Open
Description
gadamiak created Redmine issue ID 9063
User groups can be nested one inside another. This is a nice way to keep order, but it has only an organizational purpose, as access policies cannot be assigned in bulk to child user groups. It would work if members of nested user groups were treated as members of the parent user group.
To illustrate the case, consider the following example. There are many contexts, which are owned by different users. The most natural way to manage access permissions is to:
- make a parent group, e.g. "Context managers"
- make a child user group for each context, e.g. "context"
This would allow one to:
- define access policies based on roles for "mgr" for the "Context managers" user group, i.e. define what users can do in the manager UI
- and define access policies based on roles for the specific context ("context"), i.e. define what users can do in the context they have access to (load, list, view, save..., resource groups etc.)
- hook form customization for all "Context managers" members
That way ACLs wouldn't need to be duplicated for "mgr" access, or users wouldn't need to be duplicated in separate user groups (to achieve the above, users currently need to be placed in both mentioned user groups).
To summarize:
- users should be members of containing (parent) user groups
- ACLs defined for a parent user group should be inherited by contained (child) user groups
- user roles defined in child user groups should apply to ACLs defined in the parent user group unless overridden by parent user group membership.
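
The three rules summarized above can be modelled as a small permission resolver. This is an added example, not code from the issue or from the project; the group layout, users, role names, the "mgr" permission names and the rule that an ACL entry matches a role by exact name are all assumptions made for illustration.

```python
# Constructed sample data; every name below is illustrative.
PARENT = {"context-a": "Context managers", "context-b": "Context managers"}
MEMBERS = {  # (user, group) -> role held through direct membership
    ("alice", "context-a"): "Editor",
    ("bob", "context-b"): "Editor",
    ("bob", "Context managers"): "Viewer",  # explicit membership in the parent
}
ACLS = [  # (group, target context, role the entry applies to, permissions)
    ("Context managers", "mgr", "Editor", {"open_manager", "edit_forms"}),
    ("Context managers", "mgr", "Viewer", {"open_manager"}),
    ("context-a", "context-a", "Editor", {"load", "list", "view", "save"}),
    ("context-b", "context-b", "Editor", {"load", "list", "view", "save"}),
]


def children(group):
    """Direct child groups of `group` (PARENT is assumed to be a tree)."""
    return [c for c, p in PARENT.items() if p == group]


def effective_roles(user, group):
    """Roles `user` holds in `group` under the proposed nesting rules."""
    direct = MEMBERS.get((user, group))
    if direct is not None:
        # Membership in the group itself overrides roles from child groups.
        return {direct}
    roles = set()
    for child in children(group):
        # Members of a child group count as members of its parent.
        roles |= effective_roles(user, child)
    return roles


def effective_permissions(user, target):
    """Union of permissions from every ACL entry that applies to `user`."""
    perms = set()
    for group, acl_target, role, granted in ACLS:
        if acl_target == target and role in effective_roles(user, group):
            perms |= granted
    return perms


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, sorted(effective_permissions(name, "mgr")))
```

Here alice is placed only in her context's group and still receives the "mgr" policy defined once on the parent, while bob's explicit parent membership overrides the role he holds in his child group.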