Description

The actual rights/users/groups management system is too difficult to use. What is needed is mostly graphical interface improvement. The actual system will become "advanced" rights management system at first and maybe unsupported latter if new system support all needed features for XWiki Enterprise.

Needs

• Rights wiki hierarchy

Actually only wiki Administrator can manage rights, we want to set Space Administrator that can acces Space rights management without general wiki Admin rights.

• Easy to use

Lots of work here is about design more usable user interface to modify rights. We need the following improvements:

• 
  
  • Easier access to user and groups. Select or add any user or groups. Add to groups on the fly.
  • Easier understanding of view/edit/comment/admin rights
  • Visual understanding of rights inheritance (rights from the upper level replace or not at the current level) 

Proposed implementation

After a few meetings and discussions about user rights we propose the following implementation:

General

The interface needs to support XEM specifics (multiwiki). In XEMs users and groups can be either managed in the global wiki (xwiki: prefix) or in the local wiki, or in both. We need clean APIs to get the list of groups and users depending on these settings. If the mode is mixed (users and groups global AND local) then the global groups should be presented first. We need a visual way to distinguish the global and local groups (hidding the xwiki: prefix)

When viewing a user in the list which should see it's pretty name (first name last name). But we need to be carefull because they could be empty. We need also to view it's page name in a tooltip because we could have duplicates.

Space preferences and rights

We propose to support the same admin for space management with only the "prefs" and "rights" tab. This admin would be available from the same link (alternate solution is to replace the "Documentation" link in the top toolbar with a question mark icon and add an "Admin" drop down menu allowing to access the Global admin or Space admin). If users only have the space admin right then they are only directed to the space admin. They cannot switch space from this admin. Global admin are directed to the usual interface which gives access to the global and space admins.

Users and Groups

We need to integrate user and groups management in the current admin interface. There should be:

• List of users, ability to delete a user, Ability to create new user.
• List of groups, ability to delete a group, Ability to create a new group, easy way to add a user to a group (ajax auto complete). Ability to add a group inside a group.

Here is a sketch of the group management interface:

Note: the group management interface should be available from an AJAX popup (lightbox) in the rights page when clicking on a group.

Rights

After a long discussion we have decided on a table based interface. Groups and Users are presented in columns. Groups are presented first, then users. Columns are for rights (view, edit, comment, register, admin, programming). Admin should only be present at the global and space level (not page). Programming should only be present at global level and only in the global wiki in multiwiki mode. 

You can see an example of the proposed UI here: ImproveRightsManagementUITest

The interface should show a column "greyed" if no rights are set for this column (it means rights are inheritated). We should see the inheritated rights checked (we need an API to find an inheritated right since it does not exist now). At the global level we heritate rights from the default (always authenticate in view, always authenticate in edit, admins are heritated from global wiki in multiwiki mode or are not heritated)

When you ungrey the column then we can start from the heritated rights. If you grey again the column no rights should be saved for this column.

There should be settingts to decide if all groups and users are shown or only the one with rights. By default all groups are shown, but only users with rights. Groups and users can be added using AJAX unless all are already there. It is possible to click on a user to have a quick view of his profile page. It is possible to click on a group to view it's member and add more users and groups to it. It is possible to create a group or a user directly from this UI.

Also we could are a rights preview page (we would need to decide how to make it accessibe). This preview page could look like this:

ImproveRightsManagementPreview

Admin Panel

An optional admin panel can give quick acces to admin actions (global rights, space rights, user management, groups management, etc..)