We are working on setting up our LDAP authentication for dotCMS, and I am being asked what groups we are planning on using. I'm curious what some of you have decided works well for groups outside of the basic admin, CMSUser, and LoggedInUser groups.
We have tons of groups setup this way. I use the 3 basic groups depending on what tabs they have access to:
CMS User has Workflow, Website, and Content
Content Contributor has Workfolow and Content
CMS Administrator has everything
Then I have a 2 groups for each Department / Office / Service (aka Folders). One for the Developer (Read and Write on the folder) and One for the Publisher (Read Write and Publish on the folder). Then I just place the users in the groups based on which folder I would like to give them access to.
Good luck setting yours up. It wasn't too hard for us.
From what I've gained since originally posting this, I'm starting to think that I definitely do not need any custom groups really. At least in our environment, the basic set, combined with roles should serve enough. That's my hope anyway. In theory, each department/office will have two people, an editor and a publisher, kinda like you. At the very least, they will have a publisher. But both people would be in the same group, with roles controlling what they can do.
That is what we were going to originally do, however what I found was: until the person logs in once, you can't assign them a role. That is why I created groups for each. This also lets us control everything from the LDAP side of things .. as long as I have the groups assigned to a role and permissions for that role setup in DotCMS .. someone else can manage what groups in LDAP they are in.
We are trying to set up roles and permissions for our university. With the three groups named above, we have to create a role for each folder if we want a user to each have access to one specific folder, is that correct? How did you define your roles and associate them with different sites?
You are essentially correct. For instance, we create two roles for every folder in the system (for the most part): an editor and a publisher. We also have matching groups for those. The way that works is the groups have the roles attached to them, and the groups are assigned in LDAP. So someone gets the Department X Publisher group, which in dotCMS grants them the Department X Publisher role as well. And that role has publish rights on Department X's folder. Our generic CMS Users group gets access to things like view permissions on the domain, access to a couple basic structures and categories, and rights to use the default templates. The specific roles then control actual access around the site.
With every role we create we have to also give each role access to the correct the portlet so theyll be able to see them when they log into the cms? Is this correct? How long did it take you to implement these roles and groups?
I assign tabs/portlet/page permissions based on one group and folder/content/structure permissions based on another. I have one group "CMS Users" and that has the tab/portlet/page permissions. Users need to be entered into 2 groups in your ldap this way.
"Switching to a new CMS? Join our next webcast with Briana Johnson from @OSUIT to learn how to convince decentralized web content authors to tolerate the switch, actively participate, and enjoy it! http://bit.ly/2zhdcIt"
"Your website is the front door to your college or university. Your website design has to accommodate for the way that students interact with and use the information your institution provides. http://bit.ly/2P8VldR"
"Join us for our next webcast with OmniUpdate CEO Lance Merker, who will delve into key insights about Generation Z’s online search behaviors to help you refine your school's web marketing strategy. http://bit.ly/2zhdcIt"
"Our newest guide will help you learn what it means to be accessible, how to implement accessibility best practices, quick fixes to try as well as a long-term plan, plus tools to help you in your website accessibility efforts. Download it now!"
"Are online forms more efficient? Learn how El Camino College used Formstack to create online forms that expedited processing, improved communications, increased transparency, and promoted accountability across campus. http://bit.ly/2zhdcIt"
"If you’re struggling with web challenges such as accessibility, SEO, design consistency, workflow, content governance, or how to start a website redesign, you’re not alone. Join our next webcast to learn how other higher ed institutions…"
"Here’s an outline of everything you need to know about OCR compliance, including what it is, what your college or university can do to stay compliant, and resources for OCR compliance. #accessibility http://bit.ly/2rcPDgG"
"Join us for our next webcast with April Buscher from Montana State University Billings to learn how blind readers and people with hearing impairment view and read your website and how you can make it accessible to them. http://bit.ly/2zhdcIt"
"High schoolers spend more time on their digital devices than they do sleeping, doing homework, or participating in extracurricular activities. So how do you make your message stand out to them? #eexpect http://bit.ly/2MOIIWC"
"Want to increase digital engagement with high school juniors and seniors? Join our next webcast with Stephanie Geyer from Ruffalo Noel Levitz as she shares new data from the 2019 E-Expectations Trend Report on email, paid media, and social media…"