Question about assigning permissions to an entire hierarchy

[ism...@gmail.com]

Good morning, we have permissions on specific archival descriptions assigned to some users. These users can edit these descriptions although they do not have permission to do the same with their "child" descriptions. Would it be necessary to give permits to each of your children?

The number of them is quite high and it would be very laborious. I hope you can help me, thanks and greetings.

[Dan Gillean]

Hi Isabel, 

Can you give us a bit more information? For example:

• What is the full version number of your AtoM installation, as shown in Admin > Settings?
• Are you using the Bootstrap 2 or Bootstrap 5 templates currently?
• Are these users members of a group? Or have you assigned permissions to the individual user accounts?
• If they are members of a group, is it one of the default groups (to which you have added some per description customizations), or is it a custom group? i.e. in general, please tell us more about how the current permissions are configured
• Have you altered any of the security.yml configuration files to extend permissions for any of the groups, as described in the docs here? If yes, which and how?
• Anything else that you think will help me recreate this issue locally?

It has been a while since I have thoroughly tested the permissions module, but my recollection was that it is supposed to inherit permissions for lower-level descendants. That said, as you know AtoM's permissions module is quite old and very much in need of an overhaul as there are a number of known issues. Hopefully we can sort this out or find a workaround, because I suspect that adding all the lower-level description permissions manually also would not scale well, even if you wanted to do all that tedious work! 

When I have a bit more information, I will see if I can reproduce the issue and find an answer for you. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

he / him

On Fri, Aug 4, 2023 at 6:54 AM ism...@gmail.com <ism...@gmail.com> wrote:

Good morning, we have permissions on specific archival descriptions assigned to some users. These users can edit these descriptions although they do not have permission to do the same with their "child" descriptions. Would it be necessary to give permits to each of your children?

The number of them is quite high and it would be very laborious. I hope you can help me, thanks and greetings.

--
You received this message because you are subscribed to the Google Groups "AtoM Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ica-atom-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/12066347-1a71-4d66-95a0-f77a7452a879n%40googlegroups.com.

[Portales Municipales]

Good morning Dan, I answer the questions you ask me:

• The AtoM version is 2.6.1. - 184
• Uses the default version of Bootstrap, version 2
• Users do not belong to groups, they are authenticated users with specific permissions on some funds. I have also tried to assign them any of the existing groups as editor, contributor or publisher without success. Only the administrator can edit the descendants of the funds assigned to him.
• The authenticated user has permissions on a particular fund. For example, http://archivo.dipusevilla.es/index.php/seccion-de-pergaminos but it cannot manage descendant descriptions such as http://archivo.dipusevilla.es/index.php/hospital-de-las-cinco -llagas-pargaminos and their descendants: http://archivo.dipusevilla.es/index.php/escritura-de-venta-de-tribute-y-censo-perpetuo.
• I have not modified any security.xml file

I don't see anything else to add, the permissions are simple. I hope you can help me, the truth is that I don't see the logic that it is necessary to assign permissions to all the descriptions either.
Thanks and regards.

[Dan Gillean]

Hi Isabel, 

I've run a couple tests now, and have not been able to reproduce the issue you report, unfortunately. I tested across two different instances - both are a bit later than yours (one was a development branch that would lead to the 2.7.0 release, though the internal schema was still at 2.6.0-192; the other was a stable 2.7.1-192 version), however, in reviewing the intervening release notes, I don't see any notable changes to the permissions module or to users/groups. 

In any case, using the data found in our demo site and this particular hierarchical description as the basis for my tests, here is how i configured the permissions for an authenticated user (test1) who was not part of any user groups: 

The "Passports and Travel Documents" series has both Files and Items nested beneath it. With the above configuration, I was able to edit that series and all of its descendants, but not any of the other records in the hierarchy, as I expected. This held up in both test instances. I haven't done it myself, but I suspect you could also recreate this experiment in our 2.7.3 public demo site. 

Does your site have any further customizations? Are you applying many different custom per-description rules to each user, or just a couple? How many users are getting these custom permissions? I'm trying to determine what might be the important differences between my test instances and your production site. Though I don't think it will necessarily help (since I didn't find any issue tickets directly related to permissions - though I could have missed some!), is upgrading to a more recent version soon an option?

As I believe you will know by now, AtoM's permissions module does have some known issues, and the way it handles inheritance-based permissions adds a lot of complexity and can produce some strange results. For further details on some of the known issues with the permissions module (including some links to some known bugs), see some of our previous responses on this topic in the forum, such as:

• https://groups.google.com/g/ica-atom-users/c/Vq4fv8Vkr1M/m/i_e8ogk1AwAJ
• https://groups.google.com/g/ica-atom-users/c/ot8ufFi-ZWY/m/0t2fPuBNAwAJ
• See also the second half of this post: https://groups.google.com/g/ica-atom-users/c/La3usWtSSns/m/SGeedxSFBAAJ

Sorry this is not much help, but perhaps with more information we can narrow down the cause. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

he / him

To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/d5e7a46c-a0b5-4ca7-81d2-09c4c5362a7fn%40googlegroups.com.

[ism...@gmail.com]

Good morning, I have set the permissions exactly like the ones you send me (although I think mine were fine too) and I still have the same problem. Indeed I can manage the description for which I give the permissions and all its descendant descriptions, but I cannot manage the final child without descendants, in my case it is a scanned page or PDF. For example in the following image:

YES I can manage " 23 - Sección de Pergaminos ", "23/01 Hospital de las Cinco Llagas, 1338-1797" but I can NOT manage any of its descendants that are individual scrolls without descendants. should this be so? greetings.

[Dan Gillean]

Hi Isabel, 

Based on my tests - no, it should not be so. 

But: I also could not reproduce the issue locally across two different test sites, which is what has led me to conclude initially that there is something in your local instance causing the issue. I don't know if this is an AtoM bug based on a variable we haven't accounted for, some local customization, a deployment issue, or a scalability / performance issue with how you are trying to use the permissions - this is why I asked a number of additional questions in my last email after showing my tests. 

If you can revisit those questions, maybe together we can figure out what is different and determine next steps. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

he / him

To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/55df82ab-a9df-49f0-a73c-7aaddb9240b9n%40googlegroups.com.

[Mohamed vall]

Hi again ,

I have a laptop dell with processeur Intel Core(TM) i7-4600U CPU @ 2.10GHz 2.70 GHz with RAM 12,0 Go  , I have already instaled in my laptop kaspersky , Bitnami , wampserver I mentioned this for help so what I want is to try atom archive on my laptop first because there is an Organization that have server Linux Debian they want to use atom an I would use it and try it before I proceed to their server . 

thanks again.

To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/CAC1FhZKqd2taKoKQEeRamMN_SYrar-1n81MvCUt9AWkKB6YA2g%40mail.gmail.com.

--

IT

[Mohamed vall]

This is the result for those two commands 

--

IT

[Dan Gillean]

Hi Mohamed, 

It will be much easier to help you if you continue to reply on the same user forum threads as previously, rather than replying to a new one. That way, all our conversations will be in one place instead of spread around, and it is easier for me to ask others to look and provide suggestions. Thanks in advance!

Some responses: 

I have a laptop dell with processeur Intel Core(TM) i7-4600U CPU @ 2.10GHz 2.70 GHz with RAM 12,0 Go, 

Okay, this should be fine to run the Vagrant box. Just remember to shut it down when done, as it may slow down other processes on your laptop when not in use otherwise. 

what I want is to try atom archive on my laptop first 

One suggestion: if you just want to try AtoM and we cannot easily resolve this issue via the user forum, then instead of trying to install something, you could try our free online demo site instead. See:

• https://demo.accesstomemory.org/

The login credentials are listed on the homepage. The demo site will automatically refresh every 2 hours, so you can freely add to, delete or change the sample data that is included, and try creating your own. Just remember all your changes will disappear periodically!

Also, uploads of all kinds are disabled for security purposes. Otherwise, you can try nearly everything you can do with AtoM in the demo site, with no installation needed!

there is an Organization that have server Linux Debian they want to use atom an I would use it and try it before I proceed to their server . 

It's always a good idea to test out a project to decide if it is right for your organization! 

However: please note that we do NOT maintain documentation for installing AtoM on Debian - we do all our testing and development on Linux Ubuntu LTS releases. 

This means that whoever installs AtoM for your organization will also face challenges that we will not be able to assist with. I know there are others in the community who have successfully installed AtoM on Debian -  you can see user forum posts tagged with the "Debian" label here - but there might be dependency incompatibilities and other issues that you will need to solve creatively. 

What I mean is: either you will need an experienced system administrator who has previously installed server-based software in Linux environments to install and maintain it for you, or else I STRONGLY recommend that your organization consider finding a hosting provider instead. Artefactual offers international hosting options, but there are also other providers out there. 

As for your screenshot: 

The Vagrant version is the latest version - it looks correct! 

As for the other command - it's possible that VBoxManage is not supported in the Windows command prompt. Are you able to open the VirtualBox user interface, go to Help > About Virtualbox... and see what version you have installed that way? You should ideally have VirtualBox 7.0 installed. 

Finally, as to your original issue encountering an error when trying to run vagrant up: 

After a bit of research, it seems that in some cases Kapersky or other antivirus programs can interfere with the download of the virtual machine. I would suggest that you try disabling Kapersky termporarily and try again. 

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056

@accesstomemory

he / him

To view this discussion on the web visit https://groups.google.com/d/msgid/ica-atom-users/CAA0%3D6udRE627f3Q9DEozLK%2BErxVOpWyVctSso4pDge2bQh20MA%40mail.gmail.com.