities may be different.
>
>
You have to split product A into A1 and A2 for that.
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

ordbkr
So we would model each system as a separate product?

I guess that works okay.  Then, I could use the Component object to be
our product A,B, .. installed as part of each cusomer's system.

Hmm, that is basically how our home-grown database works.

Thanks for the clarification.

Don

_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Mike Hobbs
In reply to this post by Joel Peshkin
In message <d8oeia$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:

> Don wrote:
>> I have a "similar" problem with groups.
>>
>> For illustrative purposes, my company has products A, B, C, D.  We have
>> a support staff and customers 1 and 2 (plus many others).  A customer
>> can have a system consisting of a single product or several products.
>>
>> The support staff needs to be able to have all priveleges with the
>> products.
>>
>> Customer 1 needs to be able to enter, view, edit bugs for the products
>> they have, A & B.
>> Customer 2 needs to be able to enter, view, edit bugs for product A
>> only.
>>
>> I do not want Customer 1 to see bugs submitted by Customer 2 against
>> product A and visa versa.  Their platforms may be different and their
>> product capabilities may be different.
>>
>>
> You have to split product A into A1 and A2 for that.

In our case we have products A and B.
A is required to be seen and edited only by internal staff.
B may be seen and edited by a specific customer and our staff.

We already have groups set up so that this access works and
we have regex match on the email address for group membership.
It all works just fine, except for one gaping hole...

If the user doesn't log in he can view any bug in the entire
Bugzilla database!  OK, he can't enter any bugs but we don't
want him to *see* anything.  How do we prevent this?

--
Mike Hobbs
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

RE: Configuring Groups and Group Controls

Jeff Jensen
I am using 2.18.1.  If I don't login but instead click on "Search", I am
automatically forwarded to the login page.  Every link (except Home and New
Account of course :-) I click or bug number I enter forwards me to the login
page.

What is your setting of the "requirelogin" parameter?

I am also wondering about your product and group configurations.  I setup
every product with its own group.  Then, configure the product's "Group
Access Controls" to something very restrictive.  I typically use
"Mandatory/Mandatory, ENTRY, CANEDIT" for the product's group.

What are your Group Access Control settings?


-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Mike Hobbs
Sent: Friday, June 24, 2005 4:22 AM
To: [hidden email]
Subject: Re: Configuring Groups and Group Controls

In message <d8oeia$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:

> Don wrote:
>> I have a "similar" problem with groups.
>>
>> For illustrative purposes, my company has products A, B, C, D.  We
>> have a support staff and customers 1 and 2 (plus many others).  A
>> customer can have a system consisting of a single product or several
products.

>>
>> The support staff needs to be able to have all priveleges with the
>> products.
>>
>> Customer 1 needs to be able to enter, view, edit bugs for the
>> products they have, A & B.
>> Customer 2 needs to be able to enter, view, edit bugs for product A
>> only.
>>
>> I do not want Customer 1 to see bugs submitted by Customer 2 against
>> product A and visa versa.  Their platforms may be different and their
>> product capabilities may be different.
>>
>>
> You have to split product A into A1 and A2 for that.

In our case we have products A and B.
A is required to be seen and edited only by internal staff.
B may be seen and edited by a specific customer and our staff.

We already have groups set up so that this access works and we have regex
match on the email address for group membership.
It all works just fine, except for one gaping hole...

If the user doesn't log in he can view any bug in the entire Bugzilla
database!  OK, he can't enter any bugs but we don't want him to *see*
anything.  How do we prevent this?

--
Mike Hobbs
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools

_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
In reply to this post by Mike Hobbs
Mike Hobbs wrote:

>
>
> In our case we have products A and B.
> A is required to be seen and edited only by internal staff.
> B may be seen and edited by a specific customer and our staff.
>
> We already have groups set up so that this access works and
> we have regex match on the email address for group membership.
> It all works just fine, except for one gaping hole...
>
> If the user doesn't log in he can view any bug in the entire
> Bugzilla database!  OK, he can't enter any bugs but we don't
> want him to *see* anything.  How do we prevent this?
>
That sounds pretty backward.  Exactly what configration are you using?
Specifically, what bugzilla version are you using and exactly what are
the group controls set to?
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Mike Hobbs
In message <d9gsm5$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:

> That sounds pretty backward.  Exactly what configration are you using?
> Specifically, what bugzilla version are you using and exactly what are
> the group controls set to?

In message <[hidden email]>
          "Jeff Jensen" <[hidden email]> wrote:

> I am using 2.18.1.  If I don't login but instead click on "Search", I am
> automatically forwarded to the login page.  Every link (except Home and New
> Account of course :-) I click or bug number I enter forwards me to the login
> page.
>
> What is your setting of the "requirelogin" parameter?

Aha, that did the trick!  (and I had browsed the params several
times for something like this and missed it each time).

> I am also wondering about your product and group configurations.  I setup
> every product with its own group.  Then, configure the product's "Group
> Access Controls" to something very restrictive.  I typically use
> "Mandatory/Mandatory, ENTRY, CANEDIT" for the product's group.
>
> What are your Group Access Control settings?

Product A group access controls:
           Internal_group: Shown/NA, ENTRY, CANEDIT

Product B group access controls:
           Customer_group: Mandatory/Mandatory, ENTRY, CANEDIT
     (and Internal staff are also members of Customer_group)

Result is customer can only see/edit bugs in Product B, which
is just what we want. Our staff can view/edit all bugs in all
products.

Thanks for helping me to RTFM.

Mike


--
Mike Hobbs
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Mike Hobbs
In reply to this post by Joel Peshkin
For interest, there are a couple of anomalies I've discovered
around controlling access to bugs:

 1. One of our products was created before we enabled group
    access control and bugs in this product are by default
    viewable by the customer who should only see bugs in his
    product. We can stop him seeing the bugs in the one he
    should not see but we have to manually tick the group
    restriction box on every bug and there seems to be no
    way to bulk edit them (other than directly with SQL).

 2. We have created a new product which we want to restrict
    to being viewable only by our staff.  Groups are set
    appropriately and we can restrict each bug to be viewed
    only by our staff, but if the reporter forgets to tick
    the box then the customer can see the bug.  It seems to
    me that the default ought to be to have the box ticked.
    Would this be easy to change?

Generally there are all sorts of warnings about compromising
security but in general Bugzilla seems to leave things pretty
open by default and the sysadmin and users have to remember to
lock things down.

Mike
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
Mike Hobbs wrote:
> For interest, there are a couple of anomalies I've discovered
> around controlling access to bugs:
>
>

You need to specify the exact version and the exact settings you are using.
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Mike Hobbs
In message <d9i5rj$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:

> Mike Hobbs wrote:
>> For interest, there are a couple of anomalies I've discovered
>> around controlling access to bugs:
>>
>>
>
> You need to specify the exact version and the exact settings you are using.

Version 2.18

Product A group access controls:
           Internal_group: Shown/NA, ENTRY, CANEDIT

Product B group access controls:
           Customer_group: Mandatory/Mandatory, ENTRY, CANEDIT

Product C group access controls:
           Internal_group: Shown/NA, ENTRY, CANEDIT

Groups:            RegEx              UseforBugs  Type
Product A:                                        user
Product B:                                        user
Product C:                                        user
Internal_group:  (*?)\@company.com        X       user
Customer_group:  (*?)\@cust.co.uk         X       user

Internal_group: only Administrators are also members of this group
Customer_group: Internal_group are also members of this group
                also: canconfirm, editbugs, editcomponents
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
Mike Hobbs wrote:

> Version 2.18
>
> Product A group access controls:
>            Internal_group: Shown/NA, ENTRY, CANEDIT
>
> Product B group access controls:
>            Customer_group: Mandatory/Mandatory, ENTRY, CANEDIT
>
> Product C group access controls:
>            Internal_group: Shown/NA, ENTRY, CANEDIT
>
> Groups:            RegEx              UseforBugs  Type
> Product A:                                        user
> Product B:                                        user
> Product C:                                        user
> Internal_group:  (*?)\@company.com        X       user
> Customer_group:  (*?)\@cust.co.uk         X       user
>
> Internal_group: only Administrators are also members of this group
> Customer_group: Internal_group are also members of this group
>                 also: canconfirm, editbugs, editcomponents


OK, you have a couple of errors here....
Your RegEx patterns would permit me to use [hidden email]
Change that to "@company\.com$"

You mentioned in your original post that you wanted a product to be
viewable by your staff only, but you have selected Shown/NA for the
controls.  You either want Default/NA + ENTRY or Mandatory/Mandatory + ENTRY

To force all of the legacy bugs into a group, there is a trick.  First
change the controls for that product/group to Mandatory/Mandatory, then
change them to Default/NA.
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Mike Hobbs
In message <d9olf0$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:
[snip]
>> Internal_group:  (*?)\@company.com        X       user
>> Customer_group:  (*?)\@cust.co.uk         X       user
[snip]
>
> OK, you have a couple of errors here....
> Your RegEx patterns would permit me to use [hidden email]
> Change that to "@company\.com$"

OK, thanks for this. Actually I seem to have omitted the "$" in
my post when actually it was there already in Bugzilla.

> You mentioned in your original post that you wanted a product to be
> viewable by your staff only, but you have selected Shown/NA for the
> controls.  You either want Default/NA + ENTRY or Mandatory/Mandatory + ENTRY

OK, I've set it to "Default/NA" now.  I must say that I have great
difficulty getting my head around the descriptions of the various
options here. Can anyone describe it better than the text in the
html pages?  I'm sure its very logical when you understand what the
words really mean. The words don't say "may be viewed by members of
group X" or "cannot be viewed by any other group" so I'm having
trouble building a conceptual model in my head.  Does anyone else
have this trouble?

> To force all of the legacy bugs into a group, there is a trick.  First
> change the controls for that product/group to Mandatory/Mandatory, then
> change them to Default/NA.

Thanks for this tip. Seems to have done the job. Excellent!

Mike
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

Joel Peshkin
Mike Hobbs wrote:
> OK, I've set it to "Default/NA" now.  I must say that I have great
> difficulty getting my head around the descriptions of the various
> options here. Can anyone describe it better than the text in the
> html pages?  I'm sure its very logical when you understand what the
> words really mean. The words don't say "may be viewed by members of
> group X" or "cannot be viewed by any other group" so I'm having
> trouble building a conceptual model in my head.  Does anyone else
> have this trouble?
>

Mike,

     I'll elaborate, but I am probably the worst person to judge what
makes sense to people that haven't had their heads in the code.

     For historical reasons, Bugzilla uses the model that a bug is "in"
zero or more groups and the user is "in" a list of groups.  If a bug is
in ANY group that the user is not, then the user cannot see the bug. So,
the user must satify ALL of the restrictions applied to the bug.

    The group controls indicate which groups are used for bugs in a
product.  The simplest model would be to have a checkbox on every bug
for every group.  That would be the equivalent of having every group
"Shown" but the UI would be terrible.  So, some of the groups are NA
meaning that they can never be used for a bug in that product.  Now,
sometimes we don't want to give the user the option of taking a bug out
of a group.  So, we set that group to be MANDATORY.  That means that the
bug is in the group regardless.  That leaves the distinction between
SHOWN and DEFAULT which is a bit more intuitive.

-Joel
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Configuring Groups and Group Controls

mordith
In reply to this post by ZeroD

This seems to be the place to ask this question, and Joel seems to be a
maven at group security, so here goes.

I have two products, A and B.  I have two groups, also A and B.  Each
group is a discrete set of programmers.  The programmers in Group A are
responsible for resolving issues in Product A.  Likewise, the
programmers in Group B are responsible for resolving issues in Product
B.  Product B is dependant on Product A, which means issues in the
output Product A passes to Product B can result in issues with the
output Product B provides to the user.  Very object oriented.

For Product A:
I would like all members of Group A to have issue entry rights.
I would like all members of Group A to have comment rights to all
issues related to Product A.
I would like only the issue reporter (who can be a member of either
Group A or B) and the programmer to whom the issue is assigned (who
will always be a member of Group A) to have the ability to edit the
other fields in the issue report, such as Priority, Status, and
Severity.
I would like all members of Group B to have issue entry rights.
* Here's the first kicker (required).  I would like all members of
Group B to be able to view all issues for Product A.
* Here's the second kicker (optional).  I would like all members of
Group B to be able to add comments for all issues in Product A.

For Product B:
I would like all members of Group B to have issue entry rights.
I would like all members of Group B to have comment rights to all
issues related to Product B.
I would like only the issue reporter (who can be a member of either
Group A or B) and the programmer to whom the issue is assigned (who
will always be a member of Group B) to have the ability to edit the
other fields in the issue report, such as Priority, Status, and
Severity.
I do not want any member of Group A to have issue entry rights for
Product B.
* Here's the first kicker (required).  I would like all members of
Group A to be able to view all issues for Product B.
* Here's the second kicker (required).  I would like all members of
Group A to be able to add comments for all issues in Product B.

The security settings with the asterixes(*) next to them are the ones I
haven't been able to get working.  If someone could provide me with
Group Access Control settings for Product A and Product B that would
get Bugzilla working the way I need it to, I would really appreciate
it.



--
mordith
------------------------------------------------------------------------
Posted via http://www.forum4designers.com
------------------------------------------------------------------------
View this thread: http://www.forum4designers.com/message257377.html


 
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools