The week before last I was in Sorrento at the Plone Open Gardens and presented a talk on some work we had been doing at Netsight on doing transparent Single Sign On to Plone using Active Directory (using Kerberos). This was all in response to an intranet we had been working on the week before for the National Health Service here in the UK.
Today I just saw a post from Tony Byrne of Real Story Group on User Management in CMSes. So I thought I'd try and tie the two together and give a real world example of the flexibility of user management in Plone.
I'm often asked at trade shows and the like "What sets Plone apart from [insert other CMS here]?". Most CMSes do much the same thing. Some have areas that are stronger than others, or work in different ways around a particular topic. One thing that always seems to come up as a strength of Plone though is its user management. I've yet to come across another CMS that is quite as flexible and powerful as Plone in the way that it works with managing user permissions, roles and groups.
In fact I wrote about this here on this blog almost exactly four years ago. But it is an important topic, and the one thing that Tony's blog post made me think is that it is an area that maybe we take for granted in Plone and don't shout about enough.
Plone's security model is hierarchical. You can assign local roles to a user or a group in any folder in the site and that role will apply for that user in every sub-folder beneath it. This means that you can give Mary from HR the role of 'Editor' in the folder called 'HR Policies' and she will be able to edit anything in that folder and any sub-folders. But she won't be able to edit anything in, e.g., the 'Marketing' folder elsewhere in the site.
Not only that, but you can assign users to groups and you can assign roles to groups in a particular location in the site, e.g. anyone who is a member of the Marketing group can have the role of Editor in the 'Marketing' folder.
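To make those two rules concrete, here is an added toy model of how local roles granted to users or groups are acquired down the folder tree, and how a permission check resolves through roles. This is illustrative code written for this post, not Plone's own implementation; the user names, group names, folder paths and the permission-to-role map are all constructed sample data.

```python
from typing import Dict, List, Set

# Constructed sample data: which groups each user belongs to.
GROUPS: Dict[str, Set[str]] = {
    "mary": {"hr"},
    "bob": {"marketing"},
}

# Constructed local roles: folder path -> principal (user or group id) -> roles.
# Roles granted on a folder apply to everything beneath it.
LOCAL_ROLES: Dict[str, Dict[str, Set[str]]] = {
    "/": {"mary": {"Member"}, "bob": {"Member"}},
    "/hr-policies": {"mary": {"Editor"}},        # Mary, as a user
    "/marketing": {"marketing": {"Editor"}},     # the Marketing group
}

# Constructed permission -> roles map. Plone maps permissions to roles;
# users and groups are only ever given roles, never permissions directly.
PERMISSION_ROLES: Dict[str, Set[str]] = {
    "View": {"Member", "Editor", "Manager"},
    "Modify portal content": {"Editor", "Manager"},
}


def ancestors(path: str) -> List[str]:
    """Return every folder from the site root down to path, root first."""
    parts = [p for p in path.split("/") if p]
    chain = ["/"]
    for i in range(len(parts)):
        chain.append("/" + "/".join(parts[: i + 1]))
    return chain


def effective_roles(user: str, path: str) -> Set[str]:
    """Union of roles granted at path or any ancestor, to the user or its groups."""
    principals = {user} | GROUPS.get(user, set())
    roles: Set[str] = set()
    for folder in ancestors(path):
        for principal, granted in LOCAL_ROLES.get(folder, {}).items():
            if principal in principals:
                roles |= granted
    return roles


def has_permission(user: str, permission: str, path: str) -> bool:
    """True if any of the user's effective roles at path carries the permission."""
    return bool(effective_roles(user, path) & PERMISSION_ROLES[permission])
```

Real Plone can additionally block local-role inheritance on a given folder, which this toy model deliberately leaves out.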
Where the real power comes in is that you can use external sources of information to populate which users are members of which groups. You can also mix and match. Plone breaks the process down not into just the two steps Tony details (authentication and authorisation), but into a total of 11 different 'facets' of user management. These are all handled by the Pluggable Authentication Service in Plone and allow you to use different plugins to handle different aspects, e.g.:
- Extracting credentials from the user
- Authenticating the user
- Storing and managing properties and information about the user
- Searching and listing users and groups
- Assigning users to groups
These can all be combined together to provide a very flexible system.
In the case of the NHS Intranet I mentioned above, we had to create a single intranet with transparent SSO that worked with two separate Active Directory domains. Half the users are in one domain and half in another. This is a common scenario we see when organisations merge, restructure or are acquired.
Using Plone's Pluggable Authentication Service we were able to combine various authentication plugins to provide the best experience for intranet users. It will attempt to transparently log you in using Windows Integrated Authentication if you are on a Windows computer connected to one of the two AD domains. Failing that you can manually type in your AD credentials and it will authenticate them via an LDAP query to the relevant AD server. And as a third option you can be a locally defined user in Plone and have a username and password that is not in AD at all.
I'm not sure how well other systems handle requirements as complex (but quite common) as this, but I know that you can't achieve the same thing in SharePoint without setting up multiple SharePoint servers and separate URLs, which adds a lot of complexity, confusion and cost.