Joomla! 1.6 Access Control Proposal
1. Joomla! 1.6
ACCESS CONTROL PROPOSAL
9/7/2009 AmyStephen@tamka.org 1
2. Joomla! 1.6 Access Control
EXISTING SITUATION
3. Joomla! 1.5 Access Control
• One role per User
• System-wide Scope
Four types of permissions:
• System Access
• System Administration
• Content Development
• View Access
4. Joomla! 1.5 ACL: System Access
Two types:
• Registered – Frontend access only
• Special – Frontend and Administrator access
5. Joomla! 1.5 ACL: System Administration
Special Access Level – ability to log on to the Administrator:
• Manager – Backend Publisher
• Administrator – Users and Extensions
• Super Administrator – + Site Template, Cache, Check-in and Global Configuration
6. Joomla! 1.5 ACL: Content Development
Three levels of permission:
• Author – Create and edit what they created
• Editor – + Edit all
• Publisher – + Publish
7. Joomla! 1.5 ACL: View Access
Access Levels:
• Public
• Registered – Logged on
• Special – Backend access
Defined for:
• Categories
• Content
• Menu Items and Modules
8. Joomla! 1.6 Access Control
GOALS AND OBJECTIVES
9. Joomla! 1.6 UX Access Control Goals:
Don’t design it poorly.
Don’t make it complicated.
Don’t make something stupid.
11. Joomla! 1.6 ACL Objectives: System Access
Ability to provide Administrator Access to Frontend users.
12. Joomla! 1.6 ACL Objectives: System Administration
Ability to set up System Administration Groups and assign permissions that fit organizational roles.
Examples:
• Advertising – Banners
• Designer – Templates and Modules
• Site Developer Team – All Extensions, Modules, Menus
13. Joomla! 1.6 ACL Objectives: Content Development
Empower organizations to segment Content with Groups and Access Control Rules that fit their needs.
(Diagram: School – Elementary, Administration – 1st Grade, 2nd Grade, Principal)
14. Joomla! 1.6 ACL Objectives: View Access
Augment View Access Levels to facilitate sharing information based on roles, interest areas, responsibilities, or whatever the needs might be.
(Diagram: Products – Customers; Timesheets, Assignments – Employees; Financials – Accountants)
15. Joomla! 1.6 Access Control
USER MANAGER
16. Joomla! 1.6 User Manager: Options
Suggest moving Global Configuration – System – User Settings here.
A – Legacy parameters that will continue to be used. Note: the fourth parameter, New User Registration Type, is defined on the Group List page.
B – Suggest adding three new parameters:
• Enable Users as Groups
• Enable Content Creator to Update
• Enable New Group Creation for View Level
The first new option helps with Group creation when establishing the Access Level for the Frontend.
The second option lets Web masters decide whether updating is allowed after creation, since updates after publishing have been problematic.
The final option is described in the View Access Level section and is used to enable creation of new Groups when needed for an Access Level in Content development.
17. User Manager: Users List
A – Remove Groups column, problematic since Users can be in multiple Groups
B – Groups listbox can filter by Groups, including Custom Groups
C – Also, the proposed Members list will display one row per Username / Group
18. User Manager: Edit User: Groups
User may be a member of multiple Groups. Groups can be added and removed on the page.
Note: consistent Widget UX object discussed in Group Edit.
19. User Manager: Groups
A – Default User Registration Type
B – System Groups
C – Custom Groups
20. Joomla! 1.6 User Manager: Default User Registration Type (A)
Used to specify the default value assigned to new Users.
Registered is the default Legacy value.
Remove from Global Configuration.
21. Joomla! 1.6 User Manager: System Groups (B)
Public
• Frontend Visitors
• No Membership Editing
• Rules can be created for this Group
• Take Action on Assets associated with Public Access Levels
• Exceptions? Concerns?
Registered
• Logged on Users
• No Membership Editing
• Rules can be created for this Group
• Take Action on Assets associated with Public and Registered Access Levels
Super Administrator
• Full Control
• Cannot delete
• No Rule Editing
• Can manage membership
Do not recommend adding the Legacy System Groups (Author, Editor, Publisher, Manager, Administrator) due to their system-wide capabilities and the confusion they cause.
22. Joomla! 1.6 Access Control
CUSTOM GROUPS, ACCESS
CONTROL RULES, AND MEMBERS
23. Joomla! 1.6 ACL Proposed Rules: Group-Action-Asset
Rules define Who? What? and Where?
Group – Specifies who can perform this action.
Action – Describes what can be done.
Asset – Specifies where this Action is allowed.
Examples: Administrators Manage Plugins. Accountants Publish Articles within the Fiscal Category.
24. Joomla! 1.6 ACL Proposed Rules: Group-Action-Asset
Groups define who can do something.
Recommended:
System Groups: Public, Registered, Super Administrator
Custom Groups: Created, as needed, by the Site Developer
In order for Groups to be useful, it is important that the Interface enable Users to create Groups at the point of selection. More later…
25. Joomla! 1.6 ACL Proposed Rules: Group-Action-Asset
Actions describe what can be done. Extensions can use existing actions or add actions, as needed.
Recommended:
Access: Login
Content-related: View, Respond, Create, Publish (Publish includes Update, Delete, and Archive)
System Administration: Install, Manage, Uninstall
26. Joomla! 1.6 ACL Proposed Rules: Group-Action-Asset
Assets describe where an Action is allowed. Content, Menu Item, and Module Assets can further restrict Actions to a Category or Item.
Examples: Accountants Publish Articles within the Fiscal Category. Parents View Menu Item Upcoming Events.
Recommended:
All Access
• Site (Frontend) Access
• Administrator Access
All Content
• Articles, Banners, Contacts, Contact Form, Comments, Media, Newsfeed, Ratings, and Web Links
• Content Assets can be further specified by Category or Content Item
All Administration
Site Development:
• Global Configuration, Installer, Languages, Menus, Modules, Plugins, Templates
System Management:
• Cache, Check-in, Mass Mail, Messages, Redirect, Users
27. User Manager: Group
- Group Name
- Suggest removing Parent
- Manage ACL Rules Widget (1)
- Manage Group Member Widget (2)
- Proposed Widgets are Edit areas with List, Sort, Filter, Add, and Delete functions.
28. ACL Rules Widget (1)
Add Rule
1. ACL Rules Widget on Group page.
2. Press Add Rule.
3. Widget slides open exposing the Add Rule Form with only the populated Action list box.
4. Select Action.
5. Request sent and Asset list box is populated with entries appropriate for the selected Action.
6. Select Asset.
7. If Asset is of type Content, Menu, or Module, a request is sent and the Categories list box is populated with entries appropriate for the selected Asset (or Menu Items or Module names).
8. Select Category (or Menu Item or Module name).
9. Request sent and the Content Item list box is populated with entries for that Category. The Apply Rule to Child Objects checkbox is presented.
10. Optionally, select Content Item and the Apply Rule to Child Objects checkbox.
11. Press Add Rule to process the change. ACL Rules Widget closes.
Delete Rule
1. Sort, Scroll, Filter, or Search for Rule.
2. Press X to the right of the Rule.
3. Respond to Prompt: Apply Rule Removal to Child Objects.
29. Group Members Widget (2)
Add Member
1. Group Members Widget on Group page.
2. Press Add Member.
3. Widget slides open exposing the Add Member Form.
4. Enter Name in the Autosuggest Listbox.
5. Select Name.
6. Press Add Member to process the change. Group Member Widget closes with the added Member.
Delete Member
1. Sort, Scroll, Filter, or Search for Member.
2. Press X to the right of the Member.
3. Widget slides open exposing the Add Member Form.
4. Respond to Prompt confirming Delete. Group Member Widget presents without the Member.
30. Rules List
- Good resource to sort by Action, Asset, Category, Item, and Group
- Example: find all Groups with Web Links access
32. Joomla! 1.6 Access Control
VIEW ACCESS LEVEL FOR CONTENT,
MENU ITEMS, MODULES
33. Joomla! 1.6 Access Control: View Access Level
Access Level defines who can View content from the Frontend. In 1.5, the default is “Public” and can be changed to “Registered” or “Special.”
Recommendations for Joomla! 1.6:
Build the list of Access Level values from the list of System and Custom Group Names.
Default Access Level to Parent value(s). (Remove the default in Global Configuration.)
Remove the Access column in all List Views since it is no longer required to be a single value. The Access Listbox should remain, allowing identification of content for the selected Access Level (Group).
34. Joomla! 1.6 ACL Proposed Rules: View Access Level
Default Access Level to Parent value(s).
Publish permission is required before the Access Level can be changed; otherwise, hide this Widget.
1 – View Access Level Widget: a Group(s) Selection and Removal Widget enables search for a Group. Multiple Groups can be selected for the Access Level.
2 – New Group Creation: add the User Manager option “Enable New Group Creation for View Level.” If the parameter is activated, the Widget should allow the creation of a Group and automatically add a View Access Rule for the current Object. The Widget should also enable search and selection of Group Members. Note: use the Group Member Widget with a Group Name field.
If additional changes are desired for the new Group, those changes should be made in the User Manager to ensure proper access.
This Widget should be available everywhere the Access List selection is required.
37. Joomla! 1.6 ACL Use Case: Design Test
1. Create Categories
2. Create Pages
3. Create Users
4. Create Groups
5. Assign Members
6. Assign Rules
7. Create Menus
8. Create Menu Items
9. Create Modules
10. Create Templates
(Diagram: category tree – Internal, Office, External, News, Elementary Classroom, Showcase, Portfolios, Student)
38. Joomla! 1.6 ACL Use Case: Design Test
1. Create Categories
2. Create Pages
3. Create Users
4. Create Groups
5. Assign Members
6. Assign Rules
7. Create Menus
8. Create Menu Items
9. Create Modules
10. Create Templates
Users and Groups:
Office Staff – Jean, Sam
Faculty – Lou, Addison
The Student – Rainbow
Parents – Stormy, Skye
39. Joomla! 1.6 ACL Use Case: Design Test – Groups, Rules and Members
Group | Action | Asset | Category | Item | Members
Public | View | Articles | Office | External News |
Public | View | Articles | Classroom | |
Public | View | Menu Item | Showcase | |
Public | View | Menu Item | News | |
Public | View | Menu Item | Office | |
Public | View | Menu Item | External News | |
Public | Respond | Comments | News | |
Registered | View | Menu Item | News | |
Super Administrator | | | | | Sam
Content Administrator | Access | Administrator | | | Jean
Content Administrator | Publish | All Content | | |
Content Administrator | Manage | Users | | |
Content Administrator | Manage | Modules | | |
Content Administrator | Manage | Template | | |
Faculty | Access | Administrator | | | Lou, Addison
Faculty | Create | Articles | Internal News | |
Faculty | View | Menu Item | Internal News | |
Office Staff | Publish | Articles | Office | Internal News | Jean, Sam
Office Staff | Publish | Articles | Office | External News |
Office Staff | View | Menu Item | Office | |
Students | Create | Articles | Student | | Rainbow
Students | Respond | Comment | Student | |
Parents | Respond | Comment | Student | | Stormy, Skye
Teacher | Publish | Articles | Student | | Lou
Teacher | Respond | Comment | Student | |
Teacher | Publish | Articles | News | |
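The following is an added example, written in Python for this page, of how the three-part Group-Action-Asset rules proposed on slides 23–26 can be evaluated against a Design Test like the one tabled above. It is not Joomla! code and is not part of the original proposal. It assumes a deny-by-default evaluator, a constructed category tree (News with Internal News and External News beneath it; Student with Portfolios beneath it), and constructed rules and memberships that follow the table loosely rather than row for row; the Rule and Acl classes, the build_design_test function, and the Portfolios and Upcoming Events entries are illustrative names, not anything from the proposal.

```python
"""Added illustration of Group-Action-Asset rule evaluation (not Joomla! code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Slide 25: Publish includes Update, Delete, and Archive.
IMPLIED_BY = {"Update": "Publish", "Delete": "Publish", "Archive": "Publish"}

# Slide 26: the content assets that an "All Content" rule covers.
CONTENT_ASSETS = {"Articles", "Banners", "Contacts", "Contact Form", "Comments",
                  "Media", "Newsfeed", "Ratings", "Web Links"}


@dataclass(frozen=True)
class Rule:
    """One Group-Action-Asset rule, optionally narrowed to a Category or Item."""
    group: str
    action: str
    asset: str
    category: Optional[str] = None
    item: Optional[str] = None
    cascade: bool = False  # "Apply Rule to Child Objects" (slide 28, step 9)


class Acl:
    def __init__(self, parents: Dict[str, Optional[str]],
                 members: Dict[str, Set[str]], rules: List[Rule]):
        self.parents = parents    # category -> parent category (None = top level)
        self.members = members    # user -> custom groups (a user may be in several)
        self.rules = rules

    def _ancestors(self, category: str) -> Set[str]:
        """The category itself plus every parent up to the top level."""
        found = set()
        while category is not None:
            found.add(category)
            category = self.parents.get(category)
        return found

    def groups_for(self, user: Optional[str]) -> Set[str]:
        """Slide 21: Public applies to every visitor, Registered to logged-on users."""
        groups = {"Public"}
        if user is not None:
            groups.add("Registered")
            groups |= self.members.get(user, set())
        return groups

    def _matches(self, rule: Rule, action: str, asset: str,
                 category: Optional[str], item: Optional[str]) -> bool:
        if rule.action != action:
            return False
        if rule.asset != asset and not (rule.asset == "All Content"
                                        and asset in CONTENT_ASSETS):
            return False
        if rule.item is not None and rule.item != item:
            return False
        if rule.category is not None:
            if category is None:
                return False
            if rule.cascade:
                return rule.category in self._ancestors(category)
            return rule.category == category
        return True

    def is_allowed(self, user: Optional[str], action: str, asset: str,
                   category: Optional[str] = None, item: Optional[str] = None) -> bool:
        """Deny by default; allow if any rule for any of the user's groups matches."""
        groups = self.groups_for(user)
        if "Super Administrator" in groups:   # slide 21: Full Control, no rules needed
            return True
        actions = {action, IMPLIED_BY.get(action, action)}
        return any(rule.group in groups and self._matches(rule, a, asset, category, item)
                   for rule in self.rules for a in actions)


def build_design_test() -> Acl:
    """Constructed data loosely following the Design Test (slides 37-39); the category
    tree and the Portfolios / Upcoming Events entries are assumptions for illustration."""
    parents = {"News": None, "Internal News": "News", "External News": "News",
               "Student": None, "Portfolios": "Student"}
    members = {
        "Jean": {"Content Administrator", "Office Staff"},
        "Sam": {"Super Administrator", "Office Staff"},
        "Lou": {"Faculty", "Teacher"},
        "Addison": {"Faculty"},
        "Rainbow": {"Students"},
        "Stormy": {"Parents"}, "Skye": {"Parents"},
    }
    rules = [
        Rule("Public", "View", "Articles", "External News"),
        Rule("Public", "View", "Menu Item", item="Showcase"),
        Rule("Registered", "View", "Menu Item", item="News"),
        Rule("Content Administrator", "Publish", "All Content"),
        Rule("Content Administrator", "Manage", "Users"),
        Rule("Faculty", "Create", "Articles", "Internal News"),
        Rule("Office Staff", "Publish", "Articles", "News", cascade=True),
        Rule("Students", "Create", "Articles", "Student"),             # no cascade
        Rule("Parents", "Respond", "Comments", "Student"),
        Rule("Parents", "View", "Menu Item", item="Upcoming Events"),  # slide 26 example
        Rule("Teacher", "Publish", "Articles", "Student", cascade=True),
    ]
    return Acl(parents, members, rules)
```

Two points the table alone does not show fall out of running this. First, multiple membership is a union: Lou gains Create in Internal News through Faculty and Publish in Student through Teacher, and Jean gains Manage Users through Content Administrator while still being an Office Staff member. Second, the Apply Rule to Child Objects flag decides how far a Category rule reaches: the Teacher rule on Student cascades to Portfolios, while the Students rule on Student, created without the flag, does not.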
40. Joomla! 1.6 ACL Use Case: Design Test – Conclusion
Access Control Custom Groups and Rules are very powerful and flexible. I do not foresee concerns about major limitations. It should be adequate for any custom need I can imagine.
I do have concerns about usability. Even with my very small Use Case, the configuration required to implement the design – on paper – was considerable.
Consider, in Joomla! 1.5:
• Each User could have only one Group.
• Each content Item, Menu, Menu Item and Module could only have one Group, and typically that remained the default Public value.
Consider the difference for Joomla! 1.6, when Groups, Membership, and three-part Group-Action-Asset Rules are created and applied to cascading layers of Components, Categories, Items, Menus, Menu Items, and Modules.
In short, the User Interface will make or break Access Control in Joomla! 1.6.
The proposed design provides for these recommendations:
• The Access Control, Group, and Membership Widgets must be flexible, and must not require a page load or a visit to another page.
• Widgets must link all information together so that every necessary configuration – be it the Group, Member List, Rules, or even multiple sets of such – is easy to complete iteratively.
• Widgets must be provided to create View Level Access Groups and define Members, to create a truly usable interface.