PUBLIC - Liferay Portal Community Edition / LPS-49009

Provide ability to create Organization Roles with more fine grained user editing permissions than "manage user"



      Giving the "Manage Users" permission is too powerful in some scenarios. Here is how we would like to be able to define more fine grained permissions:

      1. Create an Organization Role, and Define Permissions:
      Users and Organizations -> General Permissions -> Access in Control Panel
      Users and Organizations -> General Permissions -> View
      Users and Organizations -> User -> Delete
      Users and Organizations -> User -> Update
      Users and Organizations -> User -> View
      Users and Organizations -> Organization -> View
      Users and Organizations -> Organization -> View Members (not sure if necessary)

      2. Create an Organization

      3. Create two users and assign them to this Organization
      (note: In the current master, I couldn't make the assignment from the users' menu, so I had to use the Organization's assign members feature)

      4. Assign your Organization Role to one of your users

      5. Log in with this user

      Issue 1: You cannot access the Control Panel with this user, even though you can see in the Organization Role's permissions summary that it has "Portal: Go to Control Panel" rights.

      6. Create a Regular Role to work around Issue 1, Define Permissions:
      Control Panel -> General Permissions -> Go to Control Panel

      7. Assign this Regular Role to your user

      8. Log in with this user

      9. Now you will see the Control Panel button, click on it

      Issue 2: You will get the following message: "You do not have permission to access any control panel applications. Please contact your administrator." Even though it has multiple Control Panel permissions.

      10. Modify your Organization Role to work around Issue 2, Define Permission in addition:
      Users and Organizations -> Organization -> Manage Users

      11. Log in again with your user

      12. Go to Control Panel, choose your Organization, inspect the actions menu for the Organization members

      Issue 3: You are able to impersonate the additional user, even though we didn't set that permission to the Organization Role, so the "Manage Users" gave too much.

      Expected Result: The permissions defined in step 1 should be enough to access and edit Organization users.

      Additional Remarks:

      1. The "Access in Control Panel" permission for Organizations should be enough for Issue 1 and Issue 2.

      2. Since we can set "Delete", "Impersonate", "Permissions", "Update", "View" permissions separately for users, it is expected to be able to use one without the other.

      Test Results:
      ee-6.2.x@95315c9 - reproduced
      master@2e84633 - reproduced




            • Assignee:
              support-lep@liferay.com SE Support
              nimrod.papp Nimrod Papp