Tribune

Home » Liferay Portal » English » 2. Using Liferay » General

Vista Combinata Vista Piatta Vista ad Albero
Discussioni [ Precedente | Successivo ]
toggle
Raymond Gardner
Roles or User Groups, which one should I use? What's the final answer?
6 agosto 2011 14.57
Risposta

Raymond Gardner

Punteggio: Regular Member

Messaggi: 108

Data di Iscrizione: 14 luglio 2011

Messaggi recenti

Haha. The subject is a little play on Jorge Ferrer's outstanding blog Organizations or Communities, which one should I use? The final answer. That cleared up my confusion on the differences between Organizations and Communities. I was hoping somebody could do the same on Roles and User Groups?

To me, they are both groups. Let me guess, they are both stored in the Groups table in the database and both are accessed in the API via the groupId, no?
They are just differenciated by different types/classes/models, no?

You create a Role. You add users to the Role. Then, you associate the Role to one or many portlets.
As a page is being rendered for the user, a page in the user's community/site, a portlet configured to display on the page first inspects the user's associated Roles to see if the user has rights to access the portlet. The portlet compares those user Roles to the Roles that have been defined for itself. If there is a match, then the portlet is rendered. If there is no match, then an access denied message is rendered. (Unless that property has been set to hide access denied messages for portlets. In which case, nothing would be rendered.)

For a User Group, it is pretty much the same thing. You create the User Group. You add users to the User Group. But here you associate User Groups to Pages/Sites(?) rather than portlets.

Does that sound about right? To me they are the same thing. There should be no reason you can't have Roles associated with pages, and just use Roles. Or, have User Groups associated with portlets, and just use User Groups.

I'm just trying to grasp my head around it as my company/team are new to Liferay. We are trying to figure out the best way to build out our Users' structure and groupings and permissions to pages and portlets.

Any input will be greatly appreciated!
emoticon
Jeffrey Paul Handa
RE: Roles or User Groups, which one should I use? What's the final answer?
6 agosto 2011 18.27
Risposta

Jeffrey Paul Handa

LIFERAY STAFF

Punteggio: Expert

Messaggi: 456

Data di Iscrizione: 1 dicembre 2008

Messaggi recenti

Hi Raymond,

In Liferay, a Role is all about permissions. Starting with Liferay version 5 and above, the only way to assign permissions is through a role. So, if you are trying to apply permissions you have to use a role. In Liferay, permissions are a combination of an action and a resource. The action might be the ability to view, edit, delete, etc. The resource might be a portlet, a blog post, a message board thread or a user. So yes, you can use roles to control who can view a portlet on a page, but you can also use roles to control what blogs or message board categories a user can see or which pages in a Wiki the user can edit. You have a variety of options when adding users to a Role. You can add an individual user, you can add an entire Community or Organization or you can add a User Group.

A User Group is all about a collection of Users. It is often mapped to a Group in your LDAP and it's used to help manage a large number of users. Unlike Communities or Organizations, a User Group doesn't contain any content, it is only a grouping of users. What would you do with a User Group? Well, if you are mapping an LDAP group that contains North American employees to a NA-Employee-User-Group in Liferay, you would then add that User Group to the North American Employee Organization and then as you add users to the LDAP group they would also be given access to the North American Employee Organization in Liferay. You could also add that same User Group to the Employee Role and then all of your North American Employees, as determined by LDAP, would have all the permissions that an employee should have.

I hope that helps clean things up a little bit and welcome to the Liferay Community.
Raymond Gardner
RE: Roles or User Groups, which one should I use? What's the final answer?
6 agosto 2011 21.39
Risposta

Raymond Gardner

Punteggio: Regular Member

Messaggi: 108

Data di Iscrizione: 14 luglio 2011

Messaggi recenti

I guess I have to keep reading.

I hear what you are saying and it makes sense, however, when looking over the Control Panel I still get confused on how it should be laid out and applied.

I'm just trying to get the best and deepest understanding I can about all the features and capabilities provided by Liferay for user management and access rights.
I'm trying not to make a wrong assumption here and then build off it. That can lead to complications I'd like to avoid up front.
Jorge Ferrer
RE: Roles or User Groups, which one should I use? What's the final answer?
7 agosto 2011 13.26
Risposta

Jorge Ferrer

LIFERAY STAFF

Punteggio: Liferay Legend

Messaggi: 2757

Data di Iscrizione: 31 agosto 2006

Messaggi recenti

Hi Raymond,

My usual recommendation is to consider User Groups only when you are using everything else and you still need another level of indirection. For example, your portal is being used within a university and you want all teachers to have a couple of roles (one of which is shared with other staff members, but the other is not) and three sites. In this case I would create a User Group for teachers (and probably for the other "types" of users) so that by making a user member of that user group he will become member of the sites and roles desired with a much smaller administration effort.

A second typical use case is when synchronizing with an external user storage such as LDAP. Mapping an external group to a Liferay User Group instead of directly to a site or to a role is often preferred since that additional level of indirection provides more freedom and avoids tying the portal structure to the external structure.

Hope that helps.
Raymond Gardner
RE: Roles or User Groups, which one should I use? What's the final answer?
8 agosto 2011 15.39
Risposta

Raymond Gardner

Punteggio: Regular Member

Messaggi: 108

Data di Iscrizione: 14 luglio 2011

Messaggi recenti

So, I guess a Role is a Role is a Role. Roles define access rights and, no matter what, you need a Role defined in order to grant a particular access right.
(I guess access rights can be defined/configured? I'm still looking into that.)

User Groups are just an "indirect" way of grouping users together. It's a flat grouping instead of the hierarchical grouping provided by Organizations.
You can associate pages to a User Group. But, if you wish to grant more or grant less access rights(Permissions) to the members of a User Group then, you
have to define a Role and make the User Group a member of the Role?

Still looking into it but hopefully that is accurate.
Hitoshi Ozawa
RE: Roles or User Groups, which one should I use? What's the final answer?
8 agosto 2011 17.06
Risposta

Hitoshi Ozawa

Punteggio: Liferay Legend

Messaggi: 7990

Data di Iscrizione: 23 marzo 2010

Messaggi recenti

FYI, roles also have portal (global), community, and organization scope. I think the "global" here implies portal instance rather than portal server.

User Groups are just an "indirect" way of grouping users together.


I prefer to think of user groups as a "direct" way of grouping users together who have "something in common" while role is a "direct" way of grouping permissions together.

I think your question is more about whether this "something in common" should be base on permission rather than other attributes.
Should a user group be created for each role? If not, when should a user group be created corresponding to a role?
Raymond Gardner
RE: Roles or User Groups, which one should I use? What's the final answer?
10 agosto 2011 14.19
Risposta

Raymond Gardner

Punteggio: Regular Member

Messaggi: 108

Data di Iscrizione: 14 luglio 2011

Messaggi recenti

Yes. I think a 'direct' way of grouping users together is a better way of stating it.

The thing is, you can assign members to a Role. At this point, a Role is a group.
I guess my confusion is, why have the two when you can do the job with one.

Keep in mind, I'm just exploring concepts and possibilities. I'm just trying to get a
better understanding of what can be done and why to do it.
Michael Harper
RE: Roles or User Groups, which one should I use? What's the final answer?
17 agosto 2011 14.47
Risposta

Michael Harper

Punteggio: Junior Member

Messaggi: 56

Data di Iscrizione: 10 agosto 2011

Messaggi recenti

Personally the main reason I think to have both is, in one of the example posts above, you are getting the users and their groups from an LDAP.

When a new user is imported into liferay they are automatically in the user group because of being in that group through the ldap. So if you already have a specific role assigned to that user group, the user automatically gets the permissions from that role for being in the group and you don't have to individually assign roles each time you get a new user added to liferay.