Separated groups with separated accesses

#1

Hello,

I’m just starting to experiment with Pydio Cells and consider it a wonderful piece of software!

In order to evaluate the possibilities of the system, I’m trying to implement quite a simple use case as follow:

  • A Pydio Cells server is deployed by someone who wants to share files with different entities.

That is the very purpose of the software of course :rofl:

  • Each entity should have a dedicated space to access the files intended for it and should not be able to access files intended for other ones.
    It seems logical to consider that, in Pydio Cells, each entity would then be represented by a Group created under Identity Management > People.

It would then seem obvious to create a folder for each Group and adapt the Workspaces Accesses of this Group to only allow Read or Read/Write access to this folder. Unfortunately, I discovered that, in the Home Edition, one would have to create separated datasources for each entity as I commented in the Simple folder access use case - Cannot make it work topic…

  • Users of the respective entities would be assigned to their respective Group. Those users should have specific possibilities, like the ability to create Public Links, or Cells but only accessible to other users of their own Group

At this stage, using the Home Edition as a testing ground, I’m facing two main difficulties:

  1. The Address Book that is presented to the user contains all users of the system. I looked for a way to restrict that to only the users in the same Group, as presented in the Users/teams visibility section of the documentation. Unfortunately (again), and contrary to what one might think reading this page, this Visibility option doesn’t seem to be accessible in the Home Edition. :unamused:

  2. Based on the Roles and inheritance documentation page (cannot link since I can only use 2 links as a new user :grimacing:), I also tried to understand how to create a Role that would apply to a certain Group. Creating a Role named after the same name as the Group didn’t work. From the documentation I though that maybe using a starting “/” before the name would work (i.e. rolename = /groupname), but it didn’t either.

Thus I came to this forum to ask if someone could:

  • Tell me whether it is possible, in the Home Edition, to control (limit) users visibility to only their own Group (restricted address book)?
  • Help me understand how to create a Role that would apply to a specific Group?

Any help would be welcome.

Thank you very much.

#2

Hi,

At the moment it’s not really possible without disabling the address-book (for a group for instance), it’s something that is on our bucket-list.

About the role/group process, so lets define the group & role to see the differences,
basically roles are applied (automatically if you wish) to user with a profile (usually admin, regular users, external-user,…) for instance the Root Group is applied to every regular user existing in Cells, whereas the External Users is applied to temporary user form share links, or address book.

Now groups is to enable you to sort users by department(for instance) and manage access rights to their specific resources.

If you want a hint on what’s the best for you, i could guide you given a specific context.

#3

Thank you @zayn for taking the time to reply.

That is indeed the conclusion to which I came from the few experimentation I did. As said in the initial post, from reading the documentation I was expecting to e able to selectively hide some groups from the others (in their address book).

Am I right in understanding that this feature might be made available in a future release?

I think I get it now.
I probably was mislead by reading, on the Roles and Inheritance (I don’t understand why I cannot post a link :disappointed:) page, under the Groups section, that

Each group is attached with a canonical role that takes the group Uuid as Uuid.

And thus I was thinking of creating a Role that would bear a name that would “automatically” relate it to a Group bearing the same name. I now understand that the quoted statement simply relates to the fact that one can define specific Workspaces Accesses, Application Pages and Application Parameters for each Group that is defined under Identity Management > People > + GROUP

This obviously makes more sense than defining a separated, specifically named, Role to control those parameters for a specific Group.

That is very kind of you and I appreciate!
For the moment I’ll keep exploring Pydio Cells’ interface and capabilities by myself before I come back and bother you again :wink:

Thank you once more for paying attention to my questions, it’s nice to feel supported during the discovery of a software like this!

Best regards.

#4

Hi,
i wanted to add furthermore that in our enterprise edition we just released a feature to restrain the scope for groups, but when you enable the feature it is applied to every group (as long as they match some criteria) and you cannot choose which group is going to be secluded.