I'd be interested on other peoples comments on the below server feature requests concerning security. We have a fairly large user base for our server install and we are finding the security settings on the server lack finer grain security:
- Ability to see and select the available 'groups' when setting workflow permissions on the server. When using LDAP authentication, the groups are made available in the ejb-jar.xml file but not visible to user, so an end user has no idea what 'groups' are available for sharing their workflow/folder with!
- Ability to disable world read/write/exec privilages (This would ensure isolation of groups and users on a server where restricted access is necessary for given users)
- Ability to control the Server/Webport login to a finer degree, such as allowing webport login and exec of workflows but not allowing login from the client for workflow view/download. Would be nice if this could be configured on a group basis (i.e.: a given group can login to the webport but not via client)
I'm sure there will be more!
We are certainly monitoring this thread, very good feedback gentlemen!
Points 1 and 3 seem generally very useful and item 2 is something we haven't thought about before but Bernd has some ideas about it (he's following up by email).
My view on James' suggestions:
- good to have
- I'm not sure if I want to be this restrictive. I wonder if the isolation of the groups and users can be achieved with inheriting the permission setting from the parent workgroups. This way, one can create branches only accessible to the specified group(s). I admit that this alternative won't prevent anyone having access to the restricted branch from accidentally granting world access. However, if the permission inheritance is in place, there is less need to open the permission dialog, so less "accidents".
- To separate workflows for execution on webportal from the others, I like to have a dedicated workflow group, say _WEBPORTAL_. Then we know exactly which workflows and workflow groups are exposed to the Webportal users.
Adding to James' wish list, I think that (4) it would be helpful to check and set permissions in a table-like view. And as mentioned above, (5) the permission inheritance and (6) the workflow group dedecated to the Webportal.
Hi Man-ling, great feedback, thanks!