Archive
Monthly
Go
|
|
DNN Blog
Jul
14
Posted by:
smehaffie
7/14/2008 11:40 PM
One of the changes in the upcoming 5.0 release is the fact that the core admin modules & tabs are treated just like other tabs/modules. This means that an admin can give other users access to these tabs/modules at the tab/module level. Although this is a very powerful feature, it is also a very dangerous feature if an administrator does not understand the implications.
When you give a user edit rights to an admin tab or module you are giving the user "administration" permissions. So what does this really mean?
Tab Level: Giving user edit permissions is the same as on tabs that are manually created. The user will be able to edit the tab settings (including permissions), add modules to tab, delete modules from tab, etc.
Example (You give user edit permissions to the users tab): The user can now edit permissions for the tab, change skin of tab, delete modules from the page, etc.
Module Level: Giving user edit permissions is the same as on 3rd party modules that are added to a tab. The user will be able to plus access all the functions of the module. In addition, if the user is also given edit permissions for page the user will then also be able to edit the module settings.
Example (You give user's edit permissions to the user's module): The user have access all the functions of the user's module (adding/editing/deleting users, editing profile settings). If the user also has edit rights to the tab then the user will also have access to change the module settings (permissions of module, container used by module, etc).
Basically, edit permissions given to a user on module gives then access to all the functionality of that module. Giving a user edit permissions on the tab and module is the same permissions adminstrators are given. The difference it that administers have access edit access to all admin tabs/modules, and this new feature allows to to assign additional access to admin tab/modules to fit your business needs. This is something to keep in mind when assigning permissions to the admin tabs & modules. IMO, this is a great new feature and makes DNN management very flexible. In addition, it opens the door for the admin core modules to use the custom permission capabilities of DNN in future releases. This would then allow admininstrators to grant permissions at the feature level (which would be awesome).
13 comment(s) so far...
Re: DNN 5.0: Breakout of core admin modules
Could you clarify something about module permissions? In DNN 4.x and prior it seems that DNN treats the Administrator role differently from roles that have edit permission on the module. So, even if you grant a role edit permission on a module, that role will never have access to the module settings page, or Delete and Move, only Administrators see that.
Is that distinction still present in DNN 5.x? It is actually a useful distinction, because as the administrator, you might want to make a module fully editable by a particular role but not allow it to be deleted, moved or basic settings changed.
By lneville on
7/15/2008 11:06 PM
|
Re: DNN 5.0: Breakout of core admin modules
This tops my list of tasty enhancements, but are you certain about the second example? It implies that having module edit permissions allows a user to access the module settings page, which normally requires page edit permissions to view. Module edit permissions normally only exposes specific management options that have been specifically enabled by the developer... e.g. items on the action menu and action buttons.
The description in the post suggests there is no permissions granularity provided for the former admin modules... "edit permissions = administration permissions". I would be very surprised if this were actually the case.. because if module editors=admins, then the whole point of breaking these modules out would be moot.
By robax on
7/15/2008 11:07 PM
|
Re: DNN 5.0: Breakout of core admin modules
I am drooling over DNN 5.0 just for this piece. We have around 30 people that need rights to add / create tabs, but no other rights from the admin menu. I have had to go in and add work arounds to solve for this, will be really nice to get rid of those work arounds though. It will also be a blessing for me as a host service, cause I can offer my clients more control over the host control panel for things like SQL input box, etc but won't have to give up full host control over to them, for things like Host settings, where I have restrictions on modules etc.
By keeperofstars on
7/15/2008 11:07 PM
|
Re: DNN 5.0: Breakout of core admin modules
I think this is obvious. Is there somewhere more info about DNN5 to read?
Thanks
Vlado
By Starlogic on
7/15/2008 11:07 PM
|
Re: DNN 5.0: Breakout of core admin modules
Great feature, thank you.
By brian on
7/15/2008 11:07 PM
|
Re: DNN 5.0: Breakout of core admin modules
2nd question, and maybe a bit off topic. This is regarding allowing the Users and Roles modules to be used by non-Administrators.
Allowing non-Administrators to manage users & roles is for me the biggest payoff in DNN 5.0. However if there are no restrictions in what can be done, it could be "dangerous". For example, I would not want a non-administrator to be able to promote themselves or anyone else to administrator. I might also want to restrict the administration of certain roles to certain users.
So, are there any restrictions an administrator can implement? My ideal would be a rule of the form:
Role X is allowed to administer roles {A,B,C...}, which means (i) edit users who are in these roles, (i) add users to these roles & (iii) remove users from these roles, but only if those users are NOT already members of roles {P,Q,R....}
The reason for the exception is, for example, to prevent the editing of users who are Administrators (but who are also in one of the roles {A,B,C...} that role X is allowed to administer).
By lneville on
7/16/2008 11:14 AM
|
Re: DNN 5.0: Breakout of core admin modules
lneville and robax: The post above has been updated. In going over the new features to double check the information in the post. I must have not cleared the edit permissions from the tab before adding the edit permissions to the module. I apologize for the confusion.
lneville: To answer your second question, right now if you give a user edit access to administer users they get access to all the functionality of the module. Narrowing done the functionality even more is what I was referring to this opening up the user of customized permissions, but it still doe not cover what you are wanting. But now that are moving in this direction, the functionality would be a great feature and you should enter it into Gemini as an enhancement.
By smehaffie on
7/16/2008 11:13 AM
|
Re: DNN 5.0: Breakout of core admin modules
I agree this will be very useful, especially as it is refined and enhanced. Allowing delegated user management was something important to me when I first started using DNN 4. Fortunately, I found WorkControl User Manager, which allows very good granular permissions on exactly what a delegated user is allowed to do, including preventing the editing of Admin accounts.
By rralston on
7/17/2008 12:33 AM
|
Re: DNN 5.0: Breakout of core admin modules
Cool, thanks for checking this and updating the post. You had me worried there for a bit.
By robax on
7/18/2008 10:53 PM
|
Re: DNN 5.0: Breakout of core admin modules
As smehaffie suggested I have written my proposal up as an enhancement request in Gemini. The ticket is DNNP-8123 (http://support.dotnetnuke.com/Default.aspx?p=23&i=8123).
By lneville on
7/18/2008 10:54 PM
|
Re: DNN 5.0: Breakout of core admin modules
Footnote:
I understand that the scope of DNN 5.0 is now frozen. However my feeling is that this feature is going to cause a lot of upset in the community. People will rush to use the feature and will assume that it is "safe". They will then discover that, for example, it is possible for users to elevate themselves or others to administrators. I think this will cause a lot of bad press for DNN, and be regarded as a security loophole.
By lneville on
7/18/2008 10:54 PM
|
Re: DNN 5.0: Breakout of core admin modules
Ineville: That is the reason for this post, to make sure that community members understand that with this new ability comes additional understanding about using the new abilities and the security implications. This though is more secure in some instances because a lot of site admin, would just make users administrators even though they only needed access to specific admin modules (thus giving them access to a lot more than they needed including users, roles, and site settings). I will use more for the non security related modules (Site Logs, Event Logs, Newsletter, Solution Explorer, Vendors, etc). I would only give limited users access to the users/roles modules, and people who I gave this access to would be trusted users and just not anyone.
Also you stated one thing incorrect in you Gemini enhancement request, giving a user edit rights to the users module would not enable them to elevate there permissions. The only way they would be able to do that is if you gave them edit permissions to the roles module as well. Otherwise a user would get the following message if he only had edit rights on the users module (but not the roles module).
"Either you are not currently logged in, or you do not have access to this content."
Not all users will use this new capabilities, but those that do just need to make sure the understand what implications giving a user edit rights on each of the adminstration modules gives the user and decide if they want to do that. As part of that decision process they might decide to not use the additional feature and buy a third party module like WorkControl that does a lot of what you request in you enhancement request (plus some).
By smehaffie on
7/18/2008 11:16 PM
|
Re: DNN 5.0: Breakout of core admin modules
Thanks, I corrected and clarified the Gemini ticket.
I do get your point that administrators ought to understand, and be fully responsible for, the consequences of giving away permission to the users & roles modules. The trouble is, what ought to happen and what will predictably happen are 2 very different things!
Briefly, my point is that I think you are going to get 3 outcomes from releasing this feature as described: (i) people who use it taking responsibility for its limitations , (ii) people who are disappointed that they can't use it the way they thought they could (i.e. to delegate work with no risk), and (iii) people who are really upset because they assumed it was "safe" and then an "incident" occurred.
I am a huge advocate of DNN. The reason I am speaking up about this not just that I want DNN to have great features, but I think outcome iii above will hurt DNN's reputation.
By lneville on
7/20/2008 10:30 PM
|
|