Rights problem in subwikis with global-ldap-users in local-subwiki-groups

Hi folks,

Perhaps it is just me, but I cannot get this thing to work:

We have some subwikis, each with a different owner, and I want the owner to manage their groups and rights themselves. My idea was/is:

The main wiki gets users from ldap and holds all the users and some global groups. (e.g. CEOs, CEO-Assists… and so on.) These global users and groups can therefore be used in any wiki.

The numerous subwikis are managed by leaders of different organization units. (e.g. HR, Legal… and so on.)

These subwikis should use local groups, but with global users in them.

But it seems that the local groups in the subwikis with global users in them are not respected/regarded by the “rights management”. So the rights “do not work”.

The users in the subwikis get: you are not allowed to…

I hope it is clear what I mean. If not, please ask.

Any idea?

Otherwise I have to create all groups in the main wiki and the whole groups list would “explode”, as any subwiki would have the whole list from the main wiki.

Regards,
Johannes

They are definitely supposed to be (this is how the “join a wiki” feature works). Would be great if you could give a detailed scenario to reproduce the issue you have.

That is great news. I’ll write it down very, very soon!

So, my attempt to describe the situation:

This is the basic setup.

  • Users come from LDAP to the Main-Wiki and we have some XWiki-Groups (not from LDAP) in it.
  • The Users are shared with the subwikis and the groups are available in the subwiki, too.

If I use the XWiki-Groups from the Main-Wiki, set the rights, then the users are allowed to view the document. If I add the Main-Wiki-Users to a Subwiki-XWiki-Group and set the rights, then they cannot see the document.


Page viewable on site ABC:
image


Page not viewable on the same site ABC:
image


We have no local-only-users in any subwiki.


Users are all from the main wiki and they are not members of the subwiki, as they are authorized through the global XWikiAllGroup. (We remove the XWikiAllGroup rights and restrict to certain groups if something should be hidden.)


Local-XWiki-Group in subwiki with global users:
image


Please ask if anything is unclear.

It’s still a bit generic.

For example on a local instance I was able to do the following:

  • create wiki “subwiki”
  • create user “globaluser” on main wiki -> “globaluser” has view right on “subwiki” home page (inherited from main wiki)
  • create group “subgroup” on wiki “subwiki”
  • give view right to “subgroup” at “subwiki” level -> “globaluser” cannot see “subwiki” home page anymore (because setting the view right broke inheritance)
  • add “globaluser” to “subgroup” -> “globaluser” can see “subwiki” home page now

What would be great is an exact scenario one can reproduce on a fresh XWiki instance (create subwiki “wiki1”, create global user “user1”, etc.) that reproduces the bug. That way we can reproduce and debug it.

Note: no need to include LDAP in the scenario, since once it has created the users it does not have any say in the resolution of the rights.

Thank you very much.
We are investigating some irregularities at the moment:

I’ve been admin for the farm. But now I am removed from the XWikiAdminGroup and even after clearing the group cache, I can still act like an admin. I am not the owner of that wiki.

I am in panic mode. It seems something is totally messed up in our wiki. We have some other strange things:

Until now we added user-1 to a group-1 and allowed this group-1 to access site-a. We removed the rights for the XWikiAllGroup for site-a and then everything was fine.

Now: When disallowing access for XWikiAllGroup, group-1 is not allowed to access the site, too.

I think we need professional support, as it seems we have massive rights-management problems since 12.x or the creation of local groups.

Global rights:
image


my groups:

image


my possibilities in the main and subwikis:

image

@tmortagne
I tried a lot, but I cannot get rid of my admin rights. And therefore we are struggling at the moment, as we have the fear that other rights do not “work” as well.

Do you have an idea where to start?

If you are talking about admin right on the main wiki, this can come from one of the following:

  • your user directly has ADMIN right
  • your user directly has PROGRAMMING right
  • your user is part of a group which has ADMIN right
  • your user is part of a group which has PROGRAMMING right
  • your user is set as owner in the XWiki.XWikiServerXwiki page (the main wiki descriptor); this is generally the case for the user which was created during the first installation of XWiki, if it was not changed

In the main wiki I am the owner, so it is correct that I have admin rights.

But in the subwikis:

  • I have no admin rights
  • I have no programming rights
  • I am not in a group with admin rights
  • I am not in a group with programming rights
  • I am not the owner.

I’ve been the owner, but I removed myself from XWikiAdminGroup. In the subwiki we use global groups, so my admin rights should have been gone.

But in fact I still do have admin rights.

To sum it up:

First thing: Setting rights in subwikis with local XWiki groups and global users in them is working now. Until now we assigned rights with global groups and disallowed the global XWikiAllGroup. With local groups that does not work. Don’t touch the global XWikiAllGroup and everything is fine.

Second thing: I still don’t know why I am admin in subwikis, even though all possible sources for admin rights are not set.

  • I have no admin rights
  • I have no programming rights
  • I am not in a group with admin rights
  • I am not in a group with programming rights
  • I am not the owner.

BUT I am the owner of the main-wiki. Could that be a thing?

My list was related to “admin right on the main wiki”. For the subwikis one thing you are probably missing is that global admins have admin right on all wikis.

Oh, I did not know this. Thank you very much. Case closed!
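
The two rules explained in the replies above (a right allowed at subwiki level stops inheritance from the main wiki, and global admins have admin right on all wikis), as an added example that is not part of the original thread and is not XWiki's own code: a simplified Python model that replays the five-step scenario. The `Farm` class, the `farmowner` user and the main-wiki view rule for XWikiAllGroup are assumptions made for illustration.

```python
MAIN = "xwiki"  # assumed id of the main wiki

class Farm:
    """Toy model of the rules quoted in the thread; not XWiki's own code."""
    def __init__(self):
        self.owners = {}  # wiki id -> owner user reference
        self.groups = {}  # "wiki:XWiki.Group" -> set of member user references
        self.allows = {}  # (wiki id, right) -> subjects allowed at wiki level

    def allow(self, wiki, right, subject):
        self.allows.setdefault((wiki, right), set()).add(subject)

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def _subjects(self, user, wiki):
        # The user plus each group holding them, local to `wiki` or global.
        return {user} | {g for g, members in self.groups.items()
                         if g.split(":")[0] in (wiki, MAIN) and user in members}

    def has_right(self, user, right, wiki):
        if right == "admin":
            if self.owners.get(wiki) == user:
                return True
            # Global admins have admin right on all wikis.
            if wiki != MAIN and self.has_right(user, "admin", MAIN):
                return True
        allowed = self.allows.get((wiki, right))
        if allowed:
            # An allow set at this level breaks inheritance for everyone else.
            return bool(allowed & self._subjects(user, wiki))
        # Nothing set here: inherit from the main wiki (model simplification).
        return wiki != MAIN and self.has_right(user, right, MAIN)

def replay_scenario():
    farm, user = Farm(), "xwiki:XWiki.globaluser"
    farm.owners[MAIN] = "xwiki:XWiki.farmowner"  # constructed owner name
    farm.add_member("xwiki:XWiki.XWikiAllGroup", user)
    farm.allow(MAIN, "view", "xwiki:XWiki.XWikiAllGroup")  # assumed main-wiki rule
    steps = [farm.has_right(user, "view", "subwiki")]       # inherited
    farm.allow("subwiki", "view", "subwiki:XWiki.subgroup")
    steps.append(farm.has_right(user, "view", "subwiki"))   # inheritance broken
    farm.add_member("subwiki:XWiki.subgroup", user)
    steps.append(farm.has_right(user, "view", "subwiki"))   # via local group
    # Subwiki admin limited to a local group the main-wiki owner is not in.
    farm.allow("subwiki", "admin", "subwiki:XWiki.XWikiAdminGroup")
    owner_admin = farm.has_right("xwiki:XWiki.farmowner", "admin", "subwiki")
    return steps, owner_admin, farm.has_right(user, "admin", "subwiki")
```

`replay_scenario()` returns the view result after each step of the scenario, then whether the main-wiki owner and the plain global user hold admin on the subwiki.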