Suggestion: Permissions can be painful - Simplify it with Effective Permissions or RSOP tools

[OverDriveAdamJ]

Excerpts taken from my Support ticket #583533, re-worded, and added to.

I'm used to Active Directory permissions in an enterprise environment. In Windows this is known as the "Effective Permissions" tool that can be used to find out what the resultant permissions are on a user for a specific folder. If you have access to Windows XP SP3 or above, right click on a folder, go to security tab, Advanced button, and Effective Permissions. This is one of the most useful tools in Windows Server environments to confirm either permission to, or lack of permission to a folder. This tab is a savior as it tells the permissions of the user you choose on the folder you went to this tab on.

My suggestion is for IPB to develop something similar to this, perhaps a tab in the forum permissions area or something to that nature that has select a user function. Then it will show all the permissions that user has. In Windows it can get quite complex depending on what Advanced screen the effective permissions is on (for folder - read,modify,deny - for the basics, but it varies as to which screen they're on and can be as complex as in Active Directory Users and Groups - can create objects, can delete objects, read, modify, can take ownership, can read attributes, can write attributes, can delete attributes, etc).


If you want to surpass Microsoft's "Effective Permissions" tab on folders, you can go 1 step further like Microsoft's RSOP (Resultant Set of Policies) MMC (Server 2003/2008) which has 2 modes, planning and logging mode. Logging mode will tell you effective group policies for an object, and how they came to be - what policies were implemented in which order, which policy won for each setting. Planning will allow you to take a user and simulate policies, to find out which is the best to use that will give the user least permissions while still being able to do the things they need to.

This way as you develop the permission levels, and as you get more complex with the primary groups, secondary groups, overwriting masks, and new permission ways you guys come up with, the overall managing structure and planning will be easier for everyone.