en:documentation:fd_acls [2017/10/31 10:32]
127.0.0.1 external edit
en:documentation:fd_acls [2018/03/22 15:27] (current)
Côme Chilliet
Line 1: Line 1:
-=====FusionDirectory ​Acls=====+===== FusionDirectory ​ACLs =====
  
-FusionDirectory ​1.0 comes with a completely new ACL handling, which is much more flexible but complex too. Here is a small instruction about how the ACLs work and how they should be used. +**:!: FusionDirectory ACLs are not LDAP ACLs **
  
-  ​[[en:​documentation:​fd_acls:​fd_acls_introduction|Introduction to ACLs]] +FusionDirectory ACLs can be used to give rights on FusionDirectory content to other users than the admin. They can be used to allow users to edit their own information for instance, or to allow a project manager to edit the users from his team. 
-  * [[en:​documentation:​fd_acls:​fd_acls_create_assigne_role|How ​to create and assign ​the ACLs]] + 
-  [[en:​documentation:​fd_acls:​fd_acls_use_role|How use a role in ACLs]]+To give rights to users, the first step is to define an ACL role which will list the permissions you want to give.\\ 
 +The second step is to assign this role to the users concerned, on the base you want to give rights on. 
 + 
 +To help you get started, FusionDirectory setup can insert default ACL roles for you. Appart from the admin one (giving read/write access to everything),​ there is: 
 +  ​manager: this role gives full read/write access on users main and POSIX tabs 
 +  * editowninfos:​ this role gives full read/write access on the user’s own main and POSIX tabs 
 +  * editownpwd: this role only gives access to the user’s own password so that he can change it 
 + 
 +==== Assign a role to a user for a given base ==== 
 + 
 +So, let’s say you want to give all rights on users from the branch **ou=accounting,​dc=example,​dc=com** to the user **John Smith**.\\ 
 +Start by going to the **Departments** page by clicking it in the left menu.\\ 
 +Then open the department named accounting and go to the **ACL Assignments** tab. 
 + 
 +{{:en:​documentation:​fd_acls:​acls-department-tab.png}} 
 + 
 +  ​- Click **Add** (under ACL assignment field) 
 +  - Select role manager 
 +  - Select mode subtree 
 +  - Click **Add** (under members field) and select John Smith in the dialog 
 +  - Click **Add** (bottom right) 
 +  - Click **Ok** 
 + 
 +{{:​en:​documentation:​fd_acls:​acls-department-assignment.png}} 
 + 
 +It’s done. You can now see that this assignment shows up in ACL assignments,​ which allows you to manage existing assignments and modify them. 
 + 
 +{{:​en:​documentation:​fd_acls:​acls-assignments.png}} 
 + 
 +==== Give rights to users on their own information ==== 
 + 
 +Now let’s say you want all users to be able to edit their profile.\\ 
 +Go into **ACL assignments** and click on " . [ACL Assignment]"​ which allows to manage assignments on the LDAP root.\\ 
 + 
 +Click on **Add** and configure a new assignment giving editowninfos role to all users: 
 +{{:en:​documentation:​fd_acls:​acls-assignment-owninfos.png}} 
 + 
 +Add it, save it, and this is it!\\ 
 +If you log as a normal user, you should be able to edit your information through the **My Account** menu. 
 + 
 +Of course if you want to give this right only to some user you can do the assignment on a department, or you can select users and groups as members of the assignment. 
 + 
 +==== Create your own ACL role ==== 
 + 
 +Now let’s get more into the details of which kind of permission an ACL role can give. 
 +Go to ACL roles and create ​a new one. 
 +{{:​en:​documentation:​fd_acls:​acls-new-role.png}} 
 + 
 +Fill name and description as you see fit.\\ 
 +Click **Add** to add some ACL rights in this role, you will see a screen listing ​the ACL categories: 
 +{{:​en:​documentation:​fd_acls:​acls-categories.png}} 
 + 
 +Most categories should match an object type, some may match several or a whole plugin instead.\\ 
 +Let’s edit rights on **Users** category for instance, you should see a "​Object:​ User" part first which manage rights on user main tab. 
 +Giving **Create** right on this part will give the right to create users. For read/write, you can give global rights on the whole tab or you can expand the advanced settings and control read/write rights field by field: 
 +{{:en:​documentation:​fd_acls:​acls-object-user.png}} 
 + 
 +Then you have part for each user tab depending on your installed plugins. The **Create** right on a tab allows to activate it while the **Remove** one allows to deactivate.\\ 
 +The **Grant permission to owner** checkbox allows to give rights only on the user’s own node as in the editowninfos ​role we used earlier. 
 + 
 +==== Special cases ==== 
 + 
 +=== Template === 
 + 
 +The template part is available for objects which support templates and allow to give rights on templates, and control rights on the template_cn field. 
 + 
 +To be able to create a user using a template, the connected user needs: 
 +  * Read right of user/​template:​template_cn on the template object (or any parent department) 
 +  * Create right of user/user on the base the user is created ​in (or any parent department) 
 +  * Write right of the fields required by the templates on the base the user is created in (or any parent department) 
 + 
 +=== Snapshot === 
 + 
 +Starting from FD 1.3, there is a Snapshot part for objects which supports snapshots. 
 +  * Create right means the user will be able to take new snapshots 
 +  * Delete right means he will be able to delete existing snapshots 
 +  * Write right on restore_over field means he will be able to restore snapshots of an existing object 
 +  * Write right on restore_deleted field means he will be able to restore snapshots of deleted objects 
 + 
 +==== Assignment mode ==== 
 + 
 +ACL assignment mode defines the scope of the ACL.  
 +Following modes are available:​ 
 +  * **Subtree** \\ The ACL will be valid for all sub departments. In other words, if this ACL is assigned to the LDAP base, it will be active on the complete LDAP directory. 
 +  * **Base only** \\ Assigns the set of ACLs to one single object. This may be useful in rare cases. (Note that you can activate the ACL assignment tab for all object in the configuration screen. You can also create assignments on arbitrary DNs from the ACL assignments page. Use with care.) 
 + 
 +==== Assignment members ==== 
 + 
 +When creating/​editing an ACL assignment, members may be users, groups, POSIX groups or roles.
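Review bot: in the default-roles list under "To help you get started", the first item (manager) lacks the "*" bullet that editowninfos and editownpwd have, and "Appart" should be "Apart"; make the three roles a consistent bulleted list. A few wording fixes in the same hunk would help readers: "which allows to manage existing assignments" reads better as "which lets you manage existing assignments", "If you log as a normal user" should be "If you log in as a normal user", and the trailing "\\" at the end of the "[ACL Assignment]" line, followed by a blank line, renders a stray line break. On the substance, the "Subtree" and "Base only" descriptions carry the security point of the page and could state it more directly near the examples: a subtree assignment made on the LDAP root ("." on the ACL assignments page) applies to every object in the directory, so the root-level editowninfos example depends on the role's "Grant permission to owner" setting to keep each user limited to their own entry; saying so next to that example would prevent readers from assigning a role such as manager at the root by analogy. The "Use with care" remark on creating assignments on arbitrary DNs would also benefit from a sentence explaining what the care is about.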
en/documentation/fd_acls.txt · Last modified: 2018/03/22 15:27 by Côme Chilliet
CC Attribution-Share Alike 4.0 International