Users, members, authorization and authentication

[Markus Johansson]

Hi!

I've been meeting clients that looks at Umbraco but have concerns with it's way of handling editors and writers.

One common question is: Why do we separate users and members? Why isn't just "back office user" a role that we could assign to a member?

Another common issue I tend to meet is that you can't give one user access to more than just one node. Sometimes you want to give them access to multiple parts of the app without having to create different users for this.

I've also done some testing with the permissions-settings i V7 and it feels like that this part is not getting any TLC...? Is this a non prio-thing or so we have anything on the roadmap to meet these kind of demands?

// m

[Douglas Robar]

I'm sure there are technical reasons for differentiating between users and members but from a practical level I love that distinction. For instance, the umbraco.com site has a LOT of members, who have various rights based on their membership group(s). Very flexible. And typically you'd have a boat load of members. Users are people who log into the back office. Completely different and by comparison you'd have fewer in most scenarios. If you wanted to use Active Directory for users you might not want to use it for members. By separating you get the benefit of that separation... flexibility and specialization. 

It might be nice to have some way to make a member from an existing user, or vice versa but that's not a common need is it?

It's not difficult to give a single user access to multiple parts of the site. You just need to use the User > User Permissions section to set what's browsable and what is editable. Granted, this could be made easier (and having user groups would be awesome and is discussed at https://groups.google.com/forum/#!msg/umbraco-dev/g87G4_Kcv4I/2K9_nQJe7oQJ and elsewhere) but it's totally possible today and has been since at least v4. Even if it isn't entirely elegant I've found it adequate.

[Jason Prothero]

Your second point I totally agree with and with, like Doug said, that there were permissions by groups.

To the first point, I actually feel that its a benefit to have members and users separated.  For one, its a much more secure scenario as a member cannot be magically promoted (through something nefarious) to be able to edit content.  Also, like Doug said, we can apply Active Directory to the Users area and have something completely different like Oath for the members.  I feel like its actually a benefit to have both types of logins.  

Thanks,

Jason Prothero

[Shannon Deminick]

As far as the umbraco back office goes, it's been made in a way that the code should not interfere with a normal ASP.Net website. Therefore the users in the back office are governed by a back office membership provider which does not interfere with another membership provider that someone wants to use in their front-end. Authentication and authorization in v7 is done with Forms Authentication, but not based on the standard ASP.Net implementation because again we wouldn't want to muck around with how people would like to handle the default forms authentication in their site. Similarly in v6 authentication/authorization is done as a bespoke solution as to not interfere with how someone wants to setup their default forms authentication.

An upgrade to how back office permissions are handled/assigned are in the roadmap and has been discussed at length, though it is quite a large change and something that probably won't fit into the schedule until v8+. 

[Sebastiaan Janssen]

Did you email it Markus? Or did you go through the web interface. It doesn't appear in the spam list either.. If you mailed it, just copy from your sent items.

On Tue, Jun 24, 2014 at 2:38 PM, Markus Johansson <mar...@enkelmedia.se> wrote:

I posted a long answer here two days ago... seems like it did not appear?

--
You received this message because you are subscribed to the Google Groups "Umbraco development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to umbraco-dev...@googlegroups.com.
To post to this group, send email to umbra...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/umbraco-dev/7f03d377-1a65-4403-94c6-38f57735bc71%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Markus Johansson]

Hi everyone!

Thanks a lot for the feedback and your ideas. And to be honest, Douglas –I’ve never used the “Browse node”-setting but it seems to work. =)

One of the biggest show stopper for “bigger” clients here in Sweden is how Umbraco handles the users and members and its lack of groups for Users. They often compare Umbraco with the commercial EPI Server CMS so I’ve spent some time together with an EPI Server developer to get to know more about how they are handling this.

First, in EPI Server all “actors” on a webpage no matter if they are front end members or backend users (in Umbraco terms) are stored using either the SQL membership provider or the Active Directory provider. If a site needs both they have something called a “MultiplexMembershipProvider” that will use two different membership providers and fallback to provider2 if provider1 cannot serve the request. The right to logon to the backoffice and perform actions are determent based on which groups the user is a part of.

I’m not sayting that this is something we should do but it could have positive effects as it would require less redundant code for handling users and members separately. But anyway let’s focus on the thing that I feel is critical for Swedish enterprise companies to work more with Umbraco.

--- Add groups for back office users ---

--- Change the permissions-dialog  ---

In V7 the dialog was made even worse and “squeezed” into the slide out menu. Why not make this a third tab in the UI? Or at least make it a bigger view that floats of the whole page? And also get back to the design where we have the “Permissions” as columns and the different users (or user groups) in the rows.

V46: http://imgur.com/g7KPKDX 

V7: http://imgur.com/8cuvVXJ 

EPI: http://imgur.com/9WtWj7W

The default view should show permissions and groups but it would also be very useful to add permission settings for an individual user as well – much like how it works in windows.

--- Add  a permissions overview ---

Like this http://imgur.com/9WtWj7W

Where you can click in the tree an get an instant overview of the permission settings for this node. What are the default permissions for a each group and is there any special individual permissions in place?

 

On Monday, April 14, 2014 1:32:51 PM UTC+2, Markus Johansson wrote:

[Shannon Deminick]

We definitely would like to upgrade the permissions model + user groups, it's been discussed for well over a couple of years now. Unfortunately it is a fairly large task but should be scheduled on the road map at some stage!

You are aware of the permissions editor in the User Section right ? It is much easier to manage users' permission there instead of on a per node basis. But yes, the per node assignment permissions dialog needs an overhaul as well.

[Markus Johansson]

Thanks Shannon!

If probably boils down to the fact that user groups would be really useful =D

I have seen the User Permission-node in the Users-section and I do agree - its a lot easier!

// m

---

Från: umbra...@googlegroups.com [umbra...@googlegroups.com] för Shannon Deminick [sdem...@gmail.com]
Skickat: den 25 juni 2014 02:09
Till: umbra...@googlegroups.com
Ämne: Re: Users, members, authorization and authentication

We definitely would like to upgrade the permissions model + user groups, it's been discussed for well over a couple of years now. Unfortunately it is a fairly large task but should be scheduled on the road map at some stage!

You are aware of the permissions editor in the User Section right ? It is much easier to manage users' permission there instead of on a per node basis. But yes, the per node assignment permissions dialog needs an overhaul as well.

--
You received this message because you are subscribed to a topic in the Google Groups "Umbraco development" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/umbraco-dev/CbeA9ETAudc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to umbraco-dev...@googlegroups.com.

To post to this group, send email to umbra...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/umbraco-dev/544ca84c-10af-4cf1-933b-ec615c944380%40googlegroups.com.