I've thought about this a fair amount, and don't have any universal solution, but in the interest of fostering discussion, here are some ideas I've had:
1. In the UI, make a clearer separation between the process of controlling what actions users can perform and the process of hiding and showing resources and elements. Having these intermingled in the UI quadruples the complexity from a cognitive standpoint.
2. Make the admin Super User invincible. I don't think this would break any reasonable existing install. I don't think many sites intentionally restrict the rights of the Super User. The obvious question is whether to make *any* admin Super User invincible. That would create some issues about users with different roles in different groups and might break some existing sites, but my gut feeling is that it's a good idea, since you don't *have* to create extra admin Super Users if you don't want to.
3. In the UI, tie what actions users can perform in the Manager directly to roles, like in Evo. This makes intuitive sense to people, and the concept of authority levels really doesn't, because in the present system, whether a user can perform a specific action depends on a very complex interaction between roles, authority levels, user groups, resource groups, contexts, and potentially a whole raft of ACL entries and Form Customization rules.
Users could have one role for the manager in general and one role in each other user group they belong to. I think this is equivalent to the system we have now, but it would be much easier to understand if the permissions were tied directly to the role. We might lose the ability to control actions by context, but I think it would be worth the price, since few people understand how that works anyway.
As I envision it, this would mean doing away with resource and element policies (and their permissions) so there would only be one kind of policy -- that would simplify things immensely. The user's ability to perform actions on specific resources and elements would depend on their role in the group that had access to those objects.
4. Make all rules that pertain to contexts other than 'mgr', apply only in the front end. If there were a "hide_contexts_in_manager" permission with a list of contexts the user shouldn't see in the Manager, it would hide those contexts, which would be visible by default. The fact that a user needs an explicit Context Access ACL entry to see any resources in the 'web' context in the Manager is a huge stumbling block for many users, especially after we tell them that the 'web' context is the front end.
5. Hiding Resources - I would keep this largely as is (as it was in Evo). If resources groups are tied to user groups, the resources are protected from access by members of other groups. We wouldn't lose the ability to control what users can do with particular sets of resources, because users could have different roles in different groups.
6. Member pages - There has to be an easy way for users to do this. Creating a user group for each user, a resource group for each resource, and a separate ACL entry for each pair just isn't workable. I think the best way to do this without breaking anything is to enforce the tree_root_id user setting in all permission checks.
It might make sense to have a separate tree_root_id setting for the front end and the Manager. It might also make sense to put this setting in the user form, make it a right-click option in the tree, and/or provide a way to set it by clicking in the tree as with setting the parent.
----------------------------------------------------------------------------------------------------------------
The current system is immensely granular and powerful, but apparently unusable for an awful lot of users. Even when they understand it (and many don't), they don't have a lot of confidence in their abilities. It was our hope that with good enough documentation, people would come to understand the system, but I don't think the documentation can be improved much further and it clearly isn't working.
I don't have trouble with the permission system, though I often accomplish what I want with custom snippets and augment the system with custom plugins. That's not an option for the vast majority of users and potential users, though. Eventually, all CMSs have to face the issue of usability by non-technical users. Even when a web site is built by a tech-savvy user, it often is maintained by a secretary and the permissions system is a significant part of that maintenance when new users and new content are added. IMO, we're definitely going to have to do something to make the system easier to use and understand.
---------------------------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using . . . PLEASE!
MODx info for everyone:
http://bobsguides.com/MODx.html