Posted to users@jackrabbit.apache.org by aimran <ai...@gmail.com> on 2011/04/12 22:58:04 UTC

Multiple workspaces and access control question

hi,

Maybe I am approaching this the wrong way; but here's what I am trying to
do:

My app will have 1-n workspaces. 
Requirement 1: Each workspace will have its own set of users. Users from
one workspace cannot access other workspaces. 
Requirement 2: In some exceptional cases, users may access other workspace

To highlight this with an example: say the workspaces are Legal, Marketing
and Sales. They will have their own users and they cannot see each other's
stuff. Now a new workspace Cafeteria is added, that users from all other
workspaces should be able to see [and perhaps write comments on the menu
etc] that workspace.

Since Jackrabbit gives everyone read access to all workspaces, using the
DefaultSecurityManager was not an option. I ended up using
UserPerWorkspaceSecurityManager, which now allows me to fulfill requirement
1. 
However I am puzzling over how to get to requirement 2.

I tried giving a user from workspace 1 access to workspace 2, but obviously
it does not work, since users are per workspace. I tried using
DefaultSecurityManager, but that then gives everyone access to all
workspaces.

So, is there a mechanism to fulfill the requirements or is it asking too
much of jackrabbit ??

PS: Please don't ask me to use a single workspace. Due to requirements of
total isolation, strong file system level security requirements and possible
future migration of workspaces independently to other machines, our
architects have decided on separate workspaces per community of users. I
cannot change that requirement.


Re: Multiple workspaces and access control question

Posted by aimran <ai...@gmail.com>.
Angela,
thanks for your response and detailed explanation.


Re: Multiple workspaces and access control question

Posted by Angela Schreiber <an...@adobe.com>.
> My app will have 1-n workspaces.
> Requirement 1: Each workspace will have its own set of users. Users from
> one workspace cannot access other workspaces.
> Requirement 2: In some exceptional cases, users may access other workspace

userperworkspace usermanager would be the right option. if you combine 
it with the corresponding security manager then users will only be
allowed to access the workspace if the user exists therein (in contrast 
to e.g. the simple-workspace-ac-mgr which allows everyone to access
every workspace, see below).

> To highlight this with an example: say the workspaces are Legal, Marketing
> and Sales. They will have their own users and they cannot see each other's
> stuff. Now a new workspace Cafeteria is added, that users from all other
> workspaces should be able to see [and perhaps write comments on the menu
> etc] that workspace.

you can either create users with the same userID in the cafeteria
workspace (the user nodes will be 'corresponding' to those in the other
workspaces based on the nodeID which stores the hashed identifier) or
simply clone the nodes.

> Since Jackrabbit gives everyone read access to all workspaces, using the
> DefaultSecurityManager was not an option. I ended up using

this is configurable (omit-default-permissions parameter with the access
control provider which can be configured for each workspace) and not 
related to the user manager at all.

> UserPerWorkspaceSecurityManager, which now allows me to fulfill requirement

see above. that's fine but not related to the default permission
setup which depends on the per workspace ac provider.

> 1.
> However I am puzzling over how to get to requirement 2.

see above.

> I tried giving a user from workspace 1 access to workspace 2, but obviously
> it does not work, since users are per workspace. I tried using

as stated above you have to make sure that the users are present
in the workspace. that's the default if you use the u-p-w-security
manager.
if you can't deal with this, you optionally could change the
security configuration to use a different workspace-access-mgr
that applies a different logic to determine if a given user can
access the workspace... but then you potentially have to fiddle
around with a custom loginmodule and/or principal provider if the
users were not present in the cafeteria workspace but still
need to have access and access control entries assigned.

> DefaultSecurityManager, but that then gives everyone access to all
> workspaces.

see above.

> So, is there a mechanism to fulfill the requirements or is it asking too
> much of jackrabbit ??

not at all.

> PS: Please don't ask me to use a single workspace. Due to requirements of
> total isolation, strong file system level security requirements and possible
> future migration of workspaces independently to other machines, our
> architects have decided on separate workspaces per community of users. I
> cannot change that requirement.

that shouldn't be a problem from my point of view.

regards
angela
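
The first option from the reply above (create the same userID in the cafeteria workspace, then assign access control entries there), written out as an added example that is not part of the original thread. The workspace name "cafeteria", the path "/menu" and the class and method names are assumptions for illustration; the calls are the Jackrabbit 2.x user management API and the JCR 2.0 access control API.

```java
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

public class CafeteriaAccess {
    // Assumed names for this example; not taken from the thread's repository.
    static final String WORKSPACE = "cafeteria";
    static final String MENU_PATH = "/menu";

    /** Ensures userId exists in the cafeteria workspace and grants it jcr:read on MENU_PATH only. */
    public static void grantRead(Repository repo, SimpleCredentials admin,
                                 String userId, String password) throws Exception {
        Session s = repo.login(admin, WORKSPACE);   // admin session bound to this one workspace
        try {
            UserManager um = ((JackrabbitSession) s).getUserManager();
            Authorizable a = um.getAuthorizable(userId);
            if (a == null) {                         // same userID as in the user's home workspace
                a = um.createUser(userId, password);
                if (!um.isAutoSave()) s.save();      // persist the user node before referencing it
            }
            Principal p = a.getPrincipal();
            AccessControlManager acm = s.getAccessControlManager();
            AccessControlList acl = findAcl(acm, MENU_PATH);
            acl.addAccessControlEntry(p, new Privilege[] { acm.privilegeFromName(Privilege.JCR_READ) });
            acm.setPolicy(MENU_PATH, acl);
            s.save();
        } finally {
            s.logout();
        }
    }

    /** Returns the ACL already bound at path, or an applicable one that has not been set yet. */
    static AccessControlList findAcl(AccessControlManager acm, String path) throws Exception {
        for (AccessControlPolicy pol : acm.getPolicies(path)) {
            if (pol instanceof AccessControlList) return (AccessControlList) pol;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy pol = it.nextAccessControlPolicy();
            if (pol instanceof AccessControlList) return (AccessControlList) pol;
        }
        throw new IllegalStateException("no ACL policy applicable at " + path);
    }
}
```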