make ACLs easier or provide wizard#

I'd like to give this topic a new discussion. I'm sure this had been discussed several times but anyway the problem still exists. I don't know any other CMS where permissions are that hard to set.

example:

I have a basic website with a blog. For the blog we want to have a different user who can only write and edit blog posts (Articles).
I don't want to create resource groups (btw: I don't know of a way to have a "default" user group for new root resources. This is very bad because if I create a new I then always have to change my resource group, right?). I don't want to define about 10 configurations to get this running.
Another problem I experienced: After doing that resource group thing etc. my (anonym) user group hadn't had access to the whole site anymore.

I just want to say: "User 1" belonging to "user group 1" can only edit this resource group. This shouldn't be depended from other resource groups etc.
This is one step better.

next step: Do I have to set all the settings on my own? Why not turning the other way round: I create a new premission-setting and MODX gives me all the default settings used most. If I have a big website where I need special settings I also would save time by just editing existing settings instead of writing all the stuff on my own.
e.g. I always have to give permission setting to web context and the same for mgr. Why not doing both in one step? I always can edit later and wouldn't loose one single click.

Of course it would be cool to have a wizard for all that stuff. Because normal websites need things like I've described before and for thus a wizard should be possible, right?
It should be clear that a wizard won't work for big sites with complicated rules here. But that's not the point. Point is, we need a speedy and easy way to set such basic settings and WP, Joomla or drupal users understand this immediately.

What do you think?

I Agree,

What would be nice is to be able to create a user, then have a list of check box's where we can select what they have access to and also what they can edit, I use interspire cart software and they have the user management down to a t where all access can be selected and makes it really easy.

If MODX is going to promote itself more to the client we really need to make user management easier as I struggle with setting these up never mind a client and it should be the client that can set users up with access restrictions.

Just my $0.02

I agree, I agree, I agree. The permissions issue has taken Modx from being the CMS of choice for my customers to the point that I am not actively developing in it or even blogging about it. Go check my blog, I haven't posted in 6 months. I used to believe that there was nothing better, or more flexible out there. Right now, that is not necessarily true. This is due, in large part, to the permissions system.

I simply cannot effectively manage customer access with this system. I think I have an issue addressed and another one is right behind it. I am unaware of it, but it is there. This is a source of frustration for me and friction from my customers.

In the spirit of being constructive I do have a couple of suggestions. When I am on a support call with a customer it is very difficult for me to "see" what they are seeing. I end up having to ask for their password so I can login through their account. The alternative is for me to set up another, identical account and that is too time consuming when on a support call. As a Super Admin It would be helpful if I could navigate to their account and login as that user.

I also feel that there is no feedback from Modx when I see an "Access Denied" message. I cringe when I see this because I have no idea why access has been denied or where to start for troubleshooting. It can turn what is essentially unchecking a box into an hour or two of expletive laced clicking around.

acls are 10,000 times more difficult than they should
GUI to easily create ACLs should be top priority for 2.2.1 release
current system IS wayyyyyyy tooooooooo complicated
thank you, tom

I came up to a quick idea with Ben Marte (while figuring out a ACL problem):

- keep resource groups (but offer a default one so we only set a new group to limit a resource)
- offer 2 options: allow / disallow. Nothing more like access policies, roles etc. You can offer extended features for edge-cases but normally we don't need more than yes/no.

At least it should be possible to create a function like the following in not more than 2 minutes:

- limit a user group to resource group
- so users of this group only get access to this resource group, no other resources.
- other users get access to all (even the ones in the resource group).

Having a finely adjustable security system makes IMHO always sense - but the majority of MODX users will never have the requirements to use the granularity. From a sysadmins point of view, it's necessary to provide group based security concept, not only a user based one. If you have a large amount of users and you have to change an elementary setting, you are f***ed.

Is it really useful, to have groups AND roles? Of course, you can build very big sites with lots of ressources and then it's good to have a groups and roles...ok. But in most cases you will need to have these different groups:

• Super-User
• Site-Admin
• Site-Developer
• Create/Edit Ressources
• Create/Edit/Publish Ressources
• Anonymous-User

Even if you need to have 5 more groups for your site, it's still possible not to loose the overview, isn't it?

What I want to say is: Don't make it more complicated as it is!

IMHO, the easiest solution would be like this:
Create a group, add settings what members of the group are allowed to do, then add the group to a ressource and add users to the group, done.

Btw, a major difference from e.g. windows security concept is, that if one rule allows access and another rule restricts the access (user has both policies), the user has access the the ressource. Windows handles this more restrictive, access is forbidden.

Having both roles and groups allows users in the same group to have different permissions, which can be very useful in certain situations.

That said, a Wizard would be a great idea. I've thought about creating one, but never seem to have the time.

---------------------------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using . . . PLEASE!
MODx info for everyone: http://bobsguides.com/MODx.html

I did some more thinking about ACLs and how they can be made more user friendly.

It would be nice if we could make user groups and each user group would have a resource group specific to it, then we can drag and drop as usual in the resource group.

This would be more efficient and help keep the resource groups organized by user group instead of having all resource groups in one page and not know to what group it belongs to.

Another thing that needs to be fixed is when you create a new resource you have to go and drag it to the specific resource group because everyone has access to new resources, this is a real PITA when you have multiple contexts and resource groups.

Everyone should be denied access to resources in the manager except the admin and the admin should then allow access to the user group of what resources they can have access to.

This would avoid having to make a user group for admins which I do not understand why you can restrict and admin user group, an admin account should always have access to everything, that's why you have user groups to restrict non admin users.

ACLs are very powerful and I understand that you want to give us full control but there's so many different thing in ACLs right now that affect what a user group can and can't do, roles, policy templates resource groups it's pretty confusing mix in multiple context and you got yourself a huge mess to deal with.

There's only 2 things I wish MODX had that I know if it did it would help MODX gain more users, easier permissions and a built in front end editor (even though many think it's not necessary)

Oh yes - please rethink the management of the permission system of MODX Revo!
My brain is simply not compatible with the current one! :-/

@menmarte: Exactly!