Inherited group membership

Events happening in the community are now at Drupal community events on www.drupal.org.
baps11's picture
Posted by baps11 on January 14, 2015 at 5:06pm

Hi folks,

I'm starting to look at adding clients to an open atrium instance. Each of these clients will have a workspace, and multiple users. The intention was to create a group for each client, then add user to the group. Access to their space (and subspaces/sections) would then be facilitated by adding the group to the membership of the correct space.

This seems to result in the users having access, but the spaces are not listed as spaces for that user. E.g. I've added a Spaces and Groups pane to their dashboard, and this is empty. They also don't show up in the breadcrumbs. If I add each user distinctly to the space as a member, then the Spaces and Groups and breadcrumbs then contain the correct entries.

I thought groups were intended for this purpose without the need to specifically add users to each space individually? Any thoughts?

Baps.

Comments

Main menu (also: why Groups?)

Posted by kdmcguire on January 14, 2015 at 5:41pm
kdmcguire's picture

Hi Baps,

Can I ask why you chose to use Groups - and have the Spaces inherit those Groups - for Space membership? If you're adding users to a Group, that's not any more work than adding them to the Space directly...

Anyway, I think the breadcrumb menu was changed in one of the recent updates - it used to allow inherited Spaces, but now, as you know, does not. The concern is that managers who had inherited access to a large number of Spaces, but were only really active in a few, would find their breadcrumb menu overwhelmed by the inherited Spaces. There's an issue about it here: https://www.drupal.org/node/2141373

I think I recall that you can add links to Spaces into the 'Main menu' menu, and they'll still only appear for users who have the correct access permission. Worth testing that out for yourself, though, as I could be wrong.

Why not groups?

Posted by baps11 on January 14, 2015 at 6:34pm
baps11's picture

Hi kdmcguire,

Thanks for taking the time to post.

Groups are used in a helluva lot of other contexts specifically for this reason. Perhaps I've misunderstood the reason for their existence here, but it seems counter intuitive to me to have groups, and not use them for space membership.

Sure, if you are only occasionally going to add or remove people, no problem. What if you're not though? Like creating an unrelated space that the same set need access to. It may not necessarily be a child of the other space, in which case, manually add in each member again? Or if a set of people are reassigned, manually remove each and manually add to the new space? Not sure why you would arrange membership like this if groups worked as expected. Or am I missing something here and they are working as expected?

Had thought teams might be what I'm missing, but from the documentation, they seem to be limited in scope to setting permissions for sections within one space, so probably not appropriate in this context.

Anyway, I see the reason for the breadcrumb change. Would be nice to be able to configure that behaviour I guess. Will look into the main menu instead.

Thanks!

Baps.

I have a similar complaint.

Posted by couloir007 on January 14, 2015 at 6:58pm
couloir007's picture

I have a similar complaint. We have partners who manage many projects. It's a citizen science initiative. Each partner may have an infinite number of projects. Each project is set up as a space, and each project is public. But there are subspaces, sections, and content that is not necessarily public. Not all partner members are to be members of every project. There would essentially be teams, but teams can only be added to one space. I decided I would use groups as teams, but teams that could be added to multiple projects. The issue I'm having is that the project space is inheriting the permissions of the "Team Group", and causing problems. I hope I can resolve this, but I don't have much hope. Therefore we'll need to add individual members over and over again to each project. This will become a tedious task over time. I would argue the role of teams should be expanded to include the possibility of teams being members of multiple spaces, and team members being full members of the space. For the one project I experimented with teams, being a team member did not give you privileges of being a space member, even though that team was a member of the space.

Thank you,
Sean

If I make the group public,

Posted by couloir007 on January 15, 2015 at 11:24am
couloir007's picture

If I make the group public, it won't lock down the space. But I'm not sure I want to keep all the groups public.

Thanks!
Sean

No thoughts?

Posted by baps11 on January 26, 2015 at 9:19pm
baps11's picture

Noone else has come across this or finds this behavior odd? I'd have thought it was pretty fundamental in terms of access.

Thanks,

Baps.

Teams belonging to multiple spaces

Posted by gandhiano on January 26, 2015 at 9:36pm
gandhiano's picture

I also find the possibility of having teams belonging to different spaces very useful, as I have similar issues in a community based site. @couloir007 what about opening a feature request on the OA issue queue?

Teams/groups

Posted by kdmcguire on January 27, 2015 at 10:28am
kdmcguire's picture

It's fair to say that a Team that can belong to multiple Spaces is, essentially, a Group.

If you've set up a few Teams in one Space that are also relevant for other Spaces it would make sense to be able be able to have them belong - or work in - multiple Spaces. However, it also makes sense for the devs to a) avoid duplicating work unnecessarily, and b) to separate the roles of Groups and Teams so that site-builders don't duplicate unnecessarily.

It's worth submitting a feature request, but I can see them suggesting you just use a Group.

baps11,
In response to your original problem, there is an only-slightly clunky workaround. I've set up an intranet the same way you want to set up your client-based site, with Groups providing inherited membership to a variety of Spaces. I created a view that displays published Space-type nodes, sorted alphabetically, and added a block display. That block goes on the /spaces page, which I changed to the Radix Bryant Flipped layout. This means that users can see every Space they have access to alongside the normal lists of their favourite Spaces and Spaces that they are a direct member of. If a user does not have access to a Space, it will not appear in this list.

cuoloir007/Sean,
Apologies if I've not understood your issue correctly, or if you've tried this, but... in the top-level project Spaces, have you tried changing the 'Inheritance' settings to "No - subgroups of this group won't inherit its users" and "Child's permissions - inherited users in this group's subgroups will have the permissions of a generic member of that subgroup"? I haven't experimented with these very much but I think they're meant to provide a way to separate sub-Space membership from its parent Space... So you could have the parent Space be public, then set the sub-Space as private and inherit membership from a Group.

Also, as far as I can tell, you can't have private Sections within a public Space. Either the Space's Group will just have access all the same, or it'll be a combination of the Space's Group and the Group that you specify - the user will have to be a member of both. I think sub-Spaces are required for private Sections.

Kieran

Kieran, I will look into the

Posted by couloir007 on January 27, 2015 at 3:03pm
couloir007's picture

Kieran,

I will look into the Inheritance. I just don't want to make groups public, but the spaces they belong to I do.

Thank you,
Sean

Open Atrium

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: