Type: Feature Request
Affects Version/s: 6.2.X EE, 7.0.0 M3
Fix Version/s: None
Similar Issues:Show 5 results
LPS-15016 Fine grain control of user permissions in a user's personal community LPS-24545 Split "Site -> Update" permission into few more fine-grained permissions LPS-13445 Support in Journal for fine grain edition permission over structure fields. LPS-27620 Giving User Organization Role Permission to Manage Users Does not Work if Organization is a Sub-organization LPS-28180 Organization assign user role will not allow users to assign org roles to users
Giving the "Manage Users" permission is too powerful in some scenarios. Here is how we would like to be able to define more fine grained permissions:
1. Create an Organization Role, and Define Permissions:
Users and Organizations -> General Permissions -> Access in Control Panel
Users and Organizations -> General Permissions -> View
Users and Organizations -> User -> Delete
Users and Organizations -> User -> Update
Users and Organizations -> User -> View
Users and Organizations -> Organization -> View
Users and Organizations -> Organization -> View Members (not sure if necessary)
2. Create an Organization
3. Create two users and assign them to this Organization
(note: In the current master, I couldn't make the assignment from the users' menu, so I had to use the Organization's assign members feature)
4. Assign your Organization Role to one of your users
5. Log in with this user
Issue 1: You cannot access the Control Panel with this user, even though you can see the Organization Role's permissions summary that it has "Portal: Go to Control Panel" rights.
6. Create a Regular Role to workaround Issue 1, Define Permissions:
Control Panel -> General Permissions -> Go to Control Panel
7. Assign this Regular Role to your user
8. Log in with this user
9. Now you will see the Control Panel button, click on it
Issue 2: You will get the following message: "You do not have permission to access any control panel applications. Please contact your administrator." Even though it has multiple Control Panel permissions.
10. Modify your Organization Role to workaround Issue 2, Define Permission in addition:
Users and Organizations -> Organization -> Manage Users
11. Log in again with your user
12. Go to Control Panel, choose your Organization, inspect the actions menu for the Organization members
Issue 3: You are able to impersonate the additional user, even though we didn't set that permission to the Organization Role, so the "Manage Users" gave too much.
Expected Result: The permissions defined in step 1 should be enough to access and edit Ogranization users.
1. The "Access in Control Panel" permission for Organizations should be enough for Issue 1 and Issue 2.
2. Since we can set "Delete", "Impersonate", "Permissions", "Update", "View" permissions separately for users, it is expected to be able to use one without the other.
ee-6.2.x@95315c9 - reproduced
master@2e84633 - reproduced