Thread

There have been a number of questions/requests/demands over the years for individual users to be able to belong to more than one user group. I have the following questions - just questions, no answers. I am hoping for answers to appear in this thread.

1. Considering that different groups are most often set so that they contradict each other in some way, what would you expect from the ability to allow membership of more than one user group? For example, you have User Group A with access to Channel 1 but no access to Channel 2, and you have Group B with access to Channel 2 but no access to Channel 1. Now what do you expect to happen with respect to Channel 1 and Channel 2 access if you grant a user membership of both Group A and Group B?

2. Assuming you have a preferred way to resolve the question in 1 above, do you think that multiple group membership permissions affecting Control Panel functions should be treated differently from multiple group membership permissions affecting content? - What about Design?

3. If you think that multiple group membership is desirable, why do you think the existing EE capabilities are inadequate when EE imposes no limits on the number of groups you can create, each with a unique set of permissions, to which you can assign individual members to your heart’s content?

4. The number of ways in which combinations can be made will escalate rapidly with an increase in the number of groups. For example, there are 1,023 ways of assigning users to just ten user groups. Given that this is the objection most often voiced against using the native EE abilities (3 above,) what would you suggest that a multiple group capability should do about this potential proliferation of possibilities:

- Ignore it and leave it up to the admins to manage?
- Keep track of it and issue warnings?
- Restrict the number of memberships for each user?
- Some other idea?

5. The EE group permissions system lumps a large number of permissions together in one interface for each group. Channel access, module access, CP access - count them! For a three channel site with two template groups, 6 modules and 5 user groups, you already have to keep track of 390 individual permissions. In what way would an ability to assign users to more than one group make this job easier?

- Or do you think that the whole permissions system needs to be overhauled first? In what way?

6. How important is the ability to assign members to multiple groups? Why do you think that?

7. Are these the right questions to ask about multiple group membership? If not, what are the right questions?

I am new to EE and considering conversion of a system on another CMS to EE.  Group memberships and privileges is one of the first things I was looking into.  I saw that in your requested features forum there is a request for “mass editing” of group memberships rather than having to go through the Profile Edit for members on a one by one basis.  But looking at your database in PHPmyadmin, it became apparent that a given member could only be in one group at a time.  So I searched and found your post, and I can see the dilemmas intrinsic in allowing multiple group memberships in your current structure—especially since so many different privileges are associated with each group.  Even if technically you could AND the privileges if someone belonged to more than one group and only grant a specific privilege if it was turned on for all groups, the results could be unpredictable and difficult to manage. 

The way I use group membership in my present system is something like this ... in PHP code I see if someone belongs to a specific group (group X say).  If they do I will echo out a specific section of a form (say functions to administer a module) and if not the user won’t even see that section.  In other cases group membership will determine what options they see or where they are directed say in the action clause of a form.

But I don’t need 50 different privileges for this ... usually just one privilege that’s implicit in the group.  So maybe what you need is a “specific_groups_privileges” table that is limited to a single privilege (or perhaps a small set that would be defined along with the group name).  And you’d want to satisfy the mass editing request for both this and the “normal” group memberships so that you don’t need to go through user by user.

As a newbie, I recognize that there may be other ways to meet my request in EE that I don’t know of.  I realize that this is a different “construct” from the way you use groups now but maybe that’s what’s needed.

Hi John, Here’s my answers *as they relate to* my current problem:

1) That user can access both Group A and Group B – as access should take precedence over restriction.

2) Yes they could be different, for my problem control panel access is not as relevant as content access.

3) It’s inadequate because I have one login per user, and the need to grant some users access to more than one group’s content. A senior company manager for example, as opposed to her single-point-access underlings. EE cannot offer that user a simple solution (ie just login once and you can see all of these things)

4) Ignore and leave up to Admins - i know I could easily manage my client’s setup request (handful of groups, less than 100 users, and only a few members who have multiple groups)

5) It’s not about easier for me - it’s just about allowing a user to belong to more than one group. It can be harder - fine - as long as it’s possible.

6) It’s really important to me right now - because the client wants it! And I was a little surprised that it didn’t exist (as nearly everything else is solvable). A company that manages lots of content from several divisions will nearly always have users who can cross over from one group.

7) Not sure there – it’s obvious I’m glazing over technical headaches for the person/team who needs to challenge it.

Does it have to be the master-solution first time around? Can it not be broken up into smaller functional bits? Impose a ton of limitations, that’s cool. As long as you solve *my* problem of course!

What if a user can only have one group’s control panel access, but if added to multiple groups could obtain all those content privileges? Or some little step in the right direction?

As you can see my problem is about users logging in to see protected content (sort of intranet(ish) in concept). Not really about the conflicts of admin / content creation.

Thanks!

@daverayner - thank you for your insights. I particularly agree with your point no 6.

@fkelly - I am not sure that I understand what you are saying. If you are saying that you would prefer to confine permissions for a given group to a single permission, you would need a different group for each permission.

This clearly is well outside of the scope of EE’s architecture. Perhaps a compromise might be to have different classes of groups. For example, groups dealing with channel access and only channel access, groups dealing with template access and only template access etc. In such a design, combining group memberships would not be such a stretch as it is in the current system.

For my money, there is nothing about the richness of access control that EE provides that I would want to do away with. But I would like to see the access system restructured. Access control is far too widely and illogically dispersed, and desperately needs consolidation into a coherent scheme, more along the lInes of an access gatekeeper that arbitrates all accesses.

What do I mean. Well, if you read the dev docs, for example:

ExpressionEngine uses the Session class for storing information about the user currently visiting the ExpressionEngine site. If the user is a member and is logged in, then their various preferences and privileges are loading into variables, which are then immediately available throughout the entire program without the use of a query

you might get the impression that all permissions are controlled via the sessions object for each user. You would, however, be wrong, because when it comes to a number of important access permissions such as category groups, file upload access, template access and others, EE goes back to looking at dispersed table content, based on a group pointer in the associated member group table entry, bypassing the session object altogether.

Since the sessions object relies on the member group table content to begin with, I would have thought that a bit of DRY might have been a good idea.

One final point - having asked my questions almost seven months ago, with only two persons other than myself showing any interest, should I conclude that multiple group membership is just a low priority issue for the EE community, or should I conclude that it is perceived to be “just too difficult?”

I would like to chime in and say that this is the one single biggest feature request I have. To be able to assign a member with a single login to multiple member groups. ( content side much more important than control panel side )

It is hugely important for our company to be able to do this.

I would have pretty much the same answers as @daverayner to the topic opener.

To be honest, I don’t see what the questions above are even for.  I agree with the previous respondents, but this is a very common paradigm and could easily be implemented by any competent coder.  In addition, many of us are using the system the same way and only giving channel access to clients, so it doesn’t need to be the case that there are a zillion things attached to the permission groups at that level.

We have 75 websites live using one installation of ExpressionEngine with a Varnish Cache frontend handling the heavy lifting.  There are 87 user groups, and MANY of them are of the “Site A + Site B” variety.  Some are even “Site A + Site B + Site C” and we’ve nearly reached the point where we’re going to start just naming them after the individuals who are using them.  In addition, we are beginning to use statuses to provide some workflow abilities, and so we have other sites that are of the “Site X Editors” and “Site X Publishers” variety.  Very soon, there will be a need to have individuals from groups “Site A + Site B” and “Site A + Site B + Site C” and MOST of the other groups join some of the larger site “Site X Editors” groups.

So, in short, we are stuck wondering if ExpressionEngine is going to work for us as a content management solution moving forward, despite the fact that it’s practically engineered to meet our exact use case.  We’re going to be forced to find another system if this continues to be a problem, which would be a real shame considering how useful (albeit buggy) ExpressionEngine has been so far.

If anyone from Ellis Labs wants a look at our solution, I’d be happy to show them our development environment.  However, what I expect from Ellis Labs is that they will fix this obvious and restrictive issue.  It would be trivially easy for them to do so, simply by extending their existing user tables.  In fact, it’s bordering on a bug, given the functionality and intentional abstraction present in the remainder of the system.

Anyone still interested in this topic might want to take a look at http://www.debeer.com

For ongoing development see

and for a full description