Usability issue: group inclusion


Usability issue: group inclusion

by Desilets, Alain



This AM, I was creating a group called PanelParticipant, and I configured it to include two other groups: Editors and admin.

What I expected to happen was that people who are members of Editors or admin would become part of PanelParticipant.

But what happened instead is the opposite. Members of PanelParticipant automatically became members of admins and Editors. Fortunately, I caught the mistake relatively quickly (20 mins afterwards), but it could easily have gone unnoticed for days, and in this particular case it would have resulted in a major breach of confidentiality.

I think this is really bad, and could have major consequences on the security of a site. It seems to me that the definition of group inclusion is wrong, wrong, wrong, and goes against what people naturally expect.

Is this an issue that has been visited before, and if so, what was the rationale for choosing this particular definition of group inclusion?

Alain


_______________________________________________
Tikiwiki-devel mailing list
Tikiwiki-devel@...
https://lists.sourceforge.net/lists/listinfo/tikiwiki-devel

Re: Usability issue: group inclusion

by Sylvie Greverend-3



On Mon, 2009-11-09 at 09:48 -0500, Desilets, Alain wrote:
> This AM, I was creating a group called PanelParticipant, and I
> configured it to include two other groups: Editors and admin.
The string in admin->group:
"Group" will have all the permissions of the included groups.
is not enough?
Perhaps we only have to change 'Include' to 'Permissions included'.


Re: Usability issue: group inclusion

by Rick Sapir-3


You have it backwards.

If you want Editors or Admins to be part of PanelParticipant, then those two groups should include PanelParticipant. Editors and Admins *include* PanelParticipants.

If PanelParticipant includes Editors & Admins, then anyone who is a PanelParticipant will also have Editor and Admin rights. AFAIK, Tiki is doing this correctly.

---
Greetings from Sanford, NC, USA!

Re: Usability issue: group inclusion

by Nelson Ko


The "group inclusion" concept in Tiki has from the beginning meant
"includes the permissions of <group>" or "groups from which permissions
are inherited".

I think making sure the labels say "Permissions included" or
"Permission included from" or something similar might suffice to avoid
confusion.

The way inclusion works in Tiki is from the perspective of the members
of the group:

Think: (Admin group includes Panel Participants group) If Peter is in
the Admin group, then he is included in the Panel Participants group.
Peter is in the Admin group, and the Panel Participants group is one
of his included groups.

Think: (Admin group includes Panel Participants group) All admins are
included in the panel participants group.

However, confusion can arise because in much of English usage, "Admin
group includes Panel Participants group" means "All panel participants
are admins", which is the opposite of what Tiki does, which often
leads to the situation Alain got himself into.



Re: Usability issue: group inclusion

by geoff@enmore


yep agreed.

Group inclusion logic has always been this way and it's always seemed 'right' to me

geoff



Re: Usability issue: group inclusion

by luci aka luciash d' being


hi alain,

you keep surprising me with almost every mail... :-p

at first sight you look like a Tiki power user and tester, at second
sight you appear as if you have seen Tiki for the first time that day...
as the other people say, it has been like that for ages, since the
beginning of the TikiWiki project... if you did this then it is your
responsibility as admin of the site that you don't read properly and
just click and click... you could have made that mistake in many cases
with other options and in other software too.

how come it is suddenly a high usability issue and dangerous stuff that
you have to cry "wrong wrong wrong" at us? wouldn't it be more
appropriate to say "could we change the string to 'Include Permissions'
or something?" when you find that your test users are confused by what
we have?

we will not rewrite the whole Groups perms system just because it is not
"what people naturally expect"... i agree that we can improve some
translation strings towards usability though

thanks,
luci



Re: Usability issue: group inclusion

by Desilets, Alain


Actually, I think that it's Tiki that has it backwards, because in the real world, membership goes contrary to what it is in Tiki.

For example, in the real world, I can say that the group: Citizens of Canada includes the group: Canadian Federal Ministers of Canada. What that means is that all Federal Ministers of Canada enjoy the same privileges as any Citizen of Canada. It certainly does NOT mean that any Citizen of Canada has the same privileges as a Federal Minister of Canada. In particular, as an ordinary Canadian Citizen, I cannot table bills (i.e. proposed laws) at the Chamber of Communes, nor vote on whether or not they should be adopted.

As for the following message (which Sylvie mentions):

   "Group" will have all the permissions of the included groups.

It was obviously not sufficient in my case, since I missed it altogether and didn't notice the error for 20 mins. This string is a bit akin to having a note on a car windshield saying:

  "Note: This car veers left when you turn the steering wheel to the right" ;-)

Note that I am fully aware that this may be very hard to change now, because everyone has set their groups the "wrong" way, and has gotten used to Tiki behaving that way.

Quite unfortunate in my opinion, but there you go.

Alain

Hum... as I look at this some more, I now see that the whole screen is prefaced with "Assign permissions". This suggests that the word "inclusion" refers not to the members of the group, but to the sets of permissions that members of the group enjoy. In other words, if I am administering the group "Canadian Citizens" and I see "include Canadian Federal Ministers", what it really means is this:

"Include the sets of permissions of Canadian Federal Ministers in the permissions of Canadian Citizens".

Note however that this is a pretty unusual way of managing groups. In Windows at least, inclusion is described in terms of a group of users including another group of users.

Also, the "assign permission" caption is strongly contradicted by the nature of the various fields contained on that screen, which have more to do with the overall description of the group than just permissions. So one is not automatically put in an "I am managing groups of permissions" mind frame, in spite of the caption.

Re: Usability issue: group inclusion

by Rick Sapir-3


Sorry, but I don't see any issues. I think it is working as designed (which is,
IMHO, correct).

>
>For example, in the real, world, I can say that the group: Citizens of
>Canada includes the group: Canadian Federal Ministers of Canada. What that
>means is that all Federal Ministers of Canada enjoy the same privileges as
>any Citizen of Canada.
>

Yes. This is (my understanding of) how Tiki currently works. Think of the visual
representation of "Citizens of Canada" includes "Federal Ministers":

.Federal Ministers
.....Citizens of Canada

Permissions inherit downward (from parent to child) -- not upwards. All
Ministers are Citizens (and will have all of Citizens' permissions). But all
Citizens *are not* Ministers.

In your original example you should have your permissions as:

.Editors
.....PanelParticipant
.Admins
.....PanelParticipant

Which translates to:
1. All Editors will include PanelParticipant permissions.
2. All Admins will include PanelParticipant permissions.


Seems to make perfect sense to me.

-R

---
Greetings from Sanford, NC, USA!
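To make the direction of inheritance concrete, here is an added model (not Tiki's own code) of the semantics Nelson and Rick describe: "A includes B" gives members of A the permissions of B, and nothing flows the other way. It puts Alain's mistaken configuration beside the intended one, and adds an audit that flags any inclusion handing a sensitive permission to a group that did not hold it directly. The group names come from the thread; the permission names, users and the SENSITIVE set are constructed for the example.

```python
"""Tiki-style group inclusion, modelled as an added example (not Tiki's code).

"A includes B" means members of A inherit the permissions of B.  Permissions
flow from the included group into the including group; membership does not
flow in either direction.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data.  Permission names are illustrative, not Tiki's
# real permission identifiers.
DIRECT_PERMS: Dict[str, FrozenSet[str]] = {
    "Editors": frozenset({"view", "edit"}),
    "admin": frozenset({"view", "edit", "admin"}),
    "PanelParticipant": frozenset({"view", "read_panel_minutes"}),
}
SENSITIVE: FrozenSet[str] = frozenset({"admin"})  # constructed "watch list"

# What Alain configured: PanelParticipant "includes" Editors and admin.
MISTAKEN_INCLUDES: Dict[str, Set[str]] = {
    "PanelParticipant": {"Editors", "admin"},
}
# What Rick and Nelson describe as the intended setup.
INTENDED_INCLUDES: Dict[str, Set[str]] = {
    "Editors": {"PanelParticipant"},
    "admin": {"PanelParticipant"},
}


def included_groups(group: str, includes: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of the groups whose permissions `group` inherits.

    Follows "includes" edges from the including group to the included ones;
    the visited set guards against cycles (A includes B includes A).
    """
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(includes.get(g, set()))
    seen.discard(group)
    return seen


def effective_perms(group: str, includes: Dict[str, Set[str]],
                    direct: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Direct permissions of `group` plus those of every included group."""
    perms = set(direct.get(group, frozenset()))
    for g in included_groups(group, includes):
        perms |= direct.get(g, frozenset())
    return frozenset(perms)


def audit_inclusions(includes: Dict[str, Set[str]],
                     direct: Dict[str, FrozenSet[str]],
                     sensitive: FrozenSet[str]
                     ) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Flag inclusion edges that hand a sensitive permission to a group that
    did not hold it directly.  Findings are (including, included, gained)."""
    findings = []
    for including, targets in includes.items():
        own = direct.get(including, frozenset())
        for included in sorted(targets):
            gained = (effective_perms(included, includes, direct) - own) & sensitive
            if gained:
                findings.append((including, included, gained))
    return findings


def who_can(perm: str, memberships: Dict[str, Set[str]],
            includes: Dict[str, Set[str]],
            direct: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Users holding `perm` through any of their groups under one config."""
    return {user for user, groups in memberships.items()
            if any(perm in effective_perms(g, includes, direct) for g in groups)}


if __name__ == "__main__":
    # Constructed users: one member per group.
    users = {"alice": {"admin"}, "bob": {"Editors"}, "carol": {"PanelParticipant"}}
    for label, cfg in (("mistaken", MISTAKEN_INCLUDES), ("intended", INTENDED_INCLUDES)):
        print(label, "PanelParticipant ->",
              sorted(effective_perms("PanelParticipant", cfg, DIRECT_PERMS)))
        print(label, "who has admin:", sorted(who_can("admin", users, cfg, DIRECT_PERMS)))
        print(label, "audit:", audit_inclusions(cfg, DIRECT_PERMS, SENSITIVE))
```

Under the mistaken configuration the audit reports PanelParticipant gaining "admin" through its inclusion of admin, which is exactly the exposure Alain describes; under the intended configuration it reports nothing.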

Re: Usability issue: group inclusion

by Desilets, Alain


> The "group inclusion" concept in Tiki has from the beginning has meant
> "includes the permisions of <group>" or "groups from which permissions
> are inherited from".

I don't know for sure, but I'm pretty sure that in Windows at least, group inclusion is based on members of the group, not on permissions. I'm willing to bet that this is also the case for Unix.

> I think making sure labels are to "Permissions included" or
> "Permission included from" or something similar might suffice to avoid
> confusion.

I suspect that will not be enough.

> The way inclusion works in Tiki is from the perspective of the members
> of the group:
>
> Think: (Admin group includes Panel Participants group) If Peter is in
> the Admin group, then he is included in the Panel Participants group.

That very much contradicts how people usually interpret the sentence "Admin group includes Panel Participants group". Most people would interpret that as meaning that if Peter is part of "Panel Participants", then he is member of "Admin".

> However confusion can arise because in much of English usage, "Admin
> group includes Panel Participants group" means "All panel participants
> are admins", which is the opposite of what Tiki does -> which often
> leads to the situation Alain got himself into.

Correct. In addition, I suspect that Tiki's definition of group inclusion is contrary to the way it is defined in most applications and OSes. But I may be wrong on that one.

Alain


On Mon, Nov 9, 2009 at 10:02 AM, Sylvie Greverend <sgreverend@...> wrote:

>
> On Mon, 2009-11-09 at 09:48 -0500, Desilets, Alain wrote:
>> This AM, I was creating a group called PanelParticipant, and I
>> configured it to include two other groups: Editors and admin.
> The string in admin->group:
> "Group" will have all the permissions of the included groups.
> is not enough?
> Perhaps we have only to change Include by 'Permissions included'
>


Re: Usability issue: group inclusion

by Desilets, Alain

Interesting. I suspect it’s another one of those situations where there will be a 50-50 split between folks.

 

Alain

 


From: geoff@enmore [mailto:geoff@...]
Sent: Monday, November 09, 2009 11:31 AM
To: 'Tikiwiki developers'; Desilets, Alain
Subject: RE: [Tikiwiki-devel] Usability issue: group inclusion

 

yep agreed.

 

Group inclusion logic has always been this way and it's always seemed 'right' to me

 

geoff

 


From: Rick Sapir [mailto:rick.sapir@...]
Sent: 09 November 2009 15:08
To: Tikiwiki developers; Desilets, Alain
Subject: Re: [Tikiwiki-devel] Usability issue: group inclusion

You have it backwards.

 

If you want Editors or Admins to be part of PanelParticipant, then those two groups should include PanelParticipant. Editors and Admins *include* PanelParticipants.

 

If PanelParticipant includes Editor & Admins, then anyone who is a PanelParticipant will also have Editor and Admin rights. AFAIK, Tiki is doing this correctly.


---
Greetings from Sanford, NC, USA!


Re: Usability issue: group inclusion

by Eric Kelner, P.E.

Interesting.  From the outset, I understood the concept of including
perms in the way it was intended.  I'm not familiar with how Windows
manages groups, but I like the concept of managing what users can do.  
This provides a great way to manage projects.  For example, I have a
large program consisting of several projects.  I can create a group,
with assigned perms, for each project.  I can then create levels of user
groups, say, "subcontractors," "members," and "managers," with no
perms.  I can then selectively allow visibility by including project
groups in the user groups.  This approach also makes it very easy to
control menu visibility.  I can assign project groups to menu options in
the same way.

The downside to this is that I have to manage object perms too.  So if a
manager creates a wiki page or a file gallery, group perms have to be
assigned to that object, otherwise, non-admin users can't see it.  This
is hard to manage when you have users who don't understand perms.

Eric Kelner, P.E.
Vice President
Letton-Hall Group
210-372-0830 (Office)
210-875-6277 (Cell)
www.letton-hall.com



Desilets, Alain wrote:

> Actually, I think that it's Tiki that has it backwards, because in the real world, membership goes contrary to what it is in Tiki.
>
> For example, in the real world, I can say that the group: Citizens of Canada includes the group: Canadian Federal Ministers of Canada. What that means is that all Federal Ministers of Canada enjoy the same privileges as any Citizen of Canada. It certainly does NOT mean that any Citizen of Canada has the same privileges as a Federal Minister of Canada. In particular, as an ordinary Canadian Citizen, I cannot table bills (i.e. proposed laws) at the Chamber of Communes, nor vote on whether or not they should be adopted.
>
> As for the following message (which Sylvie mentions):
>
>    "Group" will have all the permissions of the included groups.
>
> It was obviously not sufficient in my case, since I missed it altogether and didn't notice the error for 20 mins. This string is a bit akin to having a note on a car windshield saying:
>
>   "Note: This car veers left when you turn the steering wheel to the right" ;-)
>
> Note that I am fully aware that this may be very hard to change now, because everyone has set their groups the "wrong" way, and has gotten used to Tiki behaving that way.
>
> Quite unfortunate in my opinion, but there you go.
>
> Alain
>
> Hum... as I look at this some more, I now see that the whole screen is prefaced with "Assign permissions". This suggests that the word "inclusion" refers not to the members of the group, but to the sets of permissions that members of the group enjoy. In other words, if I am administering the group "Canadian Citizens" and I see "include Canadian Federal Ministers", what it really means is this:
>
> "Include the sets of permissions of Canadian Federal Ministers in the permissions of Canadian Citizens".
>
> Note however that this is a pretty unusual way of managing groups. In Windows at least, inclusion is described in terms of a group of users including another group of users.
>
> Also, the "assign permission" caption is strongly contradicted by the nature of the various fields contained on that screen, which have more to do with the overall description of the group than just permissions. So one is not automatically put in an "I am managing groups of permissions" frame of mind, in spite of the caption.

Re: Usability issue: group inclusion

by Desilets, Alain

> at first sight you look like a Tiki power user and tester, at the
> second you appear like you have seen Tiki for the first time that day...
> as the other people say, it has been like that for ages since the
> beginning of the TikiWiki project... if you did this then it is your
> responsibility as admin of the site that you don't read properly and
> just click and click... you could have made that mistake in many cases with
> other options and in other software too.

Dear Luca,

One of the most important principles of usability is that when the user
makes a mistake, you should treat that as an indication of a problem
with the system, NOT the user. As developers, we too often blame errors
on the users, instead of looking for ways to make the system clearer and
prevent this sort of error.

One of the challenges of Tiki is that it is often deployed in situations
where we give admin privileges to people who don't have a typical admin
profile. I am one of them... If I could get other people to admin my
Tiki sites, I would gladly do so, because I don't really trust myself
with admin tasks, and often read what I THINK something says, instead of
what it ACTUALLY says. That is also the reason why I am not a very good
proofreader, nor a good code inspector. What it DOES make me, however,
is a very good usability tester.

As a developer, you can respond to my mistake in two ways.
 
OPTION 1: Accept the fact that people like me will be administering
Tiki sites, and do whatever you can to prevent us from making mistakes.

OPTION 2: Leave those admins to their own devices, and blame them for
mistakes that they make.

You seem to have chosen OPTION 2, which I find unfortunate.

> how come it is a high usability issue and dangerous stuff suddenly that
> you have to cry "wrong wrong wrong" at us ? wouldn't it be more
> appropriate to say "could we change the string to 'Include Permissions'
> or something ?" when you experience your test users are confused by what
> we have ?

I'm sorry if I sounded too negative. I tend to do that sometimes. Be
assured that my aim is not to blame developers, just to see if we can
improve the system.

> we will not rewrite whole Groups perms system just because it is not
> "what people naturally expect"... i agree that we can improve some
> translation strings towards usability though

I agree that it's too late for that. Let's think about ways to make this
clearer.

Alain


Re: Usability issue: group inclusion

by Desilets, Alain


> >
> > For example, in the real world, I can say that the group: Citizens of
> > Canada includes the group: Canadian Federal Ministers of Canada. What that
> > means is that all Federal Ministers of Canada enjoy the same privileges as
> > any Citizen of Canada.
> >
>
> Yes. This is (my understanding) of how Tiki currently works. Think of a visual
> representation of "Citizens of Canada" includes "Federal Ministers":

Actually, you are "confused" in the exact way that I am. Tiki actually
works the other way around. Try it!

Go to a tiki site to which you have admin rights.

* Create a group "Canadian Ministers"
* Create a group "Canadian Citizens"
** When creating that group include "Canadian Ministers" in it.
* Create a user joe_bloe, and put him in the group "Canadian Citizens"
* Edit user joe_bloe, and you will see that he is now part of both
"Canadian Citizens" and "Canadian Ministers", even though you only
included him in "Canadian Citizens". In other words, you have just given
an ordinary joe ministerial powers!!!


> Permissions inherit downward (from parent to child) -- not upwards. All
> Ministers are Citizens (and will have all of Citizens' permissions). But all
> Citizens *are not* Ministers

I agree 100%! But Tiki works the other way around.

Alain
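As an added example (not Tiki's own code; group, permission and user names are constructed for illustration), here is a small Python model of the inclusion rule Rick describes and of the reproduction steps above: permissions flow from the included group to the including group, so a user placed in "Canadian Citizens" ends up with ministerial permissions. It also includes the audit a site admin would want, flagging any group that holds a sensitive permission only through inclusion, and the reversed configuration that matches the natural reading of "includes".

```python
from collections import deque

# Constructed sample data (not from Tiki): the groups, permissions and user
# from the reproduction steps in the thread. Permission names are made up.
PERMS = {
    "Canadian Citizens": {"view"},
    "Canadian Ministers": {"view", "table_bills"},
}
# Tiki's rule as the thread describes it: "Citizens includes Ministers" gives
# Citizens all of Ministers' permissions, so members of the *including* group
# effectively land in the included group.
INCLUDES_AS_CONFIGURED = {"Canadian Citizens": {"Canadian Ministers"}}
MEMBERS = {"joe_bloe": {"Canadian Citizens"}}
SENSITIVE = {"table_bills"}


def effective_groups(group, includes):
    """Transitive closure of inclusion: every group whose permissions `group`
    inherits, following the direction Tiki applies (including -> included)."""
    seen, queue = {group}, deque([group])
    while queue:
        for inc in includes.get(queue.popleft(), ()):
            if inc not in seen:
                seen.add(inc)
                queue.append(inc)
    return seen


def effective_perms(group, includes, perms):
    """Union of the permissions of every group `group` inherits from."""
    return set().union(*(perms.get(g, set()) for g in effective_groups(group, includes)))


def user_effective_groups(user, members, includes):
    """All groups a user effectively belongs to, via direct membership plus inclusion."""
    groups = set()
    for g in members.get(user, ()):
        groups |= effective_groups(g, includes)
    return groups


def audit_inclusions(includes, perms, sensitive):
    """Flag every (group, permission) pair where a sensitive permission is held
    only through inclusion, i.e. was never granted to the group directly.
    Run after editing groups, this catches the PanelParticipant mistake at once."""
    findings = []
    for g in sorted(set(includes) | set(perms)):
        gained = effective_perms(g, includes, perms) - perms.get(g, set())
        findings.extend((g, p) for p in sorted(gained & sensitive))
    return findings


def reverse_inclusions(includes):
    """Rewrite an inclusion map written under the natural reading ("A includes B"
    means B's members are also A's) into the direction Tiki actually applies."""
    fixed = {}
    for including, included in includes.items():
        for inc in included:
            fixed.setdefault(inc, set()).add(including)
    return fixed


if __name__ == "__main__":
    print(user_effective_groups("joe_bloe", MEMBERS, INCLUDES_AS_CONFIGURED))
    print(audit_inclusions(INCLUDES_AS_CONFIGURED, PERMS, SENSITIVE))
    fixed = reverse_inclusions(INCLUDES_AS_CONFIGURED)
    print(fixed, audit_inclusions(fixed, PERMS, SENSITIVE))
```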


Re: Usability issue: group inclusion

by Desilets, Alain

> Interesting.  From the outset, I understood the concept of including
> perms in the way it was intended.  I'm not familiar with how Windows
> manages groups, but I like the concept of managing what users can do.
> This provides a great way to manage projects.  For example, I have a
> large program consisting of several projects.  I can create a group,
> with assigned perms, for each project.  I can then create levels of user
> groups, say, "subcontractors," "members," and "managers," with no
> perms.  I can then selectively allow visibility by including project
> groups in the user groups.  This approach also makes it very easy to
> control menu visibility.  I can assign project groups to menu options in
> the same way.

I agree with you. Being able to define different levels of permissions
through the definition of groups is invaluable. I am not arguing against
that. I am just trying to figure out a way to make it clearer to users
when they are giving a group more permissions, or less permissions than
another. It seems to be confusing, given that both Rick Sapir and I made
the same mistake of thinking that when Group A includes Group B, it
means that Group B may have more permissions than Group A (not the
other way around).

Alain


Re: Usability issue: group inclusion

by Giancarlo Pinerolo

In the Group management, that should be read:

"has the permissions of, and is included in, Group XYZ"

Giancarlo
