Better UX for the backend user module - managing be user groups, rights assignment
I would like to make a suggestion for a more user-friendly backend user groups module.
When you have multiple backend users and backend usergroups, it's really complicated to keep track of the rights assignment.
You have the users and you can assign groups to the user but you don't know which particular rights the user has. You have to go into each be usergroup to find out which checkmarks are set. Comparing 3 or 4 different groups is almost impossible. Sure, you can name the be groups to make the purpose clear and split them for functionality/roles (ACL Group, Database mount group, page groups etc.). We already use this approach and have a lot of groups because some groups inherit from each other.
Let's say someone sets a right in the wrong group... you have to check every group which is assigned to the user to find out what is wrong.
Add a new tab "user rights" to the be user properties where you can see all options and usergroups in a 2-dimensional overview (see the attached screenshot). Vertically you see all the ACL, DM, PG options and horizontally you see all usergroups. With this view you can easily see all the groups and rights which the user has. You can easily check if you have assigned the same right to multiple groups, you can change and edit the groups' rights, maybe create new groups as well. That way you don't have to switch the usergroups to check the rights assignment, which can be very time-consuming.
Maybe you have other suggestions or want to add something. I think there is much potential to optimize the rights assignment workflow. Maybe not for the upcoming LTS10, but maybe for LTS11...
#1 Updated by Georg Ringer 24 days ago
- Status changed from New to Needs Feedback
Thanks for creating this feature request, which is totally valid. Can you check out the current master (or 10.3 release)? I have already improved the whole situation a lot with #90298.
Now you will see in the BE user module which groups a user is assigned to, which of those are directly added and which are added via some other groups. Additionally, all permissions are shown in the detail view (not all in the compare view). Note: Styling is not finished and will be done with #90533.
It would be quite hard to track which setting is added with which group. Maybe the current situation is enough for you and I could close this issue? Thanks!
Thank you. I just took a look at the current 10.4-dev branch.
The backend user overview is better now, because the current approach makes it easier to see all permissions assigned to a user, which is really good. :)
However, as someone who has to maintain those groups and assignments, I would like to see why a certain permission has been assigned to the user and which group is responsible for the user having this permission. If I want to check why a user still has the permission X (when he shouldn't), I still have to go through all the groups to find the group responsible.
Imagine you have multiple people who maintain these groups. Sooner or later people make errors and assign permissions to the wrong groups. In order to find those errors later, you have to check every group and find the group which has the wrong permission.
So, a good workflow would be that you see a compare view of be groups and can easily spot the error and directly correct it in that view (so you don't have to go back to the group and correct the permission).
So, in terms of error handling nothing has changed, I think.
I saw that you have added a feature #90826 for comparing be user groups. In the current version I don't see that feature (I can only compare users). I think that is a good feature.
Without seeing the user interface of that be group compare view, I assume it works like the user comparison, where you can compare multiple users by adding users to a compare view and clicking the "compare" button, after which you see every user in a compare view?
So, does the be group comparison work the same way: You can make a list of groups you want to compare by manually adding be_groups to a list and then click a "compare" button?
If that is the case, would it be possible to integrate a "compare be groups" button directly in the user's properties which would, if clicked, add all assigned usergroups from that user to the be group comparison view? Perhaps group dependencies can also be made visible in that compare view?
So, I think finding a solution for an optimal workflow to handle be groups/users and permission errors was my intention to start this issue/feature discussion. I'm happy that it's not forgotten because I think that this is a part where TYPO3 can be improved a lot.
If not for the upcoming LTS, maybe for the next. Maybe other users also want to contribute their thoughts. So, I would be against closing this discussion. :)
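
The tracing problem discussed in this thread (which group, directly assigned or inherited, is responsible for a given permission), shown as an added Python example that is not part of the thread and not TYPO3 code. The group names, permission labels and dictionary layout are constructed for illustration and do not reflect TYPO3's database schema.

```python
# Constructed sample data: group names and permission labels are hypothetical,
# not read from a TYPO3 installation.
GROUPS = {
    "editors":        {"subgroups": ["acl_pages", "dbmount_site_a"], "perms": {"module:web_layout"}},
    "acl_pages":      {"subgroups": ["acl_base"], "perms": {"tables_modify:pages"}},
    "acl_base":       {"subgroups": [], "perms": {"tables_select:pages"}},
    # Misplaced right: a mount-point group that also grants a table permission.
    "dbmount_site_a": {"subgroups": [], "perms": {"db_mount:site_a", "tables_modify:pages"}},
    "news_admins":    {"subgroups": ["acl_base"], "perms": {"tables_modify:tx_news"}},
}
USER_GROUPS = {"jdoe": ["editors", "news_admins"]}

def resolve_groups(direct, groups):
    """Map every reachable group to all inheritance paths that lead to it."""
    paths, stack = {}, [[g] for g in reversed(direct)]
    while stack:
        path = stack.pop()
        name = path[-1]
        if name not in groups:          # dangling reference to a deleted group
            continue
        paths.setdefault(name, []).append(path)
        for sub in groups[name]["subgroups"]:
            if sub not in path:         # guard against circular subgroup chains
                stack.append(path + [sub])
    return paths

def permission_sources(user, user_groups=USER_GROUPS, groups=GROUPS):
    """Map each effective permission to the sorted groups that grant it."""
    sources = {}
    for name in resolve_groups(user_groups[user], groups):
        for perm in groups[name]["perms"]:
            sources.setdefault(perm, []).append(name)
    return {perm: sorted(names) for perm, names in sources.items()}

def why(user, perm, user_groups=USER_GROUPS, groups=GROUPS):
    """List every assignment path through which the user receives perm."""
    reached = resolve_groups(user_groups[user], groups)
    return sorted(" > ".join(p) for name, ps in reached.items()
                  if perm in groups[name]["perms"] for p in ps)

def matrix(user):
    """Render permissions (rows) against granting groups (columns)."""
    sources = permission_sources(user)
    cols = sorted({g for names in sources.values() for g in names})
    rows = ["permission".ljust(24) + " ".join(cols)]
    for perm in sorted(sources):
        marks = " ".join(("x" if g in sources[perm] else ".").ljust(len(g)) for g in cols)
        rows.append(perm.ljust(24) + marks)
    return "\n".join(rows)
```

`why("jdoe", "tables_modify:pages")` returns both `editors > acl_pages` and `editors > dbmount_site_a`, so removing the right from only one group would leave the user with the permission.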