Lennart Regebro <lennart@torped.se> wrote:
With workgroups you create ten workgroups. Within each workgrup you assign users to their respective roles. You then add the workgroups to the correct places in the hierarchy. It also opens for the possibility to assign workgroup managers that can create users and add them to their groups without having any other manager rights (although this could be added later to make it easier to implement).
Okay now I understand. It's indeed another form of indirect management of local roles. In getRolesInContext you'd have to have examine __ac_local_workgroups__, containing the list of workgroup ids, and to know what user->role mapping a workgroup has you'd have to consult the place where the workgroup definitions are stored, probably the acl_user of the user we're currently looking at. Then it's simply :-) a matter of user interface. There's also the question of what permissions are needed to modify a workgroup of course. Does this match what you want ? Looks quite feasible to me, and I think it can be done pretty independantly of the user groups I propose. Florent -- Florent Guillaume, Nuxeo (Paris, France) +33 1 40 33 79 10 http://nuxeo.com mailto:fg@nuxeo.com