Security

This page assumes the reader is familiar with the Permission model of the Orchard CMS; if you are not, see the Orchard documentation about it. The security model in OrchardCollaboration has two layers. The first is Roles and Permissions, which is defined by Orchard itself and only extended by OrchardCollaboration with custom Roles and Permissions. The second is Access Management Control, which is defined by OrchardCollaboration itself. In short, Roles and Permissions apply to users only, whereas Access Management Control connects users with the ContentItems in OrchardCollaboration.

Terminology

In the rest of this page, item refers to any kind of ContentItem in OrchardCollaboration, such as a Ticket, Task, Issue, Discussion or Wiki page.

Roles and Permissions

Orchard CMS by default has a bunch of roles and permissions. Unless you use the CMS features, you will not deal with them in OrchardCollaboration. OrchardCollaboration uses a set of its own permissions and roles in order to protect data integrity and privacy in the system. It adds the following Permissions to Orchard's permission set.

Operator Permission

This permission allows a user to:

  1. create new items,
  2. edit the items that the user has access to,
  3. share the items assigned to (coordinated by) the user with another user or Business Unit,
  4. grant other users or Business Units access to items assigned to (coordinated by) the user,
  5. access unassigned tickets and assign them to someone else.

The permission does not allow a user to:

  1. delete items,
  2. view or edit items that the user does not have access to.

By default, the Operator role has this permission.

AdvancedOperator Permission

This permission grants users unrestricted control over items. With it, a user can assign, edit or delete any item in the system. By default, only admin users have this permission.

BasicData Permission

This permission allows a user to change the basic data of OrchardCollaboration, such as the list of Priorities, Ticket Types, Email Templates, etc. By default, only admin users have this permission.

Customer Permission

Users with this permission can create new tickets and edit the tickets they created themselves. The permission allows users to assign a ticket only to Business Units, and only at the time the ticket is created; in edit mode, the user can no longer reassign the ticket. It also does not allow the user to assign the ticket to other users. A user with this permission cannot view the child tickets of his/her own tickets either. This permission allows a user to create a new discussion if he/she has access to the project.

Access Management Control

Orchard Collaboration provides a simple but effective model for granting users access to items. There are three AccessTypes in the system: Assignee (or Coordinator), Shared and ReadOnly. Users with the Operator or Customer permission can only access items on which they hold an AccessType, whereas users with the AdvancedOperator permission have unlimited access to all items. Users without any OrchardCollaboration permission cannot access any OrchardCollaboration item.

Assignee or Coordinator AccessType:

If a user has the Assignee AccessType on an item, he/she can edit the item, change its properties, add new comments to it, grant or deny other users or Business Units access to it, or create sub-items for it. Each item can have only one Assignee/Coordinator. The Assignee/Coordinator can also be a Business Unit; in that case, all of its members can perform the operations above on the item. This AccessType cannot be assigned to users with the Customer permission.

Shared/Edit AccessType:

If a user has the Shared/Edit AccessType on an item, he/she can edit its properties, add new comments, or create sub-items for it. The only things a user with the Shared/Edit AccessType cannot do are changing the permissions of the item and deleting it. If a Business Unit has the Shared/Edit AccessType, all of its members inherit that AccessType from it.

ReadOnly Access type

This AccessType gives the user read-only access to an item. A user with this AccessType can view the item and add comments to it, but cannot edit it, assign it to someone else, or delete it. If a Business Unit has the AccessType, all of its members inherit that AccessType from it.

How to Change AccessType of items in the system

Tickets

In the ticket search page, select the tickets and then click the Assign button.

The “Assign ticket” window opens. Here you can select operator users or Business Units and the AccessType. If you select the Assignee AccessType, the system automatically creates a Shared AccessType for the previous Assignee of the ticket. If you tick “Remove old Permission”, the system does not create a new AccessType for the previous Assignee. Clicking “View in Full Detail” takes you to the “Detail page of permissions”, where you can see the selected tickets with all of the permissions they have.
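The following is an added example, not code from OrchardCollaboration or Orchard, that models the rules described in the Access Management Control section above and the reassignment behaviour of the “Assign ticket” window. It encodes the three AccessTypes, the Operator/AdvancedOperator/Customer permissions, Business Unit inheritance, and the rule that a new Assignee demotes the previous one to Shared unless “Remove old Permission” is ticked. The class names, the action vocabulary (view, comment, edit, create_subitem, grant, delete) and the sample users are assumptions made for the model; the real product does not expose this API.

```python
"""Toy model of the OrchardCollaboration access rules described on this page.

Added example, not project code. The names below (User, BusinessUnit, Item,
can, assign_ticket) and the action vocabulary are assumptions for the model.
"""
from dataclasses import dataclass, field
from enum import Enum


class Permission(Enum):
    OPERATOR = "Operator"
    ADVANCED_OPERATOR = "AdvancedOperator"
    CUSTOMER = "Customer"
    BASIC_DATA = "BasicData"


class AccessType(Enum):
    ASSIGNEE = "Assignee"    # a.k.a. Coordinator
    SHARED = "Shared"        # a.k.a. Shared/Edit
    READ_ONLY = "ReadOnly"


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    members: frozenset        # user names


@dataclass
class User:
    name: str
    permissions: frozenset    # of Permission
    units: frozenset          # of BusinessUnit the user belongs to


@dataclass
class Item:
    title: str
    # principal name -> AccessType; a principal is a user or a Business Unit
    access: dict = field(default_factory=dict)

    def assignee(self):
        """An item has at most one Assignee/Coordinator."""
        for principal, access_type in self.access.items():
            if access_type is AccessType.ASSIGNEE:
                return principal
        return None


# Actions each AccessType permits, as the page describes them.
# "delete" is deliberately absent: only AdvancedOperator may delete.
ALLOWED = {
    AccessType.READ_ONLY: {"view", "comment"},
    AccessType.SHARED: {"view", "comment", "edit", "create_subitem"},
    AccessType.ASSIGNEE: {"view", "comment", "edit", "create_subitem", "grant"},
}


def effective_access(user, item):
    """Strongest AccessType held directly or inherited from a Business Unit."""
    rank = {AccessType.READ_ONLY: 1, AccessType.SHARED: 2, AccessType.ASSIGNEE: 3}
    principals = {user.name} | {unit.name for unit in user.units}
    held = [item.access[p] for p in principals if p in item.access]
    return max(held, key=rank.get) if held else None


def can(user, item, action):
    """Authorization decision for one user, one item and one action."""
    if Permission.ADVANCED_OPERATOR in user.permissions:
        return True                      # unrestricted, including delete
    if not ({Permission.OPERATOR, Permission.CUSTOMER} & user.permissions):
        return False                     # no OrchardCollaboration permission at all
    access = effective_access(user, item)
    return access is not None and action in ALLOWED[access]


def assign_ticket(item, new_assignee, remove_old_permission=False):
    """Model of the 'Assign ticket' window with the Assignee AccessType selected."""
    if isinstance(new_assignee, User) and Permission.CUSTOMER in new_assignee.permissions:
        raise ValueError("Customer users cannot be Assignee/Coordinator")
    previous = item.assignee()
    if previous is not None:
        if remove_old_permission:
            del item.access[previous]    # 'Remove old Permission' ticked
        else:
            item.access[previous] = AccessType.SHARED
    item.access[new_assignee.name] = AccessType.ASSIGNEE
    return item


def demo():
    """Constructed sample principals and one ticket; returns the decisions made."""
    support = BusinessUnit("Support", frozenset({"bob"}))
    alice = User("alice", frozenset({Permission.OPERATOR}), frozenset())
    bob = User("bob", frozenset({Permission.OPERATOR}), frozenset({support}))
    carol = User("carol", frozenset({Permission.CUSTOMER}), frozenset())
    root = User("root", frozenset({Permission.ADVANCED_OPERATOR}), frozenset())
    ticket = Item("Printer out of toner",
                  {"alice": AccessType.ASSIGNEE, "carol": AccessType.READ_ONLY})
    results = {
        "alice_grant": can(alice, ticket, "grant"),
        "alice_delete": can(alice, ticket, "delete"),
        "bob_view": can(bob, ticket, "view"),
        "carol_comment": can(carol, ticket, "comment"),
        "carol_edit": can(carol, ticket, "edit"),
        "root_delete": can(root, ticket, "delete"),
    }
    assign_ticket(ticket, support)       # Support unit becomes Assignee, alice -> Shared
    results["bob_edit_after"] = can(bob, ticket, "edit")
    results["alice_grant_after"] = can(alice, ticket, "grant")
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two points worth noticing in the model: bob gains edit rights purely through Support's membership once the unit becomes Assignee, which is the inheritance rule the page describes, and alice silently drops from Assignee to Shared on reassignment, so a reviewer of a ticket's permissions should expect to see former assignees lingering with Shared access unless “Remove old Permission” was used.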

Folders, Projects, Discussions and Wikis

For such items, navigate to the item; in its toolbar menu there is a “People” button. Clicking it lets you change the people (users and groups/business units) associated with the item as well as their access rights.

Note 1:

For items that belong to a project, such as Discussions, Folders or Wikis, the list of users and groups/business units who can be given access to the item is limited to those who have access to the project.

Note 2:

In the “Detail Page of Permissions” for a project, you can grant customers access to the project. To grant a customer access to a project, navigate to the list of customers and invite the customer to the project.