Multi-level ACL Setup

[newbie01]

Hi, Colin,

I am trying to set up ACL for what should be a relatively straight forward nesting category structure.  I have gotten everything to work, except the container categories (for other subcategories), in which no files are to be posted, are not showing up in the dropdown box under Category for Publishing Options.  I would like to ensure that these container categories are shown in the dropdown box since that is the only way my users will be able to distinguish where they are posting the file, given the subcategories have duplicate names.

Below is a sketch of the structure of my categories -

DocType1
|- Cat1
|-|-Region1
|-|-Region2
|- Cat2
|-|-Region1
|-|-Region2
|- Cat3
|-|-Region1
|-|-Region2

DocType2
|- Cat1
|-|-Region1
|-|-Region2
|- Cat2
|-|-Region1
|-|-Region2
|- Cat3
|-|-Region1
|-|-Region2

As it stands now, the dropdown under Category for Publishing Options would show the tree as follows, which is really confusing because DocType is missing -

|- Cat1
|-|-Region1
|-|-Region2
|- Cat2
|-|-Region1
|-|-Region2
|- Cat3
|-|-Region1
|-|-Region2
|- Cat1
|-|-Region1
|-|-Region2
|- Cat2
|-|-Region1
|-|-Region2
|- Cat3
|-|-Region1
|-|-Region2

The ACL is currently setup on the following basis -

   
• DocType1 and DocType2: Container categories in which no files can be posted or downloaded by any group
• All other categories/subcategories: All groups can view and download files
• Cat1, Cat2: Only members of User Group1 can upload files to Cat1.  Similarly, User Group2 to Cat2.
• Cat3: Members of both User Group1 and User Group2 can upload files

ACL settings are as follows -

   
• Default: Not Allowed
• DocType (1, 2, etc.)
     --> Create: Inherited (i.e. Not Allowed)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Inherited  (i.e. Not Allowed)
     --> Download: Allowed (for both User Group1 and User Group2)

   
• DocType (1, 2, etc.)/Cat1: User Group1
     --> Create: Allowed
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Allowed
     --> Download: Inherited (i.e. Allowed)
• DocType (1, 2, etc.)/Cat1: User Group2
     --> Create: Inherited  (i.e. Not Allowed)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Inherited (i.e. Not Allowed)
     --> Download: Inherited (i.e. Allowed)
• DocType (1, 2, etc.)/Cat1/Region (1, 2, etc):
     --> Create: Inherited (i.e. Allowed for User Group1 / Not Allowed for User Group2)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own:  Inherited (i.e. Allowed for User Group1 / Not Allowed for User Group2)
     --> Download: Inherited (i.e. Allowed)

   
• DocType (1, 2, etc.)/Cat2: User Group2
     --> Create: Allowed
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Allowed
     --> Download: Inherited (i.e. Allowed)
• DocType (1, 2, etc.)/Cat2: User Group1
     --> Create: Inherited  (i.e. Not Allowed)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Inherited (i.e. Not Allowed)
     --> Download: Inherited (i.e. Allowed)
• DocType (1, 2, etc.)/Cat2/Region (1, 2, etc):
     --> Create: Inherited (i.e. Allowed for User Group2 / Not Allowed for User Group1)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own:  Inherited (i.e. Allowed for User Group2 / Not Allowed for User Group1)
     --> Download: Inherited (i.e. Allowed)

   
• DocType (1, 2, etc.)/Cat3: For both User Group1 and User Group2
     --> Create: Allowed
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own: Allowed
     --> Download: Inherited (i.e. Allowed)
• DocType (1, 2, etc.)/Cat3/Region (1, 2, etc):
     --> Create: Inherited (i.e. Allowed for both User Group1 and User Group2)
     --> Delete: Inherited  (i.e. Not Allowed)
     --> Edit: Inherited  (i.e. Not Allowed)
     --> Edit Own:  Inherited (i.e. Allowed for both User Group1 and User Group2)
     --> Download: Inherited (i.e. Allowed)

As you can see, the ACL was set up based on the best practice of defaulting to "Not Allowed" and adding "Permissions" by exception.  I would have liked to "Allow" access at the DocType levels, except this will require me to use the "Denied" setting at the subcategory levels (i.e. Cat1 and Cat2), which will functionally disallow both User Group1 and User Group2 access to every single category/subcategory except DocType1/Cat3 and DocType2/Cat3.

Could you please suggest what I may do in this instance so that DocType will be shown in the dropdown box under Category for Publishing Options?

Many thanks again for your support, as always!

Warm regards

[Arno]

It would be useful to send Colin a download link for a jD backup from  your website (via PM).
So he can save much time. 

[ColinM]

Hi
I will look into this.  Structure looks good. And thanks for clear exposition as that really helps.
First reaction is what View Access Levels have you setup as that governs what is visible. 

With a jD backup as Arno suggested allows me to set up an XAMPP version of your arrangement.  Also  might need SuperU access (also by PM of course).

Colin
EDIT:  It might help if you look at the last section, entitled  "An extensive multi department arrangement where each department has multiple sections" , of
http://www.jdownloads.net/documentations/item/controlled-access-to-categories-and-downloads
That shows the importance of the view levels
C

[newbie01]

Hi, Arno and Colin,

Thank you for the quick response!

I have sent Colin a PM with a link to the following files -
1) jD Backup
2) Assets table (so that you can see the ACL configuration)
3) User Group table

I did read the set of instructions you sent before posting the original message but found that it does not address the type of configuration I have.  View Access is set to Registered for all levels, which I understand should be correct since both Group1 and Group2 should be able to view all contents.

In case you need any additional information, please let me know.

Thanks again for the help and guidance!

[newbie01]

Thank you again for working with me!

jDownloads is a great product and the support you guys provide is superb!

[ColinM]

Hi
I have been a bit concerned about the ease with which users who are adding Downloads will select the correct category. Because every UG has Edit Own (EO) capability in all the admissible Cats then all categories will appear for every 'uploader'.
With the exception of multi- disciplinary a 'map' of the second level cats versus User Groups(UGs) is like a square matrix with the diagonal having  Create,Edit Own And Download  permission and all off diagonal elements having C & EO only.

It then occurred to me why should all the off diagonal items have EO capability when users only create in the permitted 'diagonal' elements.  So I have reset the EO permission in the Globals to Inherited and put it back  as allowed in the 'diagonals'.  Thus users should only be able to EO where they can Create.
NB I saw that is what you originally intended anyway

Note I Have only checked the first two principle Categories
This makes things simpler for the Users

Colin

Colin

[newbie01]

Thanks, Colin!

Let me give that a try and give you an update.

Cheers!