dev.onlyoffice.org

[Moinois]

Hi,

I'm trying to figure out how the folder permission model is implemented. I have a requirement to have several groups with sub-groups with different folder permissions.

Simplified example:
Groups:
Common group - a larger group
Core group - a smaller group consisting of some members of the Common group

Users:
User1 is in the common group
User2 is in both groups

Folders:
Common folder1, Common group have read access, Core group have read/write
/ Subfolder1, Common group is denied access, Core group have read/write (used for working documents that later will be moved to the outer group)

My problem is that as soon as I deny the Common group access to Subfolder1, Core group also is denied access to Subfolder1 since the users in the Core group is in both.

My worries is that I might have to move Subfolder1 to the root to be able to control the folder permissions the way I want it, and since I have an elaborate structure where the folders contains subfolders in several levels and it would practically require me to flatten the entire structure and the whole folder-in-folder strategy would be lost.

I looked at http://helpcenter.onlyoffice.com/admini ... ation.aspx but I couldn't find any answers on how the permissions are supposed to work.

Regards,
Magnus

[Maxim]

Hello Moinois!
The problem is that the same user is in two groups, "no access" permission is highest priority rule than "read/write", I think this is the right decision. Try to give permission "read/write" for subfolder1 to users, not to group.

[Moinois]

But.. That is really hard to work with. In most (all?) permission systems more allowing rights trumps less allowing rights. To give specific users access is a really, really bad option since it requires micro-management of the rights and in general opens up for rather hard to find permission issues. I would like to create a folder structure and then assign a specific group a specific access right so that I easily and reliably can control who has access to what by looking at the members of the group. Imagine having hundreds of folders in nested structures combined with tens of user groups. The access administration will be a nightmare if a user leaves or joins a group.

And why would it be any difference if I give access to a user directly rather than a group? Shouldn't it at least work the same? If I give the user access even if it is in a group that is denied, the user should still be denied, right?

Any solution on how to build a folder structure with access rights using groups, at all? Since it seems that as soon as you deny a group, all the users in that group is blocked no matter how many groups that any user in the first group is part of that does have access to the sub folder...

Best regards,
Magnus

[Maxim]

Hello Moinois!
There is no group hierarchy, groups are equal. The user permissions have highest level in comparison with group permissions. Also permissions for subfolders have higher level than parent folder.
Anyway the user should not be denied. For some reason it goes wrong way.
Thank you for your feedback! If you have any suggestions related to permissions please inform us.

[Moinois]

Just let me know if this scenario is supposed to work and in that case if you are looking into fixing it:

GroupA: User1
GroupB: User1, User2

Code: Select all

Root folder
  FolderX: GroupA [Full permissions], GroupB [full permissions]
    FolderY: GroupA [Full permissions], GroupB [read permissions]
    FolderZ: GroupA [Full permissions], All [deny permissions]


Should User1 have full permissions in FolderX, FolderY and FolderZ while User2 will be able to edit in FolderX and see FolderY but FolderZ will be hidden?
Currently denying will affect all in GroupA and hence User1 will not see FolderZ (and can only read in FolderY if I'm remembering correctly). So the permissions model seems upside down from my perspective, Default should IMHO be to deny all and then you add permissions, where the order is deny -> read -> full and full will overrule all (bitwise OR to be talking programmer lingo).

[Maxim]

Hello Moinois!
Permission priority model looks like

Code: Select all

User, Departments (Groups), admin, everyone (All)

[Moinois]

Ok, good to know. I presume that User has the highest priority and everyone has the lowest? Just to make things clear.
How are the permissions handled when there are conflicting ones? E.g. one group grants the user access and another is prohibiting access? How is everyone handled in that case? If I have understood you correctly denying someone access has higher priority than granting someone access in that case? That is my experience so far at least and is the problem in my opinion. If I want to create a folder where everyone is denied, but then add groups that should have different permissions, one for those that should have read only permissions and one that should have read/write while the groups has some members shared between them - how should that be done? Can you give us an example?

One way to work around this (even if it isn't a pretty one) is to create groups that are denied access to specific folders when there are groups with shared members. It will be more workable than setting rights on specific folders for specific users (something that no one really want to do since it will be hell to revoke those rights later on if the user for one reason or another shouldn't have access to those folders).

I'm really sorry for continuing asking about this, but a robust permissions model is a key feature that we really would like have in place and the way it works today doesn't seem to work as expected (compared to any other folder structure permissions system at least).

[Maxim]

Hello Moinois!

User has the highest priority and everyone has the lowest?

Yes

E.g. one group grants the user access and another is prohibiting access? How is everyone handled in that case? If I have understood you correctly denying someone access has higher priority than granting someone access in that case?

If someone has been granted access but after denying than he is supposed to have access permissions.

If I want to create a folder where everyone is denied, but then add groups that should have different permissions, one for those that should have read only permissions and one that should have read/write while the groups has some members shared between them - how should that be done? Can you give us an example?

Let's imagine we have two groups and one shared folder. One group has read only permission and the second one has read\write permissions also there is one user who is a member of two groups at the same time, in that case he will be granted stripped-down permissions - read only.

[Moinois]

If someone has been granted access but after denying than he is supposed to have access permissions.

How do you mean with after? Does the order of the applied groups matter and how do I set that in that case?

Let's imagine we have two groups and one shared folder. One group has read only permission and the second one has read\write permissions also there is one user who is a member of two groups at the same time, in that case he will be granted stripped-down permissions - read only.

Okay, this is an issue. How would you suggest that I should solve it using groups only? Normally it is the highest access level that is applied if there are multiple groups but in your example it is the lower that is applied. What if a third group is used where the user is denied access as well? Will the user be denied access? Or have read-only access?

But most important: If you have a structure with sub folders, how can you handle permissions using only groups where users might be members of several groups with different permissions on different sub folders and levels? Maybe I can create an example structure somewhere where you can see that I'm trying to achieve and you can show how it can be done, if it even is possible in the current implementation.

Best regards,
Magnus

[Maxim]

Hello Moinois!

How do you mean with after?

I mean that permissions will be applied those which were set up last time.

Maybe I can create an example structure

Yes, i'd like to see, it would be great.