Roles & Groups

Daniel Hoffend dh at dotlan.net
Fri Sep 5 11:06:19 CEST 2014


Well sure it's easy to run an ldap query on nsrole to see all the users 
or limit the scope for $app as "login filter". But in the webadmin you 
currently only see all members of a group, but you can't see all members 
that have role X.

Some LDAP servers support the memberOf attribute or overlay, for 
example, to provide something similar to what the nsrole attribute 
can be used for.

But when you start from scratch it can be hard to choose if you should 
use Groups or Roles to achieve X. For example you use groups to organize 
your org structure, teams, etc. But when you start creating shared 
folders in IMAP, do you want to use groups for this or do you want to 
use roles for this? I know this is a design decision, but for first-time 
users it's getting hard to understand the differences.

I totally understand that Roles are the perfect choice for assigning 
admin roles, application access roles, or suspending a user (like suggested 
in the hosted kolab scenario). But for everything else it gets fuzzy 
and there're multiple ways to achieve your goal. I'm totally aware that 
most things can be done using groups or roles, that's why I opened the 
discussion for "best practices" (example: and the reason why nsrole was 
used for imap groups in the default configuration instead of real 
groups). Just to make it easier to understand for first-time users who 
might be overwhelmed with LDAP in the first place.

--
Regards
Daniel


------ Original Message ------
From: "Liutauras Adomaitis" <adomaitis at kolabsys.com>
To: "Daniel Hoffend" <dh at dotlan.net>
Sent: 05.09.2014 08:34:01
Subject: Re: Roles & Groups

>On Thursday 04 of September 2014 10:10:44 Daniel Hoffend wrote:
>>  It would be good to have an actual documentation section about what's
>>  the philosophy behind groups and roles and what would be the best
>>  practices to use them. Sure everyone has an idea or vision how they
>>  should be used or are limited to their current existing directory (for
>>  migration) but some ideas about best practices would be helpful.
>
>I would say roles are kind of groups, then each user has a list of roles
>it is assigned to, while groups are the list of users belonging to the
>group.
>
>Say if there were only groups, then if you want to list all the groups
>the user belongs to, you have to query all the groups and check if user
>is in them. With roles it is easier, as you have to query nsrole
>attribute for particular user only.
>
>The philosophy here is that if you want to make some users kolab-admins,
>you assign a role for them, as that is easier to check if user can do
>kolab admin work.
>
>Liutauras
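
Added example, not part of the original messages or of Kolab's code: the two lookup directions discussed in this thread (the nsrole query for "all users with role X" and as a login filter, versus scanning groups for a user), run against a constructed in-memory directory. The DNs, uids and the groupOfUniqueNames/uniqueMember group schema are assumptions made for illustration.

```python
# Added illustration. The DNs, uids and DIRECTORY below are constructed samples.
ROLE = "cn=kolab-admin,dc=example,dc=org"
JDOE = "uid=jdoe,ou=People,dc=example,dc=org"
ASMITH = "uid=asmith,ou=People,dc=example,dc=org"
TEAM = "cn=team-a,ou=Groups,dc=example,dc=org"

# Users carry their roles (nsRole); groups carry their members (uniqueMember).
DIRECTORY = {
    JDOE: {"uid": "jdoe", "nsRole": [ROLE]},
    ASMITH: {"uid": "asmith"},
    TEAM: {"objectClass": "groupOfUniqueNames", "uniqueMember": [JDOE, ASMITH]},
}

_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return "".join(_SPECIAL.get(ch, ch) for ch in value)

def role_members_filter(role_dn):
    """Search filter for every user that has the role (the nsrole query)."""
    return "(nsRole=%s)" % escape_filter_value(role_dn)

def login_filter(uid, role_dn):
    """Login filter that admits a uid only if the entry also has the role."""
    return "(&(uid=%s)(nsRole=%s))" % (escape_filter_value(uid), escape_filter_value(role_dn))

def groups_of_user_filter(user_dn):
    """Search filter for the groups that list the user as a member."""
    return "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(user_dn)

def roles_of_user(user_dn):
    """Role lookup: read one attribute of the user's own entry."""
    return DIRECTORY[user_dn].get("nsRole", [])

def groups_of_user(user_dn):
    """Group lookup: every group entry has to be checked for the user."""
    return [dn for dn, e in DIRECTORY.items() if user_dn in e.get("uniqueMember", [])]

def members_with_role(role_dn):
    """What role_members_filter returns on a server: users whose nsRole matches."""
    return [dn for dn, e in DIRECTORY.items() if role_dn in e.get("nsRole", [])]

if __name__ == "__main__":
    print(role_members_filter(ROLE), members_with_role(ROLE))
    print(groups_of_user_filter(JDOE), groups_of_user(JDOE))
    print(login_filter("jdoe", ROLE))
```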