Basic knowledge about Open Atrium permissions can be found in the user docs: http://docs.openatrium.com/documentation/access-control-content and associated pages.

To understand Open Atrium (OA) permissions it is important to realize OA is built upon Organic Groups (OG) and uses the OG permission settings. You can find more about OG permissions here.

OA and OG both use the term "group", which can cause confusion. OA uses two kinds of OG groups: Groups ("a collection of users") and Spaces ("a subset of content that is shared among a collection of users", aka "a collection of content").

Using OG permissions means that in these instances Drupal permissions (admin/people/permissions) no longer control create, read, update and delete (CRUD) rights to content. So although you will find a setting "Document Page: Create new content" there, enabling it for authenticated users won't allow your users to create content in Groups or Spaces.
Note that OG has a setting at admin/config/group/settings to use "Strict node access permissions". This is turned on by default in OA. Most permissions will be controlled by OG, but not all: for example, authoring information is still controlled by the Drupal permission "Administer content".

If you go to admin/config/group/permissions you will find the permissions for both OG groups. They look exactly the same, but they control the permissions for User-groups (OA Groups) and Content-groups (OA Spaces).

Note that in addition to Groups and Spaces, OA uses subsets of both: Teams as a subset of User-groups and Sections as a subset of Content-groups. Spaces can contain Sections. Teams only exist in a single Space, while Groups span across multiple Spaces. There is no direct relation between Groups and Teams: Teams are an ad-hoc collection of users. Teams are always private.

To use discrete content permissions within OA Spaces, first inspect the defaults at: admin/config/group/permissions. These defaults apply to every OA Space.

To override permission defaults for a specific Space:

  • Go to the Space and click edit.
  • Click the Inheritance fieldset.
  • Under “Group roles and permissions” choose “Override default roles and permissions”
  • Save the form.
  • At the top right hand side of the page click on the gear and choose Config.
  • Under Config choose “permissions” and you can set the permissions that will apply to this Space only.

Ok, so how do I implement all this? Can you give me an example?

In general, in Open Atrium you do not use "roles": neither Drupal roles nor OG roles.

In Atrium, what you are supposed to do is assign users to an Atrium Group. Set the OG permissions for members of that Group to custom, and then tweak the permissions however you want. Then assign that Group to a Space. Now users who are members of the Group will have their Group permissions within the Space. Group permissions are additive, so if a user is a member of multiple Groups, any Group that allows the permission will take effect.

As a concrete example:

  1. Turn off the "Create Document Content" OG permission for the Space members.
  2. Create a Group called "Contributors".
  3. In the Contributors custom Group permissions, enable "Create Document Content" for members.

Now, a normal member of the space won't be able to create documents. But if the user is added as a member of the Contributors group, they will be able to create documents.
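The additive behaviour has a consequence worth checking before you rely on removing someone from a Group: another Group may still grant the same permission. The following is an added example, not Open Atrium or OG code. It is a small Python model of the Contributors scenario above; the users, the "Editors" Group, the "view content" permission and all function names are constructed for illustration, and it assumes Group members get their Group permissions in any Space the Group is assigned to.

```python
from dataclasses import dataclass, field

CREATE_DOC = "create document content"   # label from the example above
VIEW = "view content"                    # hypothetical second permission

@dataclass
class Space:
    name: str
    member_perms: set                    # OG permissions for plain Space members
    members: set = field(default_factory=set)
    # Groups assigned to this Space -> their custom member permissions
    group_perms: dict = field(default_factory=dict)

def grants(space, user, group_members):
    """Return {permission: [sources]} for user in space.

    Permissions are additive: one allowing source is enough to hold it.
    """
    result = {}
    if user in space.members:
        for perm in space.member_perms:
            result.setdefault(perm, []).append("space member")
    for group, perms in sorted(space.group_perms.items()):
        if user in group_members.get(group, set()):
            for perm in perms:
                result.setdefault(perm, []).append(f"group:{group}")
    return result

def can(space, user, group_members, perm):
    return perm in grants(space, user, group_members)

def still_granted_by(space, user, group_members, perm, removed_group):
    """Sources that keep granting perm after user leaves removed_group."""
    sources = grants(space, user, group_members).get(perm, [])
    return [s for s in sources if s != f"group:{removed_group}"]

# Constructed sample data: create-document is off for plain Space members.
SPACE = Space("Projects", member_perms={VIEW},
              members={"alice", "bob", "carol"},
              group_perms={"Contributors": {CREATE_DOC},
                           "Editors": {CREATE_DOC}})
GROUP_MEMBERS = {"Contributors": {"bob", "carol"}, "Editors": {"carol"}}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, grants(SPACE, user, GROUP_MEMBERS).get(CREATE_DOC, []))
    print(still_granted_by(SPACE, "carol", GROUP_MEMBERS, CREATE_DOC,
                           "Contributors"))
```

In this model, removing carol from Contributors does not take away document creation, because Editors still allows it.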

So, "Groups" work much like "Roles". The reason for doing this in Atrium is that you can map Group membership to various user identity management systems such as LDAP or Active Directory, where you might have existing access-control groups that define who is allowed to do what. It's much easier to map those LDAP/AD "groups" into Atrium Groups than it is to create new roles for each one. Roles can get very cumbersome in Drupal when you need more than a couple.

Permissions in Workbench Moderation

Permissions in Workbench Moderation are a bit backwards from the norm: submodules *revoke* access rather than *grant* access. Typically this means you will set the Drupal Workbench Moderation permissions (including View Unpublished content) to be allowed for all authenticated users, then use OG permissions to restrict to Members and/or Space Admins, then optionally use OA permissions to restrict to Groups/Teams.

Comments

riverrat

All the above is interesting but I can't create a group in the first place. Tried to ask how to in drupalanswers but regarded as too general. Where do I go for help?

prairiedog

Hello riverrat. You might find this helpful:

http://docs.openatrium.com/content/groups

Groups in OA are actually content types, rather than something otherwise related to users and permissions (a strange concept to some new users of OA). Hope the above is of assistance.

Georges Gorges

Problem solved, sorry; did not find your very helpful post before deleting my post...

prairiedog

Hi George. I will try to help. The directions you cited above need some breaking down. (Also note that this would be a great topic to add in the Drupal Forums rather than here on this direction page.)

Rather than posting a long response here, we've added a .PDF document on our company website: MVC Contribution to Comment 13397019--Dec 2019