Migrate the security settings on office content

Bug #377779 reported by Paul Everitt
Affects: KARL3
Status: Fix Released
Importance: High
Assigned to: Shane Hathaway

Bug Description

For Wednesday's eval, we'll need the listing of ACL settings based on the report ChrisR sent. We'll do it as a separate console script that can run independently of migration, thus we don't need it (many) hours in advance.

Jason has provided an attachment with the info.

Tags: migration

Jason Lantz (jasontlantz) wrote :

I tried to hash out the format needed from OSI in irc on Friday, but wasn't successful. Thus, I am moving the conversation to Launchpad so we can track it.

I am uploading the file I have created for review. This file contains the following columns:

KARL 2 Export Path
User or Group
KARL 2 Role

There are a few notes about the file:

1. The User or Group entries highlighted in light blue or pink are new groups that need to be added to the GSA user sync XML. Once this is done, a resync of users should set the groups up in the karl3 users folder.

2. The file is currently showing the KARL 2 Roles assigned to the user. This will need to be translated to an ACL that provides the same rights to the user under the new KARL 3 security policy.

3. The rows with the Viewer local role assigned represent content that has a custom view restriction applied. This is content related to New York HR policies that is hidden from everyone except users with the Viewer local role.

Chris Rossi (chris-archimedeanco) wrote :

Hi Jason,

This is fine, but csv would be better.

Thanks!
Chris

Jason Lantz (jasontlantz) wrote :

/people

Changed in karl3:
status: New → Fix Released

Paul Everitt (paul-agendaless) wrote :

Re-opening and assigning to Chris to implement. I'll change the title of the issue.

Changed in karl3:
assignee: Jason Lantz (jasontlantz) → Chris Rossi (chris-archimedeanco)
status: Fix Released → In Progress
description: updated
summary: - Provide security settings for office content
+ Migrate the security settings on office content

Jason Lantz (jasontlantz) wrote :

Sorry, I accidentally closed this ticket thinking it was another ticket.

Jason Lantz (jasontlantz) wrote :

Attaching in csv format if needed. I had it in Excel format so I could highlight a few columns.

Paul Everitt (paul-agendaless) wrote :

After chatting with Shane, he said he would pick this one up. He might have a few questions. He'll start after completing his current task.

Changed in karl3:
assignee: Chris Rossi (chris-archimedeanco) → Shane Hathaway (shane-hathawaymix)
importance: Medium → High

Shane Hathaway (shane-hathawaymix) wrote :

Questions:

- Karl 3 does not have a concept of "Manager". What do those permissions map to? Moderator or administrator?

- Most of the paths in the export file do not exist in Karl 3. It appears that the office files for all cities have been merged into a single office space. Is that right? If so, should people who had manager or administrator rights for just one city now have rights for all cities?

- I have tried to guess the mapping of Karl 2 paths to Karl 3 paths, but is there some document that specifies the path mapping? Users who have made bookmarks will need to know where things have moved.

Paul Everitt (paul-agendaless) wrote : Re: [Bug 377779] Re: Migrate the security settings on office content

Can you list some of the paths that do not exist?

--Paul

Paul Everitt (paul-agendaless) wrote :

I *think* many of the paths might be reference manual folders. We put
those in /offices/files/referencemanuals so perhaps you can look
there. Tomorrow we are reverting the decision to centralize the
reference manuals, so they should return to their original (KARL2)
locations after tomorrow.

--Paul

Shane Hathaway (shane-hathawaymix) wrote :

Paul Everitt wrote:
> I *think* many of the paths might be reference manual folders. We put
> those in /offices/files/referencemanuals so perhaps you can look
> there. Tomorrow we are reverting the decision to centralize the
> reference manuals, so they should return to their original (KARL2)
> locations after tomorrow.

Ok, I'll generate a list of missing paths after that's done.

Shane

Paul Everitt (paul-agendaless) wrote :

Yeh, over half of those settings are referencemanuals folders.

I wonder if that fact has some special meaning we could learn
something from. For example, if it is natural that each "office" has
a group of official content administrators for "administrative" content.

--Paul

Paul Everitt (paul-agendaless) wrote :

cc'ing some others not subscribed to this bug. I think we should plan
a call this morning about it, perhaps with Anthony and Ajo (as Jason
is booked.)

Some notes I found in looking at it this morning:

1) 49 out of the 87 ACL entries were for office reference folders.
This is clearly a trend. [wink]

2) 43 of the 87 entries are for individual people, rather than
groups. Can't we simplify things by putting some of these people into
some groups?

3) I see at least one fossil: bschreiber is an Enfold developer.

4) Shane is right, we have duplication of "Administrator" and
"Manager", for example on forums and offices/budapest (where
group.budapestadmins is both Admin and Manager.)

5) I think all entries that have "jhooper", "jlantz", and "agalietti"
could go away. They are likely to be KarlAdmin anyway. (Though I
suspect jhooper might revert back.)

6) This list doesn't help us on what ACLs to remove. For example, the
default rule is that staff gets to see anything in any office. But
what places is that not true?

Paul Everitt (paul-agendaless) wrote :

Shane, I got some answers back based on a call with OSI just now.

1) We can get rid of Administrator/Manager as a distinction. The
*only* goal they had was to allow add/edit/delete of content in those
folders. I suspect that means "Moderator" in KARL3.

Of course, the KarlAdmin group should get the "let them do anything
anywhere."

2) Remove/ignore any entries for bschreiber.

3) We can skip the entries for jhooper/jlantz/agalietti as they will
be in KarlAdmin.

4) There are 7 Viewer restrictions at the bottom. These are the
exceptions to the rule of "If you're staff, you can see anything in
any office."

5) Anthony (now subscribed to the ticket) will provide us with any
additional Viewer restrictions by commenting on this issue.

--Paul

Anthony (agalietti) wrote :

Security Description Attached Below.

Anthony (agalietti) wrote :

My sheet above is for viewer access.

Anthony (agalietti) wrote :

This is the updated Excel sheet for Viewer Office Security Access. This should replace the last 7 lines of Jason's CSV file submitted earlier. In addition, based on my tests, there is no special security for the Employee Handbook. The Employee Handbook should follow the same security logic as the entire Human Resources Reference Manual.

Shane Hathaway (shane-hathawaymix) wrote :

Here is what I believe needs to happen to finish this task:

- I am waiting for the next content import on the testing server "kdiaa" to test my aclimport tool. I am told that the next import will not change the location of the reference manuals, as previous imports have done. This should solve most of the missing paths.

- We need to look at the group names in the CSV file. I don't know how they map to Karl 3.

- I need to understand the 3 lines in Anthony's viewer list that say "Restricted Content: None". What does that mean? Does it mean those reference manuals should be visible to all authenticated users?

- We need to translate Anthony's viewer list to the CSV file.

- We need to add something to the CSV file that solves bug #378059.

Paul Everitt (paul-agendaless) wrote :

Regarding the group names, these are all managed external to the
system using their "GSA" tool (Global Staff Administrator). There is
a sync script in karl.peopledir (the one with the inadequate unit
tests) that makes groups as needed from the sync data.

Thus, I *think* your second bullet isn't an issue.

I will email Anthony and cc you about bullet 3.

You (Shane) can take care of the last two bullets, I believe.

--Paul

Paul Everitt (paul-agendaless) wrote :

On May 19, 2009, at 6:42 PM, Shane Hathaway wrote:

> - I need to understand the 3 lines in Anthony's viewer list that say
> "Restricted Content: None". What does that mean? Does it mean those
> reference manuals should be visible to all authenticated users?

Hi Anthony. Shane had a question about this part.

If the two of you could maintain a dialog, I can get out of the
message-transfer business. [wink]

--Paul

Shane Hathaway (shane-hathawaymix) wrote :

Implemented in revision 2875. I was able to answer my questions once the paths were resolved. It turns out the group names are all correct, except that they are not lower case in Karl 3.

I also figured out that Anthony's list of viewers actually matches Jason's.

To run the script I wrote using the 2 CSV files:

  bin/aclimport karl2import/office_local_roles.csv
  bin/aclimport karl2import/anthony-roles.csv

Changed in karl3:
status: In Progress → Fix Released
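
An added sketch, not the aclimport script from revision 2875 (its source does not appear in this thread), of the translation rules the comments above settle on: Administrator and Manager collapse to Moderator, stale and KarlAdmin-covered users are skipped, group names are matched case-insensitively, and rows whose path is missing are reported rather than remapped by guesswork. The three-column headerless CSV layout, the function name, the `RestrictedViewer` label and all sample rows are assumptions made for illustration.

```python
import csv
import io

# Decisions recorded in the thread; "RestrictedViewer" is this example's own
# label for a path hidden from staff except the listed principals.
ROLE_MAP = {"Administrator": "Moderator", "Manager": "Moderator",
            "Viewer": "RestrictedViewer"}
DROP_USERS = {"bschreiber"}                      # stale account
COVERED_BY_KARLADMIN = {"jhooper", "jlantz", "agalietti"}


def plan_acl_import(csv_text, existing_paths, karl3_groups):
    """Return (grants, skipped, problems); only `grants` is safe to apply."""
    groups_by_lower = {g.lower(): g for g in karl3_groups}
    grants, skipped, problems = set(), [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            problems.append((tuple(row), "expected 3 columns"))
            continue
        path, principal, role = (cell.strip() for cell in row)
        entry = (path, principal, role)
        if principal in DROP_USERS:
            skipped.append((entry, "stale account"))
        elif principal in COVERED_BY_KARLADMIN:
            skipped.append((entry, "covered by KarlAdmin"))
        elif role not in ROLE_MAP:
            problems.append((entry, "unmapped role"))
        elif path not in existing_paths:
            # Never guess a new location: a wrong guess grants rights elsewhere.
            problems.append((entry, "path not found"))
        elif principal.startswith("group."):
            resolved = groups_by_lower.get(principal.lower())
            if resolved is None:
                problems.append((entry, "unknown group"))
            else:
                grants.add((path, resolved, ROLE_MAP[role]))
        else:
            grants.add((path, principal, ROLE_MAP[role]))
    return sorted(grants), skipped, problems  # the set removes Admin/Manager duplicates


# Constructed sample rows; only the user ids, group.budapestadmins and the
# offices/budapest path come from the thread. Group capitalisation is invented.
SAMPLE_CSV = """\
/offices/budapest,group.budapestadmins,Administrator
/offices/budapest,group.budapestadmins,Manager
/offices/budapest,bschreiber,Manager
/offices/example-city/referencemanuals,jlantz,Administrator
/offices/example-city/hr-policy,group.examplehr,Viewer
/offices/moved-folder,exampleuser,Manager
/offices/budapest,exampleuser,Owner
"""
SAMPLE_PATHS = {"/offices/budapest", "/offices/example-city/referencemanuals",
                "/offices/example-city/hr-policy"}
SAMPLE_GROUPS = {"group.BudapestAdmins", "group.ExampleHR"}
```

Calling `plan_acl_import(SAMPLE_CSV, SAMPLE_PATHS, SAMPLE_GROUPS)` yields two grants, two deliberate skips and two rows that need a human decision before anything is applied.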