Spaces & Groups inheritance & permissions

nkanderson's picture

Apologies if this is redundant with other documentation out there, but honestly, I've scoured every source of OA documentation I can find and can't come up with a clear answer on how to set up a very basic site in terms of spaces and groups.

I've taken over an OA site where the permissions and group inheritance were set up such that there is one space and 3 groups. The space inherits members from 2 of the groups. Is this an intended use of group-parent structures, or is the intent only to have parent relationships between like OA types of groups (i.e. Space to Space, Group to Group, but not Space to Group)?

If that's the case, what does this post mean when using language like "assign that Group to a Space" (in the implementation example)?

I understand from the documentation that spaces are for organizing content creation and groups are for organizing content access, but none of the documentation I've found provides clear, succinct examples for setting up space and group relationships. If anyone has specific examples of a simple space to group inheritance relationship, and the resulting functionality, that would be much appreciated!

Comments

Open Atrium Groups

Ed Carlevale's picture

Hi, I can help you with this, but might need more information. You say you're trying to set up a basic site but also that you've taken over a pre-existing site. What exactly are you trying to do and what problems are you running into? In general, out of my own experience (and the Phase 2 pros are likely to have a different perspective), I don't use the "groups" functionality. It's the only Atrium functionality I never use. I just don't find it useful. (I do like the "team" content type and functionality a lot, however.)

-- I've found the "site map" functionality (http://drupalgroup.mit.edu/sitemap/#/) to be a hidden gem in Pantheon when it comes to setting up the basic structure of a site, and also when trying to explain Atrium to other users.

-- Which version of Atrium are you running? If it's not 7.x 2.60, can you update to that easily?

But provide a bit more information and I can help walk you through some of this. I've been meaning for the longest time to set up an Atrium Users Group (http://drupalgroup.mit.edu/), so any questions you ask may push me to do that.

Ed Carlevale
Drupal Developer, MIT Energy Club

A bit more context to answer

nkanderson's picture

A bit more context to answer your first question - I am taking over a site, but it's in an unfortunate state currently: someone involved in the original build set the incorrect upstream repo within the Pantheon configuration, so it hasn't been possible to push OA updates (Pantheon told me you can't change the upstream repo, so...). I'm working to migrate that site over to a new OA install, and in the process want to make sure I've got a solid baseline configuration.

So I am working on configuring the new site within a 7.x 2.60 install, but I need to match the current permissions and access structure that's in place on the old / current site. One problem I've run into is that our content manager group (one of the two that the main space inherits from) did not initially have content creation permissions in my new build mirroring the space-group relationship from the old site. I've been able to grant those users content creation permissions by either adding individual members to the space, or setting the "Group user permission inheritance" to "Child's permissions". I'm not sure which of these is preferred, or if there are implications for using one method over the other.

And a little more context on the nature of the site - this is our company's intranet site, so no public-facing content. We have content managers who need to be able to add any type of content; everyone else who accesses the site should be able to view the content, but only needs to be able to add one type of content. It's fairly simple in its current state, but I'd like to configure things in such a way that we could take full advantage of OA's granular permission structure as needed down the road.

Thanks for your help!

You sound like you're making

Ed Carlevale's picture

You sound like you're making good choices.

  1. Even when I start with an Atrium distribution on Pantheon, I sometimes make a change that breaks the connection for automatic updates from Pantheon. When Atrium doesn't recognize something in profiles/openatrium, it treats the distribution as a Drupal distribution, not Atrium. In other words, the person who came before you may not have done anything wrong. He just made a change that prevents Atrium from recognizing itself. In general, the only change I make to the default Atrium distribution is to move the current theme from profiles/openatrium/themes to sites/all/themes. (I use drush to delete it first, then add it.) Everything else I leave completely alone and the Pantheon/Atrium updates go through perfectly. Those updates are a gift from the development gods and you definitely don't want to get in their way.

  2. Migrating to a fresh install that you yourself have built is generally the best strategy, I've found. Tedious, but you will really understand everything perfectly when you're done.

  3. "But I need to match the current permissions and access structure that's in place on the old/current site."

That's exactly what I wouldn't do. Over the past hour I set up a sandbox site (http://dev-open-atrium-sandbox.pantheonsite.io/) to explore the whole Groups functionality more carefully, and the site just crashed -- in self-defense, I would say, because it realized that the Groups functionality doesn't bring anything to the table. Worse, there are so many possible combinations that it's more Rubik's Cube than site building.

Basically, the idea behind the Groups and Teams content types has little to do with content types per se, but rather with using those content types with Atrium's notification system. When you create new content, whether it's a blog post, a news item, or an event, you can use Atrium's notification to send an email to a team, to a group, or to individual users. But this notification structure really should be one of the last things you set up. The same is true for permissions and roles and all that sort of stuff. It's important to get that stuff right, but not right now.

  4. "I've been able to grant those users content creation permissions by either adding individual members to the space..."

That's the simplest approach, and best imo. Don't forget that you also make those members administrators, and then they have access to do everything within the group. You can adjust the permissions that are given to the two default group roles (administrator and member) or add new roles with their own permissions.

  5. "...or setting the 'Group user permission inheritance' to 'Child's permissions'."

I find that too tedious to keep straight in my head. I like users to have specific roles and specific permissions. Nesting roles within this or that group is just not worth it, in my opinion. And whoever takes over the site after you move on will not be singing your praises either.

  6. "a little more context on the nature of the site..." So I gather that your site is not using Notifications at all. I don't see any reason for your site to be using Groups. Just configuring the roles so that users with a given role can add the content they need to add, is all you should worry about. But you should check out the Team functionality, as I find that really cool, and it solves a problem that comes up often in my own site building, which is keeping track of team members as they change from year to year.

Ed Carlevale
Drupal Developer, MIT Energy Club

Thank you, this is all super

nkanderson's picture

Thank you, this is all super helpful!

I'm glad you brought up notifications - this is actually a piece of functionality that is desired, but was never implemented on the first version of the site. So it sounds like groups and teams are important for managing notifications? I also wanted to ask you something from your initial post - you mentioned that you don't use groups, but you do like the team functionality. I'm under the impression that teams are subsets of OA groups - are you using them differently?

Related to teams & groups - how are you setting up simple content access, if not through Groups? Simply being an authenticated user?

To clarify on my comment about matching the current permissions and access structure - this is in reference to the end user's experience. I'm not tied to using the exact same configuration behind the scenes, but it should function more or less the same.

Oh, and regarding the upstream repo - this is not within the OA install, it's a setting on the Pantheon site itself. It's one that I've set to OA on a sandbox site, so it doesn't change with any configuration changes you could make on the site.

Thanks again for your input!

"So it sounds like groups and

Ed Carlevale's picture
  1. "So it sounds like groups and teams are important for managing notifications?"

Yes. Notifications allow you to send an email to let a user, team, or group know about changes on the site, pretty much exactly as we're both receiving emails when one of us posts a comment to this thread.

  2. "I'm under the impression that teams are subsets of OA groups..."

No. Teams is simply a content type called "Team," which allows you to easily add a bunch of users to create a "team." So you create teams like "2016 Leadership Team," "Program Administers," etc. Go to the members page for any space you've created (eg, node/1/members) and then click the tab Teams. Create a new team and add members of the current space to it. You can then use that team with the notifications system.

  3. "How are you setting up simple content access...?"

You should be managing this through roles and permissions managed by Organic Groups. Organic Groups has fantastic configurability and makes it very easy to add and modify and configure access for various roles (/admin/config/group/group-membership). You'll find the full set of organic group configurations here (admin/config/group).

  4. "it doesn't change with any configuration changes you could make on the site."

You're right. I was thinking of when I created a backup of an Atrium site on Pantheon, and then used the three backup files (code, database, and files) to quickly clone a new site. It works perfectly and is very quick, but Pantheon considers it a Drupal upstream repo, not Atrium.

But in any case, your original comment was that you originally couldn't use the automatic updates with an upstream Atrium repo. And that's the reason: something has been changed from the original distribution that Atrium is expecting to find in profiles/openatrium.

Ed Carlevale
Drupal Developer, MIT Energy Club

The upstream repo is set to

nkanderson's picture

The upstream repo is set to Drupal 7 core within the Pantheon site configuration (under Settings > About Site > Upstream), which is why I can't, or maybe more accurately shouldn't, push the commits that Pantheon automatically adds to the dev site. It's not related to changes in the original distribution or anything that Atrium is expecting to find; more likely the developer initialized a Drupal 7 site, then installed OA manually.

Good distinction on Teams vs. Groups - I misinterpreted the importance of the statement "Teams as a subset of User-groups and Sections as a subset of Content-groups," in this post. So do you use Teams mainly for notifications, or are you also using them to assign private access control to different sections?

Under Organic Groups membership types (/admin/config/group/group-membership), I'm only seeing options to add or import an og membership type, or edit a default one. Can you provide an example of what you would create or edit here? Or if that's too big a topic, could you link to documentation or an example elsewhere? I'm not really sure where OA stops and plain OG begins, since they are so entwined.

No, I don't use teams for

Ed Carlevale's picture

No, I don't use teams for either notifications or for access. As I said, I think Organic Groups roles and permissions should be used to control access, and the teams-notification functionality I hope to use once my sites are more intensively used by their communities. Rather, I use teams to solve a problem that I can't easily solve otherwise: Say your company has an executive committee and every year new people are appointed to it. That's the functionality I need: "2015-2016 Executive Committee", "2016-2017 Executive Committee." There are tricks you can play with taxonomy and views to handle this, but it's effortless with Atrium's team functionality.

The link to add a new Organic Groups role is a bit buried. Go to this page (/admin/config/group/roles) and edit the Node-Space group type. Add a new role, then configure the permissions. Next, to assign the new role, or any OG role, to users who are already members of a space, go to the space you're dealing with and select the Bulk Manage setting (/group/node/1/admin/people) and assign them the new role.

Ed Carlevale
Drupal Developer, MIT Energy Club

I think I may not fully

nkanderson's picture

I think I may not fully understand your use case for Teams - what purpose are the executive committee teams serving?

I will take a look at the OG roles and see how they match up with my needs for content access and creation permissions.

Thanks!

Teams

gandhiano's picture

I do use teams for both access control and notifications and find them very useful.

In my particular case, on a production site with ca. 5000 members, I use them in different logics: the one Ed described (temporary groups of people); project teams (although here you can of course also opt for different spaces/subspaces - we use it for "small/short-term" projects); different teams within a project.

Thank you all for this inspiring and enlightening discussion, we definitely need more of these to grasp and document the full potential of OA.

Thanks, @gandhiano! Do you

nkanderson's picture

Thanks, @gandhiano! Do you feel similarly to Ed regarding Groups, or have you found them to be useful? If you have a moment, would you mind elaborating on your Groups - Spaces configuration?

I just did a couple of

Ed Carlevale's picture

I just posted a couple of short screencasts, one on Groups (https://youtu.be/fh5YKWv89uk), the other on Teams (https://youtu.be/ll7JHWMx2QI). Putting them together helped me understand Groups much better than I did before. Now I see that Groups could actually be quite useful. They help you manage the visibility of sections, members within a space, and all notifications. That's pretty powerful.

Ed Carlevale
Drupal Developer, MIT Energy Club

Groups can span multiple

Argus's picture

Groups can span multiple Spaces where Teams are meant for (ad hoc) grouping of members within a Space. That's their key difference as far as I understand. Of course their use is implemented differently as well.
Thanks for your input on this, I always have found Access rights within OA the most difficult to understand part, including inheritance etc. That's why I made an effort to document it. This discussion will surely contribute to that, I will try to update the documentation accordingly as I found more people have difficulty understanding the subject even after reading the documentation (multiple times...).
Any help is welcome, you are free to edit the documentation! Perhaps we should discuss the content in a parallel issue on d.o., can't remember if there is already one or not.

Thanks, @Argus, the post of

nkanderson's picture

Thanks, @Argus, the post of yours that I've linked previously to is one that I've gone back to a number of times in trying to make sense of Space to Group relationships. Can you confirm whether or not I'm understanding it correctly, when you say to "assign" a Group to a Space, that's referring to inheritance?

The Groups vs Teams distinction is helpful, but the original intent of the post was to get some specific examples of Space to Group relationships. Do you have a moment to add a specific example (or two!) of a Space and Group configuration, and how that functions?
