Hello,
I'm just about finished evaluating Everlive and Icenium, and I think it has everything I need. In fact, I think it's absolutely wonderful. There is one outstanding issue, though, that I need help understanding. I've tried adding Acls, but during the evaluation, I'm not allowed to use Item-level security. Before committing, I want to make absolutely certain I know this will work for me. Can you please tell me if the following scenario sounds plausible to you?
Consider two simple Content Types, Groups and Messages. Using the Master key I will add Groups, then add an Admin user to each Group. There could be hundreds of Groups/Admins.
As mobile users sign up, they will be made part of one Group at Sign up via Cloud Code. At sign up the user provides the name of a Group, and beforeCreate looks up the Group's Id and stores it as part of the User record.
After eight sign ups, the data might look like this:
Groups   Users
------   ---------------
1        Admin1, 1, 5, 8
2        Admin2, 2, 3, 7
3        Admin3, 4, 6
Just to be clear, users Admin1, 1, 5 and 8 are part of Group 1. Admin2, 2, 3 and 7 are part of Group 2, etc. For each Group, only the corresponding Admin user will be able to add items for members of its group. Users other than the Admin cannot add items, so all items are owned by Admins. After a few are added, the Messages Content Type could look like this:
Id   Owner    UserId   Content
--   ------   ------   ----------
1    Admin1   5        Message 1
2    Admin2   2        Hi
3    Admin3   6        Hello
4    Admin1   8        Test 1 2 3
Here are my requirements:
Admin1 needs C+R+U+D access for all Messages for users 1, 5 and 8
Admin2 needs C+R+U+D access for all Messages for users 2, 3 and 7, etc.
Admin2 should not have any access to records for users 1, 5 and 8, and vice versa
No one can create a Group without the Master key
No one but an Admin can create a Message
User 1 needs R+D access for all Messages with user = 1
User 1 should have no access to Messages where UserId <> 1
No one can have Master key access
No one can have any access to Groups
1) In general, does this look feasible? I don't care what combination of Roles, Content Type, or item-level permissions I need to use, as long as it can be accomplished.
2) What general permission scheme do I set for the Group and Messages content types? "Private" seems to be the only choice that would deny readers, but it allows writers. "Read-Only" prohibits writing, but would let anyone read. Shared and Public allow readers and/or writers. Ay carumba!
3) At the item level, for each Message, is it as simple as leaving the Admin as the item's owner, and adding an Acl that sets UsersCanRead and UsersCanDelete for the single user that is allowed to R+D the Message?
4) I had to open up the Groups Content Type for Anonymous access to get the beforeCreate cloud code to be able to look up the user's group. As noted, I don't want anyone but the cloud code to be able to read the Groups content type. How can I secure it from everyone, but keep the cloud code from getting the 403?
Thanks in advance!
Kelly
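As an added example (not Everlive's own code or API), the JavaScript below models the scheme described in this post: Admins own the Messages, each Message carries an ACL that names the single user in UsersCanRead and UsersCanDelete, and Groups are reachable only with the master key. The rules for combining owner, ACL and role (owner has full access to own items, a listed user gets only the listed operation, only the Admin role may create, anonymous gets nothing) are assumptions, and user 5 stands in for user 1 in the checks because the sample data holds no Messages for user 1.

```javascript
// Added model of the post's ACL scheme; the access rules are assumptions,
// not Everlive's implementation. Sample data is constructed from the post.
const MASTER = 'master-key';
const users = {
  Admin1: { group: 1, roles: ['Admin'] }, Admin2: { group: 2, roles: ['Admin'] },
  Admin3: { group: 3, roles: ['Admin'] },
  1: { group: 1 }, 2: { group: 2 }, 3: { group: 2 }, 4: { group: 3 },
  5: { group: 1 }, 6: { group: 3 }, 7: { group: 2 }, 8: { group: 1 },
};
// Each Message is owned by its Admin; the ACL lists only the target user.
const messages = [
  { Id: 1, Owner: 'Admin1', UserId: '5', Content: 'Message 1' },
  { Id: 2, Owner: 'Admin2', UserId: '2', Content: 'Hi' },
  { Id: 3, Owner: 'Admin3', UserId: '6', Content: 'Hello' },
  { Id: 4, Owner: 'Admin1', UserId: '8', Content: 'Test 1 2 3' },
].map(m => ({ ...m, acl: { UsersCanRead: [m.UserId], UsersCanDelete: [m.UserId] } }));

const aclField = { read: 'UsersCanRead', update: 'UsersCanUpdate', delete: 'UsersCanDelete' };

// Decide whether `principal` may perform `op` on a Message item (assumed rules).
function canAccessMessage(principal, op, item) {
  if (principal === MASTER) return true;              // master key bypasses everything
  const u = users[principal];
  if (!u) return false;                               // anonymous: a Private type denies all
  if (op === 'create') return (u.roles || []).includes('Admin'); // role-gated create
  if (item.Owner === principal) return true;          // owner keeps R+U+D on own items
  return (item.acl[aclField[op]] || []).includes(principal); // per-item, per-op grant
}

// Groups are never exposed to end users; only the master key reaches them.
function canAccessGroups(principal) { return principal === MASTER; }

// Evaluate the post's requirements against the model; every value should be true.
function checkRequirements() {
  const ops = ['read', 'update', 'delete'];
  const forUsers = ids => messages.filter(m => ids.includes(m.UserId));
  const all = (p, items, opList, expect) =>
    items.every(i => opList.every(op => canAccessMessage(p, op, i) === expect));
  return {
    admin1Crud: canAccessMessage('Admin1', 'create') && all('Admin1', forUsers(['1', '5', '8']), ops, true),
    admin2NoCrossGroup: all('Admin2', forUsers(['1', '5', '8']), ops, false),
    onlyMasterTouchesGroups: canAccessGroups(MASTER) && !canAccessGroups('Admin1') && !canAccessGroups('1'),
    onlyAdminCreatesMessage: !canAccessMessage('1', 'create') && canAccessMessage('Admin2', 'create'),
    user5ReadDeleteOwn: all('5', forUsers(['5']), ['read', 'delete'], true) && all('5', forUsers(['5']), ['update'], false),
    user5NothingElse: all('5', messages.filter(m => m.UserId !== '5'), ops, false),
  };
}
```

If a requirement changes (for example, Admins needing update rights on items they do not own), adjusting the rules in canAccessMessage and re-running checkRequirements shows immediately which guarantees are lost.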