CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: ACL catch-alls and acl by exclusion ?  (Read 2822 times)

ehanuise

  • I post occasionally
  • **
  • Posts: 85
  • Karma: 2
  • CiviCRM version: 4.1.3
  • CMS version: Drupal 7.17
  • MySQL version: 5.1.49-3
  • PHP version: 5.3.3-7+squeeze3
ACL catch-alls and acl by exclusion ?
September 12, 2011, 08:19:27 am
Hi.
I have a request from my users that seems simple, but I don't see an easy way to do it :

We have a test civicrm install for evaluation purposes. Only staff users can log in to the crm, and all authenticated users can view/edit all contacts and view/edit/create all groups at the moment.

Now I got a request to make some contacts private to the management team : all contacts in a group or with a certain tag should be viewable and editable only by a select few users.

I read the ACL docs and the ACL demystified blog post, but I must have missed something :
If I understood well, I have to
- create a group to store the privileged users (priv_management_admins)
- create a group to store the contacts to be made private (priv_management)
- create an acl role (priv_management_admins_acl)
- assign it permission to edit the contacts from priv_management.
(I did not find a way to use a drupal role for fine-grained permissions)

But if I do this, any user can still edit the groups priv_management and priv_management_admins.
If I remove the 'edit all groups' permission from all users in drupal, two problems arise :
- I have to recreate an acl set for each existing group in the system (it could be hundreds in the long run)
- users can no longer freely create and manage groups, this does now systematically require an admin's intervention
- any users allowed to create groups can edit and override ACL groups
- I found no way to define an acl targeting an exclusion (like !='priv_management'), so each time they create a new group, acl's must be modified by an admin to include it

If I then need to add a private custom field or fieldset to all contacts, it gets even worse...

So, did I misread the documents, or missed an important point somewhere, or is it impossible to use ACLs for a specific group and still let all users create/manage all other groups (acl by exclusion) ?

Also, as drupal roles are not used, users will have to be manually added to groups. We use ldap for drupal authentication and roles mapping, did I miss an option to auto-add drupal users to civicrm acl groups ?

We use drupal 6 + civicrm 3.3.1, if these features are not possible in 3.3.1, are they present in 7.x/4.x ?

(We're still trying to convince the management and IT staff here that civicrm is a good idea, but it's an uphill battle. Any help or pointers are welcome! )

xavier

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4453
  • Karma: 161
    • Tech To The People
  • CiviCRM version: yes probably
  • CMS version: drupal
Re: ACL catch-alls and acl by exclusion ?
September 12, 2011, 08:47:04 am
Hi,

Like almost all ACLs, that's an inclusive/whitelisting approach (eg you always grant an extra right, never remove an existing one). I remember a very long and very mathematical explanation about why it was the only sane way ;)

What you can do is add a custom module with a hook that adds a validation so you reject any request from a non-admin user that tries to add to one of the "_admin" groups. Not super complicated, but not out of the box either.

I seem to remember having read about a module to synchronise a drupal role to a civi group, but not 100% sure. Try searching if something comes up.

X+

P.S. No matter what, you should update your civi, either to the latest version on D6 or migrate to D7 (if you don't have too many custom modules, that's probably the best option)
-Hackathon and data journalism about the European parliament 24-26 jan. Watch out the result
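
The validation hook suggested in the post above could look like the following sketch, which is an added example and not code from the thread, from hrd.module or from CiviCRM itself. The module name `securegroups`, the permission name and the group IDs are hypothetical. It assumes the installed CiviCRM version fires `hook_civicrm_pre` for `GroupContact` and `Group` objects.

```php
<?php
// securegroups.module: hypothetical Drupal 7 module (added example).
// Assumption: comma-separated IDs of the CiviCRM groups that back ACLs,
// e.g. the thread's priv_management and priv_management_admins.
// 12 and 13 are placeholders.
define('SECUREGROUPS_RESTRICTED_IDS', '12,13');
define('SECUREGROUPS_PERM', 'manage restricted civicrm groups');

/**
 * Implements hook_permission(). On Drupal 6, use hook_perm() and return
 * array(SECUREGROUPS_PERM) instead.
 */
function securegroups_permission() {
  return array(
    SECUREGROUPS_PERM => array('title' => t('Manage restricted CiviCRM groups')),
  );
}

/**
 * Decides whether a write must be refused. Kept free of CiviCRM and Drupal
 * calls so the rule itself can be unit-tested.
 */
function securegroups_is_denied($op, $objectName, $groupId, array $restricted, $privileged) {
  if ($privileged) {
    return FALSE;
  }
  // Membership changes and changes to the group record are both guarded.
  $guarded = array(
    'GroupContact' => array('create', 'edit', 'delete'),
    'Group' => array('edit', 'delete'),
  );
  if (!isset($guarded[$objectName]) || !in_array($op, $guarded[$objectName], TRUE)) {
    return FALSE;
  }
  return in_array((int) $groupId, $restricted, TRUE);
}

/**
 * Implements hook_civicrm_pre(). For GroupContact, $id is the group ID and
 * $params the contact IDs; for Group, $id is the group being changed.
 */
function securegroups_civicrm_pre($op, $objectName, $id, &$params) {
  $restricted = array_map('intval', explode(',', SECUREGROUPS_RESTRICTED_IDS));
  if (!securegroups_is_denied($op, $objectName, $id, $restricted, user_access(SECUREGROUPS_PERM))) {
    return;
  }
  // Record the refused attempt so it shows up in the Drupal log.
  watchdog('securegroups', 'Denied @op on @obj for restricted group @gid (uid @uid)', array(
    '@op' => $op, '@obj' => $objectName, '@gid' => $id, '@uid' => $GLOBALS['user']->uid,
  ), WATCHDOG_WARNING);
  // Assumption: aborting the request with an exception is acceptable here.
  throw new Exception('You are not allowed to change this group.');
}
```

The hook gates writes only; who may view or edit the contacts in the group is still decided by the ACL itself, and every other group stays freely manageable by regular users.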

Donald Lobo

  • Administrator
  • I’m (like) Lobo ;)
  • *****
  • Posts: 15963
  • Karma: 470
    • CiviCRM site
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: ACL catch-alls and acl by exclusion ?
September 12, 2011, 09:25:55 am

check:

http://svn.civicrm.org/hrd/trunk/drupal/hrd.module

basically only people with the drupal permission: "access secure contacts" can access that specific group

lobo
A new CiviCRM Q&A resource needs YOUR help to get started. Visit our StackExchange proposed site, sign up and vote on 5 questions

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 12:56:51 am
Too bad  :'(
We can't really ask for a developer while at the evaluation stage.

I'll re-evaluate the whole project, maybe we picked the wrong product.

xavier

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 01:07:35 am
Hi,

Let us know if you find something better suited, but I'd suggest to focus first on the features, knowing there is a solution for your specific acl needs.

X+

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 01:11:49 am
Thanks for the help.
Don't get me wrong, civicrm is a very nice and capable product.
However, it's already an uphill battle to propose an opensource product. If this requires custom development, specific resources for functionalities that are present out of the box in other products, it's hard to sell internally.
(I'm sure there are good technical reasons and all, but put yourself in the manager's shoes for a minute : "what, it's either everyone has access to everything or people cannot create new groups without the IT team ? You're kidding, right ?")

xavier

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 04:14:10 am
Assuming the competing closed source products aren't free:
- I'd review the spec, see what is on both sides and what is missing on both sides
- compare the associated cost of adding them (not even sure that's an option to add it on a closed source product, no matter the price),
- add the licenses/other maintenance cost for the closed source product

In my experience, that's a mistake to assume open source is free. Some of the cost you have paying the licenses for a closed source product you will pay for custom development or adding new features.

For what I've seen, it often ends up being (much) cheaper using an open source product and with better fit solution, but it won't end up being free, neither open source nor closed source.

X+

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 04:22:18 am
It's not a price problem. I've been using open source products for years and know very well using open source products for price reasons ends in a dead end most of the time.

It really is a features set problem : why would management, used to pay for software with the belief that they will have great support (no matter how actual support might fall short of that promise), accept to use free but unsupported software ? Well, only if it provides equal or superior features and does not require lots of support.
So when at evaluation time it turns out that not support but development is required to get what is perceived as basic features...

Again, no hard feelings here, just a reality check. This is presented as 'enterprise level' CRM, so features such as fine grained permissions are to be expected.

Furthermore, for such sensitive software, setting and managing permissions must be obviously easy to do otherwise you have the constant risk of accidental exposure of data you thought was protected.
Requiring lots of permissions micromanagement as the system is used multiplies that risk above acceptable levels.
« Last Edit: September 13, 2011, 04:24:07 am by ehanuise »

xavier

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 05:34:03 am
Quote from: ehanuise on September 13, 2011, 04:22:18 am

It really is a features set problem : why would management, used to pay for software with the belief that they will have great support (no matter how actual support might fall short of that promise), accept to use free but unsupported software ?

Well, only if it provides equal or superior features and does not require lots of support.


Why would you want to go unsupported? Check out the list of professional providers, got quite a few that can support it. Added benefit: if the support falls short of the promise, you can switch to another provider.

Might be me that doesn't understand the distinction you make between support for closed and open source?

Also, not quite sure what distinction you make between support and development. Say you go with SAP, your "support" provider/integrator will develop custom functions for you, as part of the support.

As for the features, the latest reports I've read said Civi is competing very favourably, I'm genuinely curious to see what competition you'll find better suited.

Quote from: ehanuise on September 13, 2011, 04:22:18 am

Again, no hard feelings here, just a reality check. This is presented as 'enterprise level' CRM, so features such as fine grained permissions are to be expected.


No hard feeling on my side either, and we like that kind of feedback, hence all the questions ;)

Quote from: ehanuise on September 13, 2011, 04:22:18 am

Furthermore, for such sensitive software, setting and managing permissions must be obviously easy to do otherwise you have the constant risk of accidental exposure of data you thought was protected.
Requiring lots of permissions micromanagement as the system is used multiplies that risk above acceptable levels.

My experience is that it's easier to have an extensible system that allows you easily to customise to do what you want than a one size fits all with a bazillion of options, especially for security. And things like who can put whom in which group based on their permission (and the type, how old is the record, how many modifications, the phase of the mood...) is something that every organisation seems to have a very different idea and different rules.

Well, at least I find it much more secure to have one custom module that will check based on my specific rules if the user can or can't add the contact to the group in a few lines of code than being faced with an interface that contains every single option to cover every single need. So Civi is made so you can put the permissions and complex rules you want, offers an UI to cover the common needs, and a clear system to extend it via the hooks to cover the rest.

This being said, I think that's a quite common need to be able to request a different permission to add a contact to a "ACL group" than to add to a normal group. If this can be made generic enough, could be contributed back to the core, and it doesn't sound like a complex/expensive one to code.

X+

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 06:01:49 am
Yup, using generic groups for acl's is a big duh!

Regarding the evaluation thing, I'll state it otherwise so you might better understand the situation :

client : I want a central contacts database for the whole enterprise, we'll ask our IT to develop one using their usual tools
me : it'll be a very big development, why not first assess existing tools ? That kind of tool is called a CRM, and there are several on the market.
client : ok but you get no budget, limited time, and if this doesn't work from the get go we'll scratch that test and develop one internally

So after a short assessment, civicrm looked like a good solution because it's based on drupal (and we have some drupal expertise), because it's made for nonprofits, and because it's presented as industrial-strength.
I set up a test site, and we have a group of staffers assessing the tool.

So there's very little wiggle room here, small obstacles like this permissions management thing can very quickly turn into an either/or problem.

Requiring custom development at this stage simply is out of the scope.
« Last Edit: September 13, 2011, 06:05:50 am by ehanuise »

xavier

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 06:52:37 am
Quote from: ehanuise on September 13, 2011, 06:01:49 am
Yup, using generic groups for acl's is a big duh!

Not sure I'm a big fan either, but it has advantages too.

As for the evaluation, I don't understand why you can't evaluate at all because one user could add a user to a group she wasn't allowed to. ie. that's mandatory to know it can be blocked later, but it's pretty much irrelevant for user acceptance and feature, isn't it?

If I understand you, the alternative is between a system that is used and tested by 5000 org at least, that has 10000th of man/months of development already and that needs a few more hours and developing and testing everything from scratch?

btw, there are probably at least 20 persons working full time on CiviCRM, meaning that there will be quite a few more features added to Civi than a custom development, and likely some could benefit.

Donald Lobo

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 07:21:17 am

Am curious as to which products give you fine grained permission control at the contact level. Links to the documentation for such products would be great.

In general when u evaluate products, u evaluate the areas where there is an exact match between the product and your needs, and see how it fits there. If there is a good fit, you move onto the next stage etc.

Trying to match ALL your needs without any customization is an exercise in futility for you and us

lobo

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 07:40:58 am
Quote from: xavier on September 13, 2011, 06:52:37 am
As for the evaluation, I don't understand why you can't evaluate at all because one user could add a user to a group she wasn't allowed to. ie. that's mandatory to know it can be blocked later, but it's pretty much irrelevant for user acceptance and feature, isn't it?
This amounts to show people something that partially works, and telling them 'it will work better than that when we'll use it, trust me'. This is very bad in terms of trust and user acceptance.

ehanuise

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 07:46:11 am
Quote from: xavier on September 13, 2011, 06:52:37 am
If I understand you, the alternative is between a system that is used and tested by 5000 org at least, that has 10000th of man/months of development already and that needs a few more hours and developing and testing everything from scratch?
If I was to put it in these terms to management, the immediate reply would be
"what ? it took them so long and it doesn't even have a flexible user access control that does not require further development ?"

Of course it's an unfair argument, but then it does still hold some water.

Donald Lobo

Re: ACL catch-alls and acl by exclusion ?
September 13, 2011, 07:46:49 am
Quote from: ehanuise on September 13, 2011, 07:40:58 am
This amounts to show people something that partially works, and telling them 'it will work better than that when we'll use it, trust me'. This is very bad in terms of trust and user acceptance.

It's an EVALUATION, not end-user training or acceptance testing. You are checking for how close a match things are etc ..

maybe might make sense for you to find something that is better suited for your needs. Would be great if you can report back and let us know what it was so we can potentially learn and improve civi

good luck

lobo


This forum was archived on 2017-11-26.