From: David L. <llo...@ad...> - 2004-02-13 23:34:30
Ryan et al,

> Something that really does need to be addressed ASAP is to create sane
> defaults for a User group at installation time (i.e. not Admin).

Tell me about it.

> Right now, installation involves creating a group, creating a user,
> then spending ages clicking through individual rights and setting them
> correctly.

If the user's first experience with moregroupware is:

"I've logged in as admin and this product is really cool. So now I'll add POINTY HAIRED BOSS with username PHB and pass BASTARD"

...well I can see P.H.B calling me his password when he first uses the product and gets:

"You don't have the rights to view this module"

> Perhaps this strategy, in theory, forces users to create secure
> policies, but in reality, people are either totally giving up on the
> project as soon as they realize the work that needs to be done, or just
> blindly clicking "Allow" to everything because they quite frankly can't
> be stuffed going through it all.

It's not secure. It's unusable and it's as simple as that. I teach security courses and that's the one thing that I make SURE everyone learns first:

1. Secure - means only appropriate and authorised access is granted
2. Unusable - means that the "security" is so difficult to get by you don't use it - or WORSE you circumvent it

> Is this a responsibility of the -dev team, or of the -ui team? What
> should the default group be called? "Default" isn't a good choice,
> IMHO, as most users will delete this group, create another, then
> realize that they have to go through the whole Rights2 pain again
> (unless, of course, our defaults *do* apply to newly created
> Groups/Users, which seems even more sane).

I don't suppose the default group of users could be called, well, ummm, errr, DRUM ROLL: "users"?

DSL

--
"What about the Age of Reason?" [John Farnham]