Product group access control problem

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Product group access control problem

Mike Hobbs
I thought I was beginning to get on top of the access control
but I'm confused again.

We have Product A and Product B.
Customer X can only see bugs in Product B (as we want it).
Internal staff can see bugs in both products (again OK).

Now we want Partner Y to be able to see only selected bugs in
Product B.

So, I created a group PartnerY.
The Product B Group Access Controls are currently set to the
following (although I've tried various other settings):
 Group      Entry  MemberControl  OtherControl  CanEdit
 PartnerY     no     Default       NA              no
 CustomerX    yes    Manmdatory    Mandatory       yes
 Internal     no     NA            NA              no

Internal is a member of CustomerX, giving them access.
PartnerY is NOT a member of any other group.

The effect is that nothing I've done prevents PartnerY
from viewing any bug in Product B.  PartnerY cannot see
any bugs in Product A (which is as we want it).
I've tried Mandatory Mandatory and various other combinations
which I think migh be appropriate but nothing has the
desired effect.

Bugs in Product B now have just one tick box
  [_]  PartnerY users
which by default is ticked, but if I untick and submit
PartnerY can still see all the bugs in Product B.
I guess what we need is to add a tick box for CustomerX
so that it can be ticked whilst the PartnerY box is
unticked, thus restricting viewing only to CustomerX?
But how?

Thanks
--
Mike Hobbs
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Product group access control problem

Joel Peshkin
Mike Hobbs wrote:

> I thought I was beginning to get on top of the access control
> but I'm confused again.
>
> We have Product A and Product B.
> Customer X can only see bugs in Product B (as we want it).
> Internal staff can see bugs in both products (again OK).
>
> Now we want Partner Y to be able to see only selected bugs in
> Product B.
>
> So, I created a group PartnerY.
> The Product B Group Access Controls are currently set to the
> following (although I've tried various other settings):
>  Group      Entry  MemberControl  OtherControl  CanEdit
>  PartnerY     no     Default       NA              no
>  CustomerX    yes    Manmdatory    Mandatory       yes
>  Internal     no     NA            NA              no
>
> Internal is a member of CustomerX, giving them access.
> PartnerY is NOT a member of any other group.
>
> The effect is that nothing I've done prevents PartnerY
> from viewing any bug in Product B.  PartnerY cannot see
> any bugs in Product A (which is as we want it).
> I've tried Mandatory Mandatory and various other combinations
> which I think migh be appropriate but nothing has the
> desired effect.
>
> Bugs in Product B now have just one tick box
>   [_]  PartnerY users
> which by default is ticked, but if I untick and submit
> PartnerY can still see all the bugs in Product B.
> I guess what we need is to add a tick box for CustomerX
> so that it can be ticked whilst the PartnerY box is
> unticked, thus restricting viewing only to CustomerX?
> But how?
>
> Thanks

For Product A
internal ENTRY, MANDATORY/MANDATORY

For Product B
B_access_at_all_group ENTRY, MANDATORY/MANDATORY
B_morerestrictive_group Default/NA

Then, include only  CustomerX and internal in B_morerestrictive_group
and include PatnerY and B_morerestrictive_group in B_access_at_all_group
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Product group access control problem

Mike Hobbs
In message <danfi7$[hidden email]>
          Joel Peshkin <[hidden email]> wrote:

> Mike Hobbs wrote:
>> I thought I was beginning to get on top of the access control
>> but I'm confused again.
>>
>> We have Product A and Product B.
>> Customer X can only see bugs in Product B (as we want it).
>> Internal staff can see bugs in both products (again OK).
>>
>> Now we want Partner Y to be able to see only selected bugs in
>> Product B.
>>
>> So, I created a group PartnerY.
>> The Product B Group Access Controls are currently set to the
>> following (although I've tried various other settings):
>>  Group      Entry  MemberControl  OtherControl  CanEdit
>>  PartnerY     no     Default       NA              no
>>  CustomerX    yes    Manmdatory    Mandatory       yes
>>  Internal     no     NA            NA              no
>>
>> Internal is a member of CustomerX, giving them access.
>> PartnerY is NOT a member of any other group.
>>
>> The effect is that nothing I've done prevents PartnerY
>> from viewing any bug in Product B.  PartnerY cannot see
>> any bugs in Product A (which is as we want it).
>> I've tried Mandatory Mandatory and various other combinations
>> which I think migh be appropriate but nothing has the
>> desired effect.
>>
>> Bugs in Product B now have just one tick box
>>   [_]  PartnerY users
>> which by default is ticked, but if I untick and submit
>> PartnerY can still see all the bugs in Product B.
>> I guess what we need is to add a tick box for CustomerX
>> so that it can be ticked whilst the PartnerY box is
>> unticked, thus restricting viewing only to CustomerX?
>> But how?
>>
>> Thanks
>
> For Product A
> internal ENTRY, MANDATORY/MANDATORY
>
> For Product B
> B_access_at_all_group ENTRY, MANDATORY/MANDATORY
> B_morerestrictive_group Default/NA
>
> Then, include only  CustomerX and internal in B_morerestrictive_group
> and include PatnerY and B_morerestrictive_group in B_access_at_all_group

Sorry, but this doesn't work (or at least I have no idea in
what order one must apply the group controls).

I've followed the above suggestion absolutely to the letter, in the
order suggested, and also various other combinations of controls.
At first, following the above suggestion, it had almost totally
the reverse effect of what we want - internal and customerX
could only view a small subset whilst PartnerY could not only
view all bugs but they could control access by others.

I thus deleted the groups and started again reversing all the
instructions above in case you simply made a mistake.  That made
no difference - PartnerY could see/do everything whilst Internal
and CustomerX were severely restricted.

So I cleared all the groups yet again, set the ProductB controls
to Mandatory/Mandatory, then Default/NA, then Mandatory/Mandatory
again, and then went through your original instructions again.
This time it seemed to be closer to what we want. However,
I now have the exact set-up you suggest (I'll repeat it here):
 ProductA
    Internal        ENTRY, MANDATORY/MANDATORY
 ProductB
    ProdB_Access    ENTRY, MANDATORY/MANDATORY
    CustX&Internal         DEFAULT/NA

 CustX&Internal  includes CustomerX and Internal
 ProdB_Access    includes PartnerY and CustX&Internal

Result is:
 PartnerY cannot view ProductA at all (OK, fine).
 PartnerY can see all the bugs in ProductB and can tick/untick the
 box  "[_] CustX and Internal users" (which is ticked by default).
 (This is no good - we only want them to only see bugs which
 Internal allows them to see).

 Internal can see ProductA and ProductB (OK, fine).
 Internal can see all the bugs in ProductB and can tick/untick the
 box  "[_] CustX and Internal users" (OK, fine).

 CustomerX cannot see ProductA (OK, fine).
 CustomerX can see all the bugs in ProductB and can tick/untick the
 box  "[_] CustX and Internal users" (OK, fine).

There is only the one tick box on the bug display. The wording
with this says "Only the users in all of the selected groups can
view this bug (unchecked boxes make this a more public bug)".
Not only does this not seem to be the case (since when the box
is ticked, other groups can still view it) but the wording seems
contradictory. In any case, with only ONE tick box, supposedly
controlled by the members of CustX&Internal group, the only
group they can include/exclude from viewing the bug is themselves!

The group access controls only seem to be effective on PRODUCTS
rather than individual bugs. I'm sure this shouldn't be the case,
but its what I'm actually experiencing.

I've spent several hours playing with group controls and deduced
that the order in which one applies the controls has an effect
on the group membership applying to each bug (as indeed was
indicated in an earlier reply to the newsgroup saying to bulk
change the application of groups to bugs change to Mandatory/
Mandatory and then to Default/NA). However, I've tried this
between changing group controls in various different orders, but
I cannot get the desired effect.  Moreover, I still cannot get
my head round what is actually going on in the database and how
it limits/allows access.

This seems incredibly difficult! Its also extremely laborious
having to log out and log back in again as different users to
see what effect changes have had.

--
Mike Hobbs
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools
Reply | Threaded
Open this post in threaded view
|

Re: Product group access control problem

Joel Peshkin
Mike Hobbs wrote:

>  ProductA
>     Internal        ENTRY, MANDATORY/MANDATORY
>  ProductB
>     ProdB_Access    ENTRY, MANDATORY/MANDATORY
>     CustX&Internal         DEFAULT/NA
>
>  CustX&Internal  includes CustomerX and Internal
>  ProdB_Access    includes PartnerY and CustX&Internal
>
> Result is:
>  PartnerY cannot view ProductA at all (OK, fine).
>  PartnerY can see all the bugs in ProductB and can tick/untick the
>  box  "[_] CustX and Internal users" (which is ticked by default).
>  (This is no good - we only want them to only see bugs which
>  Internal allows them to see).
>
>  Internal can see ProductA and ProductB (OK, fine).
>  Internal can see all the bugs in ProductB and can tick/untick the
>  box  "[_] CustX and Internal users" (OK, fine).
>
>  CustomerX cannot see ProductA (OK, fine).
>  CustomerX can see all the bugs in ProductB and can tick/untick the
>  box  "[_] CustX and Internal users" (OK, fine).
>

Check the actual list of groups of which your PartnerY test user is a
member.  I suspect you will find that your user is also a member of
CustX&Internal.  (I would suggest you also avoid putting an ampersand in
the group name)

>
> This seems incredibly difficult! Its also extremely laborious
> having to log out and log back in again as different users to
> see what effect changes have had.
>
That is finally a good use for IE.  I keep firefox and IE logged in as
seperate users when I am jumping between users a lot.
_______________________________________________
mozilla-webtools mailing list
[hidden email]
http://mail.mozilla.org/listinfo/mozilla-webtools