Permissions - Limiting element access w/categories

So I've back stepped (after doing it wrong) and am following the guide for limiting access to resources in the manager from Bob's book. I decided to do this instead of work on a CMP because I need to understand permissions and ACL's better anyway.

But I've hit a bump with the category method of hiding elements. I'm not understanding these points:

1- Move all TV's, snippets, and chunks into an Admin only category. One by one... ummm... seriously? Every TV, chunk, and snippet that I've got in a multitude of categories already must be placed in this new AdminOnly category jumbled up together?

What use is that for when I need to access them? I'll never find what I'm looking for. Plus, what a PITA to have to a) move every single element one by one, and b) now I've got to remember to move every new TV, chunk, and snippet into that category when I create them so that one or two users don't have access. This doesn't seem effective to me, nor sensible when it comes to keeping all these elements separated in categories of their own. Plus, if I install a new package, then I have to remember to move all the elements into the AdminOnly category? (insert frustrated and confused frog here...)

2- Every new resource has to be protected now by placing it into the resource group of Editors, correct? If I don't do this systematically as I create new resources, should I grant access to another user for any specific section or page, the resources I don't want them to access could be available. What if a user creates a resource and doesn't associate it with the Administrators (allDocs from the book - renamed) resource group? Hunting down all the resources that aren't in the the Admin resource group isn't going to be fun.

???

I'm sure I'm missing something obvious. Or, this is a case where a custom manager would be a better option and I should focus on that instead.

I've stopped, book open waiting for clarification because I really do not want to move hundreds of objects into one category today. Or ever...

The book's advice is somewhat oversimplified and that technique makes more sense for resources (which can be in more than one Resource Group) than elements. First, you only have to move elements you want to hide into the AdminOnly Category.

Second, if you don't want to give up the elements' current categories (and who would), you can leave put them in whatever collection of categories you like and then create a new Category Access ACL entry for each category. That's probably what the book should advise.

There's really no way around it that I know of, because elements are unprotected unless they are in an Element category that's connected to some User Group with an Element Category Access ACL entry.

As you probably know, you can also hide the entire Element tree just by unchecking the element_tree permission in the appropriate Policy.

You can install the DefaultResourceGroup plugin to automatically put all new resources in the AllDocs (or whatever) Resource Group when they are created.

I've thought of creating a DefaultCategory plugin to do the same thing for elements, but as you say, who'd want all of their Elements in one category on a big site.


------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using.
MODX info for everyone: http://bobsguides.com/modx.html