It seems ACLs are a stumbling block for many, and the worst thing that could happen for MODX, now that it is building momentum, is to pick up a bad reputation of being difficult to work with because of it. Hopefully we can make ACL creation simpler and also generate a better understanding of it.
So, I'm going to have a shot... I've been thinking about this idea of simplifying the process of ACLs, and have made a little prototype form page that allows you to set permissions for an Access Policy. Before we go any further can I just point out that I am aware I am not addressing some of the bigger issues here that need to be solved for wizards, or applying this to specific use cases but, who knows, it might be a stepping stone on the way there.
Just looking at the huge list of permissions settings, it seems they could be more easily handled by categorising and grouping, so that's what I have done. And to avoid having to go through these settings one by one, I've allowed turning on and off sets. We start by giving blanket access for different categories of permissions, eg 'Use Chunks' - which will allow you to view/create/delete/update/save chunks, but if we want, we can also refine these settings - it's just a click deeper.
Hopefully, this makes it easier to establish broad patterns of permissions, but retain the granularity.
Categorising
As many of the settings relate to showing menu items and pages in the manager, it seems obvious that if we can group all of them into this system, we get an already familiar structure for people to work with.
If you give access to a group to access, upload or use files, you should naturally have access to the files tab in the left nav by default, the same for resources or elements. For this reason, I have put all settings to do with resources, objects and files under the Manager Left Nav area, under their respective tab view setting.
Though this works in most cases, for some settings it seems unclear whether they should be grouped by the objects they relate to or where they sit in the menu (eg create_resource - in menu under Site, or with resource functions in Left Nav?).
I don't consider myself an ACL expert, so if I've missed something important, or not understood the consequences of a setting, please point it out, and offer a solution if you can. As an example, there are some settings which I don't even understand why they exist - like why you would want to restrict logging out of the manager? (or perhaps this is more to do with the display of that item in the manager site menu??)
And what is the difference between 'database' and 'view_sysinfo' - both say System Info page?
HTML
All input names use the actual system setting names, other than new ones I have created which form a global switch for a group. These input names start with 'GROUPCHECK_', and only serve the purpose of switching on and off several settings at once.
Questions
Should Object settings be abstracted away from this interface?
Aren't they implicit if you are using resources/elements?
I've put it on jsfiddle so anyone can mess with it:
http://jsfiddle.net/christianhanvey/UM5bN/4/
So the final question is, does this help make it any easier to manage Access Policies?
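Added example, not part of the original post or of MODX: one way the code receiving this form could turn the submitted fields into the policy's permission list, treating the 'GROUPCHECK_' inputs purely as UI switches and accepting only known permission names. The function name, the group name GROUPCHECK_sysinfo, the field not_a_permission and the short allowlist (built from the permission names mentioned in the post) are assumptions for illustration.

```javascript
// Added example: turn a submitted Access Policy form into a permission list.
// GROUPCHECK_ inputs only toggle several checkboxes in the UI, so they are
// never stored; the individual permission inputs are the only authority.
const GROUP_PREFIX = 'GROUPCHECK_';

// Constructed allowlist: only the permission names the post mentions.
// A real list would be taken from the policy being edited.
const KNOWN_PERMISSIONS = new Set(['create_resource', 'database', 'view_sysinfo']);

// Hypothetical helper. `fields` maps input name -> submitted value.
// Unchecked checkboxes are not submitted at all; checked ones arrive as "on".
function permissionsFromForm(fields) {
  const granted = [];
  const ignoredSwitches = [];
  const rejected = [];
  for (const [name, value] of Object.entries(fields)) {
    if (name.startsWith(GROUP_PREFIX)) {
      ignoredSwitches.push(name);   // UI-only group switch, never persisted
    } else if (!KNOWN_PERMISSIONS.has(name)) {
      rejected.push(name);          // unknown name: do not write it to the policy
    } else if (value === 'on' || value === '1' || value === true) {
      granted.push(name);
    }
  }
  return { granted: granted.sort(), ignoredSwitches, rejected };
}

// Constructed sample submission: a group switch was ticked, but one of its
// members (database) was then unticked one click deeper.
const submitted = {
  GROUPCHECK_sysinfo: 'on',   // hypothetical group switch name
  view_sysinfo: 'on',
  create_resource: 'on',
  not_a_permission: 'on',     // constructed: a field the form never offered
};

const result = permissionsFromForm(submitted);
console.log(result);
```

Because the group switch is ignored when the form is processed, unticking a single permission inside a group takes effect even when the group's own checkbox is still ticked.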