CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017. Learn more.

Author Topic: Using Organic Groups for access control  (Read 3140 times)

mdavid

  • I post occasionally
  • **
  • Posts: 31
  • Karma: 0
  • CiviCRM version: 4.2
  • CMS version: Drupal 7.15
  • MySQL version: 5.1.63
  • PHP version: 5.2.17
Using Organic Groups for access control
August 23, 2012, 02:20:54 pm
I'm evaluating CiviCRM for a large project and seeking advice on controlling access by organization.

The use case is this:

The database contains about 40,000 individual contacts (Students) each of whom is related to one of 3,000 child organization contacts (Local Unit). Each local organization belongs to one of 15 parent organizations (Regional Unit). The individual (Student) contacts will have no login access.

Each Local organization has a Manager who is the only person (other than the Database Admin) who can login and add or edit the contacts in their organization. Managers cannot view, add, or edit contacts in other organizations.

An additional 42 individual contacts (Directors) have permission to login, search on, and pull reports about all individual (Student) contacts in the entire database. Directors have no editing permissions.

There is no need for separate web identities for each organization or OG. All Managers and Directors will login to the same site.

I'm thinking about using petednz' idea (posted at http://forum.civicrm.org/index.php/topic,22282.msg93416.html#msg93416) to use Organic Groups for access control for the 3,000 Managers and 42 Directors.

Can Organic Groups be used for Access Control only so that each OG contains only one member with a Drupal username (the Manager or the Director) and all the contacts entered by the Manager are stored only in CiviCRM and don't need to be Drupal users?

Any other factors I should consider?

Thanks!

petednz

  • Forum Godess / God
  • I’m (like) Lobo ;)
  • *****
  • Posts: 4899
  • Karma: 193
    • Fuzion
  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: Using Organic Groups for access control
August 23, 2012, 02:28:13 pm
Hmm - so you mean you would purely use the OG as the way of creating the CiviCRM Groups and ACLs.
I suspect others will point out this is a poor approach - though I like it ;-)
But to be honest I think the way to go would be via another route - though I don't recall seeing anyone suggesting how to create ACL groups simply.
Also it may be that an ACL 'group' is not the way to go either rather than an ACL hook on to whatever field it is that is helping you determine who should be in which group.
Sign up to StackExchange and get free expert advice: https://civicrm.org/blogs/colemanw/get-exclusive-access-free-expert-help

pete davis : www.fuzion.co.nz : connect + campaign + communicate

mdavid

Re: Using Organic Groups for access control
August 23, 2012, 02:38:24 pm
Thanks for the quick response! Yes, I was hoping using OG would be the simple answer to providing and limiting access to each local organization within the larger database.

Can you say more about why you think others may think it's a poor approach - or why you like it? I'm trying to evaluate the pros and cons of the options.

Thanks!

petednz

Re: Using Organic Groups for access control
August 23, 2012, 02:48:34 pm
Because if you aren't actually using OG for the purposes for which OG was made, then you are kind of mis-using it for an outcome which should probably be delivered more directly.
If the issue with ACL Group creation in civi is trickier, then some effort should be put in to improving it - and may already exist via the API Generator
pete davis : www.fuzion.co.nz : connect + campaign + communicate

mdavid

Re: Using Organic Groups for access control
August 23, 2012, 02:54:21 pm
Ah, I see your point. I'll look at other options for access control.

Thanks!

davem

  • I post occasionally
  • **
  • Posts: 60
  • Karma: 0
    • Circle Interactive
  • CiviCRM version: 3s and 4s
  • CMS version: D6, D7, J!, WP
Re: Using Organic Groups for access control
August 24, 2012, 03:54:01 am
I like this solution, and you can also do group->role sync so some of the permissioning can happen in Drupal which can be easier and less overhead than lots of ACLs. But then you'd have both to play with as well as some kind of private content structure for managers and directors. Bear in mind that OG on D7 is not so simple as it was on D6 but if all you need is the permissions, this is an easy way of managing who can do what for the administrator.

Jason W

  • I post frequently
  • ***
  • Posts: 197
  • Karma: 12
  • jason@civitrainingtutorials.com
  • CiviCRM version: 4.2
  • CMS version: Drupal 7
  • MySQL version: 5.x
  • PHP version: 5.x.x
Re: Using Organic Groups for access control
October 11, 2012, 10:41:54 am
Hello mdavid,

After mulling this over for a while, I think regular old CiviCRM groups would work better for you. For example:

3 Drupal groups:
Managers - No Contact based Permissions checked (except perhaps Import).
Directors - View all contacts checked, no other contact based Permissions.
Database Admin - All Permissions Checked.

You would set up one of your Local Units (including its manager) as a Child group of your Regional Unit group in CiviCRM. Then create an ACL that allows all operations for its own group. Since the manager is the only one in the group who can log in, by default he would be the only one who can edit Contacts in the group.

A director's group would need to be set up in CiviCRM, but since they can already view all contacts, they can Search for all contacts; therefore, no ACL needed here.

This eliminates the need for 3000 groups in Drupal, only requiring you to set permissions for 3 User groups.

Don't get me wrong, the OG idea is a good one, I just think this way would cause less hassle and hair loss.

Cheers!
Jason
civiTrainingTutorials
"Helping You Help Others"
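
A simplified model of the layout proposed in the post above (three roles plus one self-managing CiviCRM group per Local Unit), added here as an example and not part of the original post or CiviCRM's own code. The unit and contact names are constructed, and the rule that an ACL gives every logged-in member of a group all operations on that group is an assumption taken from the post's description; the check shows that isolation depends on the manager being the only group member with a login.

```python
from dataclasses import dataclass, field
from typing import Optional

# CMS-level permissions for the three roles listed in the post above.
ROLE_PERMS = {
    "manager": set(),  # no contact-based permissions
    "director": {"view all contacts"},
    "admin": {"view all contacts", "edit all contacts"},
}

@dataclass
class Contact:
    name: str
    groups: set = field(default_factory=set)  # CiviCRM group membership
    role: Optional[str] = None                # None means no login

def allowed(user, op, target, acls):
    """op is 'view' or 'edit'; acls maps a group to the groups its members may fully manage."""
    if user.role is None:
        return False  # contacts without a login can do nothing
    perms = ROLE_PERMS[user.role]
    if "edit all contacts" in perms or (op == "view" and "view all contacts" in perms):
        return True
    managed = set()
    for group in user.groups:
        managed |= acls.get(group, set())
    return bool(managed & target.groups)

def editors_of(unit, people, acls):
    """Names of every login that can edit at least one contact in `unit`."""
    members = [p for p in people if unit in p.groups]
    return {u.name for u in people if any(allowed(u, "edit", m, acls) for m in members)}

def build_sample():
    """Constructed data: two Local Units, each with one manager and one student."""
    acls = {"Unit A": {"Unit A"}, "Unit B": {"Unit B"}}  # each group manages itself
    people = [
        Contact("mgr_a", {"Unit A"}, "manager"),
        Contact("mgr_b", {"Unit B"}, "manager"),
        Contact("student_a", {"Unit A"}),
        Contact("student_b", {"Unit B"}),
        Contact("director", {"Directors"}, "director"),
        Contact("admin", set(), "admin"),
    ]
    return people, acls

if __name__ == "__main__":
    people, acls = build_sample()
    print("Unit A editors:", sorted(editors_of("Unit A", people, acls)))
    people[2].role = "manager"  # a student is later given a login
    print("after student login:", sorted(editors_of("Unit A", people, acls)))
```

Running `editors_of` for every unit after each change to roles or group membership gives a quick regression check that no login other than the unit's manager and the admin has gained edit rights.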

Calliopebrook

  • I’m new here
  • *
  • Posts: 1
  • Karma: 0
  • CiviCRM version: 2.0
  • CMS version: 2.0
  • MySQL version: 3.0
  • PHP version: 1.0
Re: Using Organic Groups for access control
November 02, 2012, 12:50:52 am
Quote from: Jason W on October 11, 2012, 10:41:54 am
Can you say more about why you think others may think it's a poor approach - or why you like it? I'm trying to evaluate the pros and cons of the options.

Jason W

Re: Using Organic Groups for access control
November 05, 2012, 02:10:46 pm
Hello Calliopebrook,

It's not that I don't like the approach, I'm all for using things in ways that they aren't necessarily meant for... provided they work. As Pete said previously: "if you aren't actually using OG for the purposes for which OG was made, then you are kind of mis-using it for an outcome which should probably be delivered more directly." That's why people might not like the method. However, if it works for you, do it. Maybe even document it and propose it as a viable alternative. Civi isn't carved in stone (just yet). Being open source, you have the opportunity to really get in and try some things.

That being said, organic groups would probably work, I just personally prefer the way CiviCRM uses its groups as opposed to Drupal's. Rather than having 6000 groups to work with (3000 in Drupal and 3000 in CiviCRM), it seems to me that using three groups in Drupal to set basic permissions and then using CiviCRM to fine tune with ACLs is logistically more sound.

I hope this helps, if you try something new that works, please share. After all, helping others is what Civi is all about.

Cheers,
Jason
civiTrainingTutorials
"Helping You Help Others"


This forum was archived on 2017-11-26.