Group based Access Rights Main vs. Subwiki

Hello XWiki-Community,

I have been exploring the features of XWiki for a couple of weeks, but now I am stuck. I hope one of you can provide some help.

What I wanted to do:

  • Configuring subwikis with access only for selected global users.

What did I do:

  • Created a subwiki allowing only global users.
  • Added global users to the subwiki, so they are added automatically to the subwiki’s Local:XWikiAllGroup.
  • Now I tried to disallow viewing pages of the subwiki for all users that are NOT part of the subwiki’s Local:XWikiAllGroup.
  • My approach:
    • Admin > User & Rights > Rights > Show Global & Locals Groups
    • Explicitly Disallow Global:XWikiAllGroup to View
    • Explicitly Allow Local:XWikiAllGroup to View
  • Result:
    • A global user that is part of the subwiki’s Local:XWikiAllGroup is not allowed to view the pages of the subwiki.

I have checked the page https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/Permission%20types/
but that one is more about page vs wiki permissions, so it doesn’t apply to my case.

I also flushed the JMX and XWiki caches in order to avoid any caching issues, as the output of the “Check Security Cache” extension was too complex at first sight.

My Questions:

  • Is my understanding correct that the disallow permission on the Global:XWikiAllGroup is stronger than the allow permission on the subwiki’s Local:XWikiAllGroup, or is the config wrong altogether?
  • Is there an alternative approach to achieve my goal besides granting the view right on the user level (that actually works)?

Thanks a lot
Thorsten

Hi Thorsten,

You don’t really need to use any “deny” right. What you need to do is set the “view, edit, comment” rights to the local XWikiAllGroup. This will be sufficient to deny global users access to the wiki.
Only pages which would then explicitly give rights to global users could be viewable.

Yes it’s the correct understanding. Disallowing is stronger than allow permission.

See above. Unless you fear users would wrongly give rights to global users in your wiki, you don’t need the disallow right… The standard allow right can be understood as:

As long as one right is set for an area, only users (groups, individual users) can access the (wiki, space, page) with the specific (view, edit, comment) set

Hi Ludovic,

thanks a lot for your response.

Most likely I messed up my test scenarios, because your described approach perfectly solves my problem. But I thought I had tested that already, causing me to explicitly deny the Global group the access.

Now the setup is absolutely straightforward and I also got a little more insight into how the permission system in XWiki works.

Thanks again and cheers
Thorsten
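
The two rules discussed in this thread (an explicit deny beats an allow, and setting an allow for one group implicitly denies everyone else), as an added example that is not part of any post above and is not XWiki's own code. It is a simplified wiki-level model; the class and function names are hypothetical, and the "granted" fallback when no rule matches is an assumption of the model.

```python
# Simplified model of the wiki-level rules stated in the thread; not XWiki's code.
ALLOW, DENY = "allow", "deny"
GLOBAL_ALL = "Global:XWikiAllGroup"
LOCAL_ALL = "Local:XWikiAllGroup"

class WikiRights:
    def __init__(self):
        self.rules = {}  # (group, right) -> ALLOW or DENY

    def set_rule(self, group, right, state):
        self.rules[(group, right)] = state

    def check(self, user_groups, right):
        """Return (granted, reason) for a user belonging to user_groups."""
        states = {g: s for (g, r), s in self.rules.items() if r == right}
        if not states:
            # Model assumption: nothing configured means the default applies.
            return True, "no rule set for this right"
        if any(states.get(g) == DENY for g in user_groups):
            return False, "explicit deny beats any allow"
        if any(states.get(g) == ALLOW for g in user_groups):
            return True, "explicit allow"
        if ALLOW in states.values():
            return False, "implicitly denied: an allow is set for other groups"
        return True, "only denies are set and none match"  # model assumption

def original_setup():
    """First attempt in the thread: deny the global group, allow the local one."""
    w = WikiRights()
    w.set_rule(GLOBAL_ALL, "view", DENY)
    w.set_rule(LOCAL_ALL, "view", ALLOW)
    return w

def suggested_setup():
    """Suggested fix: only allow view, edit, comment for the local group."""
    w = WikiRights()
    for right in ("view", "edit", "comment"):
        w.set_rule(LOCAL_ALL, right, ALLOW)
    return w

# Constructed sample users: a global user added to the subwiki is in both groups.
MEMBER = {GLOBAL_ALL, LOCAL_ALL}
OUTSIDER = {GLOBAL_ALL}

if __name__ == "__main__":
    for name, wiki in (("original", original_setup()), ("suggested", suggested_setup())):
        for label, groups in (("member", MEMBER), ("outsider", OUTSIDER)):
            print(name, label, wiki.check(groups, "view"))
```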