[Phpgroupware-tracker] [ 100483 ] User visibility and domain support

[nobody]

Support Request #100483, was updated on 2002-Feb-25 15:23
You can respond by visiting: 
http://savannah.gnu.org/support/?func=detailsupport&support_id=100483&group_id=509

Category: Question
Status: Open
Priority: 5
Summary: User visibility and domain support

By: passionplay
Date: 2002-Dec-06 20:32
Logged In: NO 
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)

Easy. When you log in, every single user that has an 
account in the system is visible to every single other 
user. Not only that, but you can tell what groups a user 
belongs to, and because the original system uses membership 
groups for role administration, belonging to a group 
automatically determines the role the user has.

The patches I created have the following attributes:

a) Opaque groups where membership is not visible, so rights 
can be assigned anonymously, so that users can't complain 
that one user has a higher level of access than another.

b) All users can see each other in the directory. In my 
patch, only users in common groups other than opaque groups 
can see each other.

There really is no need for all users to know who is in the 
Ops group.

And if users are from 2 separate domains on the same 
machine, there is no need to have 2 separate databases. 
Since membership visibility is governed by common 
membership, if all users for each domain belong to a 
particular group, then only those users that are in that 
particular group can see each other.

Example:

Corporate system: Purchasing, Quality and Accounting.
Although each of these groups is part of the same 
organization, they each have their own administration 
protocols, and so they shouldn't necessarily be able to see 
everyone in the contact database. Just those people they 
should be able to get in touch with. Should there be a need 
to email directly, they can do so, but not just at random.

Privileged system: Different users on a dating site in 
different areas, romance, or just plain dating shouldn't be 
able to see each other unless they belong to the right 
community.

And so on and so forth.

The HR application, just assumes that everyone should be 
visible. Period.

What if some users should remain privileged???

Am I shedding any light?

P.S. As far as domain support, how do you support multiple 
domains in PHPGroupWare natively in the same database????

And if it's not in the same database, you DO realize you're 
setting up a headache for maintenance now, right? :)

Thanks!!! :)

Shamim

----------------------------------------------------------------------

By: passionplay
Date: 2002-Aug-30 06:20
Logged In: NO 
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)

If you look in patch 434, I have created groups that allow 
opaque membership, so that only transparent groups allow 
you to see who else is in the group.

This allows for groups that assign 'roles' to not have to 
broadcast their members to the users.

Most applications honor the groups and the memberships 
therein.

The HR application on the other hand does not. It simply 
shows you everyone in the system.

When PHPGroupware is set up for multiple domains, do you 
need multiple databases to support the extra domains?

And how do you prevent users of one virtual domain from 
seeing users in a different virtual domain?

One way would be to make the HR application honor the group 
membership and to automatically make all users of a single 
virtual domain, belong to a initially to a group with the 
same name as their domain. when the account was created. 
This group would be ONLY for HR group usage and those 
people in the HR group would be visible to others in the 
same group. Just like we have for the Time_Track facility.

P.S. How do I get patch 434 incorporated into the main 
tree??

Thanks!!!

----------------------------------------------------------------------
You can respond by visiting: 
http://savannah.gnu.org/support/?func=detailsupport&support_id=100483&group_id=509