make ACLs easier or provide wizard

Just chiming in here after reading through the posts. I just spent over 3 hours trying to set up a user in Revo 2.2 with no success. I followed a few tutorials and nothing worked. I had to reschedule a client meeting because it's not working. I'm very frustrated.

Mark and Bob I really appreciate your input and I am thankful there are a few people around who know how this works but it's clear that even some pretty savvy MODX users don't get the ACLs and that says it all.

This is no longer something for the back burner. It needs to be addressed ASAP by the MODX team (thanks for listening and doing all you can to make this a great CMS!).

I will spare you the frustration I have right now but just say that it makes the most sense to me to have the majority of case uses as the default and then provide other methods for the more granular (it's the other way around right now). And super admin should definitely have full rights as default.

I am going to think about what these most common cases would be and try to visually express them. Off to the drawing board.

@crunch - I think that's a good suggestion for improving the policies and templates. IMHO, the Revo has been too much based around database structure, and not around user needs and experience. This seems like a great example. Of course it doesn't necessarily improve the whole process, but its an incremental improvement on this part of the process.

Can I suggest to the MODX that this forum thread is one of the most important things going on in MODX right now - and because of the way the forums work, most serious users won't be aware of it.

So flag it on the front page for a week or three.

"We're rethinking MODX security and ACLs. Have your say."


Yes, it'll be a little embarrassing. You'll tell the world that MODX isn't perfect. But your potential users mostly know that anyway. On the plus side, you'll get more feedback from serious CMS users, and you might get the bright idea that helps to solve the problem in the best possible way. And whatever happens, you'll be sending the signal you should want to send, and which I think is what you guys are about, which is:

"We're building the world's best CMS, we have the smarts and the heart to do it, and we'll go through and embarrassment and discomfort and tough feedback and hard thinking in order to get there." [ed. note: shorewalker last edited this post 12 years, 2 months ago.]

Quote from: crunch at Jan 29, 2012, 10:51 AM

Just looking at the huge list of permissions settings it seems they could be more easily handled by categorising and grouping, so thats what I have done. And to avoid having to go these settings one by one, I've allowed turning on and off sets. We start by giving blanket access for different categories of permissions eg 'Use Chunks' - which will allow you to view/create/delete/update/save chunks, but if we want, we can also refine these settings - its just a click deeper.
Hopefully, this makes it easier to establish broad patterns of permissions, but retain the granularity.

I've had a stab at implementing something like this into the ACL panel, see attachment for an actual WIP (the work so far is on git).

It doesn't have the group-level enabling/disabling yet, nor is the categorization done (only did a few quick ones) and I'm not planning on doing tabs - I think the grouped view is great as-is, and keeps everything on one screen.

Also didn't label / translate the groups yet, just imagine that when it would be done it'd have "System" instead of "group.system" and stuff like that.
[ed. note: markh last edited this post 12 years, 2 months ago.]

Quote from: shorewalker at Feb 02, 2012, 10:39 AM

Can I suggest to the MODX that this forum thread is one of the most important things going on in MODX right now - and because of the way the forums work, most serious users won't be aware of it.

So flag it on the front page for a week or three.

"We're rethinking MODX security and ACLs. Have your say."

Second the motion.

Quote from: bridgecourt at Feb 01, 2012, 06:50 PM

This is no longer something for the back burner. It needs to be addressed ASAP by the MODX team (thanks for listening and doing all you can to make this a great CMS!).

I will spare you the frustration I have right now but just say that it makes the most sense to me to have the majority of case uses as the default and then provide other methods for the more granular (it's the other way around right now). And super admin should definitely have full rights as default.

Once again, second the motion!! Thank you, Tom

Quote from: markh at Feb 02, 2012, 07:57 PM

I've had a stab at implementing something like this into the ACL panel, see attachment for an actual WIP (the work so far is on git).

It doesn't have the group-level enabling/disabling yet...

Looks great, makes good sense, once you configure group-level enable/disable that would be good.
Each policy could then be presented this way and people would then better learn permissions etc.
Thank you, Tom [ed. note: TomMLS last edited this post 12 years, 2 months ago.]

So here's my take on how the wizard might work. I've attached a pdf of wireframes.

I'm running with ideas picked from this thread that people seem to agree on such as:
- a few pre-defined roles within the manager
- that one user group is tied to having one role (for simplicity's sake)
- that we are not dealing with contexts other than mgr and web (or 'all' contexts)

However, I'm with Mark and others in not linking user group and resource group together.

Feedback and suggestions are welcome, of course!

Good stuffs around!

Just beware of contexts.
Revo allows us to have more than Manager and Web contexts.
Revo surpasses the Evo 's limitation to this kind of permissions.
IIMW, revo is intended to break the Manager and Web barriers.

Who said that user could not create/edit/delete any resources/elements/users, change settings, from front-end?
Revo allows the permission to do so.

What is Front-end or Back-end in MODX Revolution?
We can delete the Manager folder, and change the Administrator's side to the "front-end".
Although we are being attached forcely to the current Manager's script into the core, but that doesn't mean that we can not only use the core/ as our framework to build a new administration system.

That was the original roadmap of the beginning of the Revolution.
(At least, I believe so.)

Just throw another coin. [ed. note: goldsky last edited this post 12 years, 2 months ago.]

Working with Access Policies is confusing for a number of reasons. Access Policies are based on Policy Templates, which in turn are based on five Template Groups. They are Admin, Resource, Element, Object and Media Source. When setting User Group Access Policies, selectable Policies are restricted to those based on Admin + Object (Context Access), Resource + Object (Resource Group Access), Element + Object (Element Category Access) and Media Source (Media Sources Access) Template Groups. How these Policies interact is somewhat of a mystery. Admin Policies contain a lot of Permissions that refer to working with Resources, Elements, Objects and Media Sources. Object Policies only contain generic Permissions which will make them inevitably overlap with any specific Policy. So what happens when Policies conflict? What hierarchy is applied?

Trying to unravel the mysteries of the ACL system, I'm beginning to understand why I and so many others are struggling to get a grip. Why doesn't MODX use the basic separation of Admin, Resource, Element, Object and Media Source as a guideline for everything that happens with security? And use it in a consistent and transparent way? It would reduce conflicts and allow for tying Policies to MODX elements in a more logical way.


Reorganising Permissions and Policies


First, the separation between Admin, Resource, Element, Object and Media Source should be consistent on the most profound level.

1. The Manager Context (mgr) should be treated as a distinct entity, separate from any other Context. This will allow us to separate Permissions applying to the Manager from those applying to something else.
2. Permissions in the Admin Template Group that apply to anything else but access to the Manager or any of the Top Menu items should be moved to another, appropriate Template Group.

Once this is done, the separation needs to be reflected in the UI by reorganising the Access tabs in the User Group settings.

3. Add a Manager Access tab. This will contain the Admin Policies. These will only apply to the Manager Context and not to any of the other Contexts.
4. On each Access tab there should be a single mandatory Generic Policy and any number of Specific Policies. Specific Policies will always overrule Generic Policies in case of a conflict. This should clarify the hierarchy between Policies.
5. When setting a Specific Policy, it should be possible to make it apply to 'Any Context', meaning any Context visible in the Resource Tree, not the Manager. This should prevent an excessive amount of Policies in a setup using many Contexts. (It might even be preferable to have Access rules applying to a specific Context, overrule conflicting rules applying to All Contexts.)

Now we can further organise and streamline the UI to support the above changes.

6. Policy Templates are based on Template Groups. Currently all preset Policy Templates have all available Permissions activated. That more or less implies Policy Templates are obsolete. Let's say we remove them and base Access Policies on Template Groups instead.
7. To simplify creating Access Policies we need to group the lists of Permissions. The jsfiddle document of crunch is a good example of how this could be done.
8. To make Permissions sort in a logical and consistent way and make them more readable, they should be given a title reflecting their action and the element they apply to.
9a. Some Permissions are obsolete. For instance: what use is it to restrict a User from logging out?
9b. Some Permissions are redundant. For instance: what does a Permission like 'Save' add on top of 'Edit'? I know sometimes it's possible to edit settings without saving them, but the basic principle is the same: you adjust a setting. Distinguishing between the two merely adds confusion, not more control.
9c. Some Permissions could (or should) be added. In the jsfiddle document of crunch there's some suggestions.


Some additional thoughts


I've suggested to include a mandatory Generic Policy for each Acces tab in the User Group settings. This assumes Object Permissions and generic Permissions specific to the Manager, Resources, Elements or Media Sources could be combined to form a single Policy. This may not be the case, I'm not sure how they relate to each other. Essential is that you could set a single, simple rule to cover all (unexpected) situations and divert from that rule with more specific ones.

When setting User Group options, it may be possible and desirable to combine the Context Acces tab with the Resource Group Access tabs. In fact, I sometimes wonder if it would make sense to restrict access to Contexts using Resource Groups, but that might lead to technical or logical problems.

Finally I'd like to say that everytime I try to bend my head around this problem, I get more convinced that a separation between the Manager and the other Contexts (at least in the UI) is essential to setting things straight.