I’m on a Role

One of my main reasons for starting to use WordPress and becoming involved in the WordPress community was a client's desire to have more control over their website content.  The client in question had been really happy with the service they were getting, but their expansion means they now have a number of autonomous areas that would really like to manage their own content.  This meant only one thing: a CMS (Content Management System) was required.

After listening to much advice and reading articles there didn't seem to be much to choose between any of the major blogging/CMS packages (Joomla, Drupal and WordPress).  It was finally the community around WordPress, particularly the Word-Up crowd in Scotland, that swung it for me, and the serious business of researching WordPress began.

The initial installation and configuration was a breeze and, as you would expect, getting started with a blog was a doddle.  It was only when I started to look at how to restrict users' ability to edit/manage different areas of a WordPress website that things started to get sticky.  There seemed to be lots of options regarding who could post to and edit different blogs, but I needed to go further and apply controls to the editing of web pages as well.  Just as I was running out of steam it was time for Word-Up Scotland, which gave me the opportunity to put the question to some long-term WordPress experts.

All the guys at Word-Up Scotland were friendly and helpful as usual.  Unfortunately, no one I talked to had actually implemented the level of control I was looking for.  There were lots of suggestions of using different blogs to create the individual pages I needed and using extended categories to provide granularity of control.  It all seemed a bit complicated, and I returned convinced that there must be an easier way and that there must be a plug-in that would give me what I needed.

The good news was that my conversations at Word-Up Scotland had provided me with some additional ideas for search criteria that might flush out the plug-in that I was looking for. As a result it wasn’t long before I found the Role Scoper plugin.  The description filled me with confidence…

CMS-like permissions for reading and editing. Content-specific restrictions and roles supplement/override WordPress roles. User groups optional.

I have now installed the plug-in and it gives me exactly what I need.

The way Role Scoper works is that it adds additional areas to the edit screen for each WordPress entity (blog post or web page).  When you edit a page, for instance, each of the attributes (Readers, Contributors, Editors, Associates) has an area that shows all defined users or groups and allows the attribute to be assigned to each user or group for that page by simply ticking a checkbox next to the user or group name.

The plug-in goes much further than this brief description, but this is essentially the functionality I was desperately looking for.  It now means I can create a WordPress site where user A has the ability to edit pages 1, 2 and 3 whilst user B can edit pages 4 and 5.  It also means I can have a “super user” that can edit all pages.  The fact that the control works at an attribute level means that I can also set up “private” pages that can be seen by client staff but not by the general public.

Role Scoper has been really well put together by Kevin Behrens, who has also written a very good usage guide that got me up and running really quickly.

Role Scoper is a free plug-in and gave me everything I needed.  However, Kevin also offers the Press Permit plug-in, starting at $44.00, which is even more feature-rich and includes…

Press Permit introduces some important new features, including custom post statuses, BuddyPress group role assignments and bbPress compatibility.


A new Role Based Access Control (RBAC) class (JOBROLE) in RACF

It was great to be at a GSE Security Group meeting again.  So many familiar faces, and every presentation was a gem.

One of the issues raised at the group was Role Based Access Control (RBAC) and the proposition by Lennie Dymoke-Bradshaw that a new RACF class (tentatively dubbed JOBROLE) be added to allow roles to be more easily defined and controlled within RACF.  You can see Lennie's original proposition in a presentation here.

For more years than I like to consider, I have been an advocate of RBAC, regardless of the platform or access control mechanism involved.  It allows access to mirror an installation's business model and structure in an unrivalled manner.

Having implemented RBAC a couple of times, I can really see the value of a specific class that allows a role to be defined.  I do have qualms with one part of Lennie's proposition, however: the premise that a user should only be associated with a single role.  Whilst, in theory, this is the best way forward, the practicalities I have previously faced in implementing RBAC suggest it is just too inflexible.

I'm sure that for many installations a single user/single role premise will work just fine, and I cannot argue with the need to ensure that multiple conflicting roles are not allowed.  After all, who wants another Nick Leeson on their watch?  I also concede that the majority of business areas have a simple single-role structure.

My concern is that some installations will see the JOBROLE mechanism as the only way to implement RBAC in RACF and will shy away from the methodology altogether for fear it won't address their needs.

I have encountered two main objections to the “one user, one role” approach in the past:

  1. “It doesn’t match my business model”
  2. “I can’t afford the overhead of having to maintain thousands of roles”

The first of these usually surfaces when doing the investigative work to establish what roles need to be defined for a single operating area.  The issue normally goes something along the lines of:

  • How do I define a role that will…
    • Allow “A” to look after “B’s” workload when they are on holiday.
    • Allow me to use someone from another area (role) part time.
    • Cater for someone that I want to take on extra responsibility in preparation for a possible promotion.

Additionally, every large installation I have worked within has a significant number of projects running.  During a project, the people assigned to it will invariably have their “home” role plus an additional “project” role.  In the case of project managers, they may be working on multiple projects at the same time and hence potentially need different roles on each.

These multiple-role concerns invariably lead to the second objection.  Comments along the lines of “I haven't got the resources to define different roles for every possible combination of job function that someone may need to carry out”, or even worse “I might as well just define a separate profile for every individual given the number of roles I will need to define”, ensue.  These objections can lead to “lowest common denominator” roles being defined and security loosened rather than tightened.

I have addressed this in the past with “model” users for individuals and by defining groups for roles.  This way multiple groups (roles) can be assigned to individuals.  I have to admit to using third-party products to allow models to be cloned and expiry dates added to groups to achieve temporary roles.

I have always been concerned, however, that I have never found a way to lock out conflicting roles.  This aspect has always had to be addressed via auditing: a sure way of locking the stable door after the horse has bolted.  Perhaps this issue could be addressed via a mechanism whereby conflicting roles can be identified in a role definition.  Better still, some basic logic to define a conflict (e.g. Role A + Role B = conflict with Role C).  This would allow multiple roles to be assigned whilst still giving the ability to prevent role conflicts.
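To make the two preceding ideas concrete, here is a small model of multi-role RBAC in which the conflict check happens at grant time rather than in a later audit.  This is an added example written for this post; it is not RACF, not anything from Lennie's presentation, and not code the author has run.  It assumes a simple store where roles are groups, a user may be connected to several groups, a temporary (project or holiday-cover) connection carries an expiry date, and a conflict rule says “holding every role in this set makes that other role unacceptable”, which covers both plain pairwise conflicts and the “Role A + Role B = conflict with Role C” form.  All role names, dates and rules below are constructed for illustration.

```python
"""Multi-role RBAC with separation-of-duty rules enforced at grant time.

Added example, not part of the original post and not RACF itself. Roles are
groups, users may hold several, temporary grants expire, and a grant that
would complete a conflicting set is refused instead of being found by audit.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Connection:
    """Membership of a role group; expires=None is a permanent 'home' role."""
    role: str
    expires: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.expires is None or day <= self.expires


@dataclass(frozen=True)
class ConflictRule:
    """Holding every role in `holding` makes `conflicts_with` unacceptable.

    One role in `holding` is a plain pairwise conflict; two or more give the
    compound 'Role A + Role B = conflict with Role C' form from the post.
    """
    holding: FrozenSet[str]
    conflicts_with: str


class RoleStore:
    def __init__(self, rules: List[ConflictRule]) -> None:
        self.rules = rules
        self.connections: Dict[str, Set[Connection]] = {}

    def active_roles(self, user: str, day: date) -> Set[str]:
        """Roles in force for `user` on `day`; expired temporary grants drop out."""
        return {c.role for c in self.connections.get(user, set()) if c.active_on(day)}

    def violations(self, roles: Set[str]) -> List[ConflictRule]:
        """Rules broken by a whole role set, so grant order cannot matter."""
        return [r for r in self.rules
                if r.conflicts_with in roles and r.holding <= roles]

    def connect(self, user: str, role: str, day: date,
                expires: Optional[date] = None) -> None:
        """Grant `role`, refusing if the resulting active set conflicts."""
        proposed = self.active_roles(user, day) | {role}
        broken = self.violations(proposed)
        if broken:
            detail = "; ".join(f"{sorted(r.holding)} with {r.conflicts_with}" for r in broken)
            raise PermissionError(f"{user}: {role} rejected, conflicts: {detail}")
        self.connections.setdefault(user, set()).add(Connection(role, expires))

    def clone(self, model_user: str, new_user: str, day: date) -> None:
        """'Model user' pattern: copy only the template's currently active grants."""
        for c in self.connections.get(model_user, set()):
            if c.active_on(day):
                self.connect(new_user, c.role, day, c.expires)


# Constructed rule set: one pairwise conflict and one compound conflict.
RULES = [
    ConflictRule(frozenset({"PAY_INIT"}), "PAY_APPROVE"),
    ConflictRule(frozenset({"DEV", "RELEASE"}), "PROD_SUPPORT"),
]


def demo() -> Dict[str, bool]:
    """Scenarios from the post (project role, holiday cover, model user)."""
    store = RoleStore(RULES)
    out: Dict[str, bool] = {}

    def attempt(label: str, *args, **kw) -> None:
        try:
            store.connect(*args, **kw)
            out[label] = True
        except PermissionError:
            out[label] = False

    attempt("alice_dev", "alice", "DEV", date(2024, 1, 10))                      # home role
    attempt("alice_release_project", "alice", "RELEASE", date(2024, 1, 10),
            expires=date(2024, 6, 30))                                           # project role
    attempt("alice_prodsupport_may", "alice", "PROD_SUPPORT", date(2024, 5, 1))  # DEV+RELEASE active
    attempt("alice_prodsupport_july", "alice", "PROD_SUPPORT", date(2024, 7, 1)) # RELEASE expired
    attempt("bob_init", "bob", "PAY_INIT", date(2024, 3, 1))
    attempt("bob_approve_cover", "bob", "PAY_APPROVE", date(2024, 3, 1),
            expires=date(2024, 3, 15))                                           # cover, but SoD
    store.clone("alice", "carol", date(2024, 7, 2))                              # new starter
    carol = store.active_roles("carol", date(2024, 7, 2))
    out["carol_has_release"] = "RELEASE" in carol
    out["carol_has_prodsupport"] = "PROD_SUPPORT" in carol
    return out


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label}: {'granted' if ok else 'rejected'}")
```

Two points worth noting.  The check is made against the whole proposed role set rather than against the role being added, so it gives the same answer whichever order the grants arrive in, and a temporary grant that has expired no longer counts towards a conflict.  Expired connections are left in the store here for simplicity; a real implementation would revoke them, and would also need to re-run the check when a rule is added, since existing users may already hold a newly conflicting combination.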

Finally, nearly every installation pilots RBAC within IT, an area guaranteed to be structured in a way that makes one user/one role impractical, hence making RBAC even less likely to be adopted if flexibility is not the order of the day.

Word-Up Scotland

Saturday at Word-Up Glasgow was phenomenal!

Apart from the usual brilliant sessions by everyone, especially Heather Burns, Kevinjohn Gallagher and Kimb Jones, it was great to chat to guys like Jim Convey and Martin Young to get their take on how best to approach CMS user access in WordPress.

Unlike last year's Edinburgh Word-Up, there were lots more WordPress newbies in attendance, which made for a conference that felt a little less like experienced WordPress techies talking to other WordPress veterans.  As a result, the level of questions and answers made the whole day much more worthwhile for me and has made me enthusiastic to get more involved with the group.  It has also enthused me to do more posting, as you can see.

I will be checking out the Scotland Word-Up site to see when and where the monthly meet-ups will be and go along if possible.  I have also suggested to Martin that we perhaps use a hack space to do some practical hands on sessions.

There is a rumor that there will be a Word Camp in Edinburgh this year as well.  I think I will definitely be up for that one.

GSE Security Group

With a move towards doing some RACF work in the near future, I thought it about time I renewed my relationship with the GSE Security Group, so I'm heading off to Bromsgrove tomorrow and really excited to be meeting up with old friends and acquaintances.  I must admit to being a bit embarrassed about how long it has been since I talked with some of them, but I'm hoping that they will forgive the lack of contact.

Back in the RACF routine

My old friend Julie-Ann (mainframe security guru and general nice person) is putting together a team for a new mainframe RACF security project, and has asked me to be part of it!

How could I refuse?

I am both honoured and a little excited at the illustrious company that I will once again be keeping (Barry Schrager is involved, no less).  It will also be nice to be doing some good honest hands-on techie work at the same time as project management.  So it's time to hit the books (including the ones Julie has written) and make sure that I don't disgrace myself in front of my heroes.