11 Replies Latest reply on Feb 4, 2011 5:25 AM by mposolda

    Map LDAP groups to security roles in Gatein

    dew

      Hi, I have some problems and some questions:

      We have an existing LDAP structure and we want to use it.

      I used the PicketLink example file to map LDAP groups to GateIn portal groups.
      I mapped them into the /platform/* parent group in GateIn.

      Question: How can I map only one group?
      Our LDAP:

      +Groups
                        -group1
                        -group2
                        -…

      Question: How are memberships mapped?

      We need to use the function request.isUserInRole() in our portlets and servlets. This requires, for each portlet where we use JEE security roles, adding the roles to portlet.xml (<security-role-ref>). In this case a role equals a group in the portal groups.
      It works, but not for servlets.

      Question: Does GateIn map portal groups to security groups? Where is it defined?

      Question: Where can I map LDAP groups into security roles?

      Question: Where can I map several roles (roles mapped to groups from LDAP) into one role?

      Thank you very much for your help...

        • 1. Map LDAP groups to security roles in Gatein
          mposolda

          Hello,

          There is a special component, "RolesExtractor", for mapping portal groups into security groups. The default implementation of this component is the class org.exoplatform.services.security.impl.DefaultRolesExtractorImpl,
          and the most important part is in the method "extractRoles", in this piece of code:

                // One role name is derived from each portal group the user is a member of
                for (MembershipEntry membership : memberships)
                {
                   // "/platform/users" -> ["platform", "users"] (empty tokens are dropped)
                   String[] splittedGroupName = StringUtils.split(membership.getGroup(), "/");

                   // Group under the configured parent group (default "platform"):
                   // the last path element becomes the role
                   if (userRoleParentGroup != null && splittedGroupName[0].equals(userRoleParentGroup)
                      && splittedGroupName.length > 1)
                   {
                      roles.add(splittedGroupName[splittedGroupName.length - 1]);
                   }
                   // Any other group: the first path element becomes the role
                   else
                   {
                      roles.add(splittedGroupName[0]);
                   }
                }

          The variable "userRoleParentGroup" is read from configuration and its default value is "platform". So for all subgroups of "platform" the last path element will be used as the security group, and for the rest the first element will be used.

          For example: your user is in the portal groups "/platform/users", "/platform/administrators", "/platform/users/employees", "/partners". Then after the RolesExtractor algorithm has been processed, your user will be in the J2EE security groups "users", "administrators", "employees", "partners".

          Actually, the role "users" is needed if you don't want a "403 Forbidden" error when you try a private URL (this is defined as standard web authentication in $JBOSS_HOME/server/default/deploy/gatein.ear/02portal.war/WEB-INF/web.xml).

          Hope this helps,
          Marek

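The algorithm Marek quotes, re-implemented in Python as an added example for this thread (it is not GateIn's code): it reproduces the `extractRoles` branch logic so you can check what roles a given set of portal group paths maps to. The sample group lists are constructed from the example in the reply and from the question; the `is_user_in_role` helper is an assumption that models what a portlet's `request.isUserInRole()` resolves to once the extractor has run. The last sample shows the practical consequence for LDAP groups that are not under `/platform`: every nested group under `/group1` collapses to the single role `group1`.

```python
# Model of GateIn's DefaultRolesExtractorImpl.extractRoles, written for this
# thread as an illustration; it is not GateIn's own code.  Group ids are the
# portal group paths ("/platform/users"); the return value is the set of
# J2EE role names the portlet container will see for the user.

def extract_roles(group_ids, user_role_parent_group="platform"):
    """Derive role names from portal group paths the way the quoted Java does.

    * Under the configured parent group (default "platform"), the last path
      element is the role:  /platform/users/employees -> "employees".
    * For every other group the first path element is the role:
      /partners -> "partners", but also /group1/group2/group3 -> "group1".
    """
    roles = set()
    for group_id in group_ids:
        # Like StringUtils.split, drop the empty token produced by the leading "/".
        parts = [p for p in group_id.split("/") if p]
        if not parts:
            # The Java code would throw ArrayIndexOutOfBoundsException here;
            # an empty group id is treated as contributing no role.
            continue
        if (user_role_parent_group is not None
                and parts[0] == user_role_parent_group
                and len(parts) > 1):
            roles.add(parts[-1])
        else:
            roles.add(parts[0])
    return roles


def is_user_in_role(group_ids, role, user_role_parent_group="platform"):
    """Assumed model of request.isUserInRole(role) for a user with these groups."""
    return role in extract_roles(group_ids, user_role_parent_group)


# Constructed sample memberships from the example in the reply above.
SAMPLE_GROUPS = ["/platform/users", "/platform/administrators",
                 "/platform/users/employees", "/partners"]

# Constructed LDAP-mapped groups as in the original question: note that every
# nested group under /group1 collapses to the single role "group1".
LDAP_GROUPS = ["/group1/group2/group3", "/group1/group2/group4"]

if __name__ == "__main__":
    print(sorted(extract_roles(SAMPLE_GROUPS)))      # administrators, employees, partners, users
    print(sorted(extract_roles(LDAP_GROUPS)))        # group1
    print(is_user_in_role(SAMPLE_GROUPS, "users"))   # True
    print(is_user_in_role(LDAP_GROUPS, "group3"))    # False
```

If your LDAP groups live outside the parent group, either set `userRoleParentGroup` to the root of your tree (then only the leaf becomes a role) or override `extractRoles`, as the thread goes on to do.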
          • 2. Map LDAP groups to security roles in Gatein
            dew

            Thanks very much, I will try something.
            Thanks

            • 3. Re: Map LDAP groups to security roles in Gatein
              dew

               OK,

               Now I have portal groups mapped from LDAP via PicketLink in read-only mode:

               platform/user
               .....

               My groups from LDAP:

               /group1/group2/group3
               /group1/group2/group4

               -group1
                    +group2
                         +group3
                         +group4

               I need to log in only users from LDAP.

               I overrode the extractRoles function so that users in group3 have the security roles group2, group3, and users in group4 have the security roles group2, group4.

               This is OK, this is what I want, but

               now I need to show UIToolbarContainer only for users in role group2 (including group3 and group4) (the default is for /platform/users). How can I do that?

               In sharedlayout.xml I put:
               <access-permissions>*:/group1/group2</access-permissions>
               but it is not working.

               When I put:
               <access-permissions>*:/group1/group2/group3</access-permissions>

               the toolbar is shown, but only for users in role group3,

               but on the toolbar there are only the site and group links, and items are missing (application registry, organization, etc.; I need them). When I click on the group link I get only "You don't have permission" (in the attached picture).

               Thanks
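Two pieces modelled on this post, written as an added example for the thread (not GateIn code). The first is an `extractRoles` variant that does what dew describes: every element of the group path except the root becomes a role, so a member of `/group1/group2/group3` gets `{group2, group3}`. The second models how a GateIn access-permission expression such as `*:/group1/group2` is evaluated against a user's memberships: the expression is `membershipType:groupId` and matches only a membership in exactly that group, not in a subgroup, which is consistent with what dew observed (the toolbar appeared only once the permission named `/group1/group2/group3`). The `Membership` type, the `member` membership type for PicketLink-mapped users, the `*` wildcard and the `;`-separated list of several expressions are assumptions about the deployment and the permission syntax; check them against your GateIn version.

```python
# Added example for this thread (not GateIn code): a "subtree" roles extractor
# and a model of how <access-permissions> expressions are matched.
from collections import namedtuple

# A portal membership as the identity carries it: type ("member", "manager",
# ...) and the portal group id.  A read-only PicketLink mapping is assumed to
# give every LDAP group member the type "member".
Membership = namedtuple("Membership", "type group")


def extract_roles_subtree(memberships):
    """Role set per the override in the post: all path elements below the root.

    /group1/group2/group3 -> {"group2", "group3"}; the root "group1" is dropped.
    """
    roles = set()
    for m in memberships:
        parts = [p for p in m.group.split("/") if p]
        roles.update(parts[1:])  # skip "group1", keep group2, group3, ...
    return roles


def has_permission(memberships, access_permissions):
    """Evaluate an <access-permissions> value against the user's memberships.

    Each expression is "membershipType:/group/id"; "*" accepts any membership
    type.  Several expressions may be joined with ";" (assumed syntax) and any
    one of them granting access is enough.  The group must match exactly: a
    membership in /group1/group2/group3 does NOT satisfy "*:/group1/group2".
    """
    for expression in access_permissions.split(";"):
        expression = expression.strip()
        if not expression:
            continue
        membership_type, sep, group = expression.partition(":")
        if not sep:
            continue  # malformed expression grants nothing
        for m in memberships:
            if m.group == group and membership_type in ("*", m.type):
                return True
    return False


# Constructed memberships for the two kinds of LDAP users in the post.
GROUP3_USER = [Membership("member", "/group1/group2/group3")]
GROUP4_USER = [Membership("member", "/group1/group2/group4")]

if __name__ == "__main__":
    print(sorted(extract_roles_subtree(GROUP3_USER)))              # ['group2', 'group3']
    print(has_permission(GROUP3_USER, "*:/group1/group2"))         # False: exact group needed
    print(has_permission(GROUP3_USER, "*:/group1/group2/group3"))  # True
    # Granting the whole subtree means listing each subgroup (or making the
    # users members of /group1/group2 itself).
    print(has_permission(GROUP4_USER,
                         "*:/group1/group2/group3;*:/group1/group2/group4"))  # True
```

The point for the toolbar problem: a role named `group2` in the J2EE sense does not make the user a member of the portal group `/group1/group2`, and `<access-permissions>` is evaluated against group memberships, not against extracted roles. Either list each subgroup in the permission or give the users an actual membership in `/group1/group2`.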

              • 4. Re: Map LDAP groups to security roles in Gatein
                mposolda

                 Interesting, I think that these access permissions should work in sharedlayout.xml. Maybe you can try to delete the database and check again (if you are using HSQLDB, you only need to delete the directory $JBOSS_HOME/server/default/data to delete the database).

                 Another approach can be to tweak the user roles according to your needs. For example, there is the login module class CustomMembershipLoginModule, which can be added to the login module chain. This login module can be used to add all users into a predefined group (for example into /platform/users) after a successful login. More info is here: https://issues.jboss.org/browse/GTNPORTAL-1347 .

                 So you can use this login module if you want to add all users. If you want to add only some users to /platform/users (for example only users from your group2 or its subgroups), you can try to create your own login module implementation according to your needs, using CustomMembershipLoginModule for inspiration.

                 Hope this helps,
                 Marek

                • 5. Re: Map LDAP groups to security roles in Gatein
                  dew

                   Thanks for the reply,
                   but I don't want to use the platform group and GateIn's other portal groups. I want to use only the groups mapped from LDAP.
                   Marek

                  • 6. Re: Map LDAP groups to security roles in Gatein
                    dew

                     The top toolbar is shown only for users in the role role_portal-admin (set in sharedlayout.xml).

                     But on the toolbar the links to the following are missing:

                     1. Administrator's pages, Executive Board pages, Users pages
                     2. Site editor: Add new page, Edit page, Edit Layout.

                     How can I set that up?

                    • 7. Re: Map LDAP groups to security roles in Gatein
                      mposolda

                       Ad 1 - Each group has its own navigation, so you can create navigation for your groups. Administrator's pages are visible only for members of the group /platform/administrators, Executive Board pages for members of /organization/management/executiveboard, and Users pages for members of the group /platform/users. It seems that your users are not in these groups; they are in custom groups like /group1/group2 etc. So you will need to create navigation for these groups, and you can add pages according to your needs. You can do it easily through the UI ( http://localhost:8080/portal/private/classic/groupnavigation ).

                       You will probably need to tweak the permissions of pages as well. For example, the applicationRegistry page or the PageManagement page are visible only for /platform/administrators by default. This is also doable from the UI: you can log in as the root user and change the permissions of pages on the PageManagement page.

                       Ad 2 - Site editor - You can't see it due to this code in the class org.exoplatform.toolbar.webui.component.UIAdminToolbarPortlet:

                            // The admin toolbar portlet renders only when the user may edit
                            // the current navigation, the current page or the portal itself
                            if (hasEditPermissionOnNavigation() || hasEditPermissionOnPage() || hasEditPermissionOnPortal())
                            {
                               super.processRender(app, context);
                            }

                       So if your user does not have permission to edit the page or edit the portal, the AdminToolbar link is not shown. So you will again need to change the permissions of pages and the permission of the portal. This is initially doable by the root user. When users from your group /group1/group2 have permission to edit a particular portal or page, the links will be shown on the toolbar.

                       Good luck,
                       Marek

                      • 8. Re: Map LDAP groups to security roles in Gatein
                        dew

                         Hi,
                         thanks.

                         Now I have the Site editor: Add new page, Edit layout, Edit page.

                         But the links from the Group section are not shown. Where can I set that up?

                         Thank you

                        • 9. Map LDAP groups to security roles in Gatein
                          mposolda

                           Hi Marek,

                           Did you try to create group navigations for your custom groups ( /group1/group2 etc. )? You can do it for example through the UI with these steps:
                           - Log in as root
                           - Go to http://localhost:8080/portal/private/classic/groupnavigation
                           - Click "Add navigation" and select your group.
                           - Add navigation nodes to your navigation. These nodes can point to pages with administration portlets (like Application registry, Page management, Organization management, ...), or you can create your own pages and add administration portlets to those pages.

                           After logging out and logging in again as a user from the group /group1/group2, you should be able to see the group navigation for your group.

                          • 10. Re: Map LDAP groups to security roles in Gatein
                            dew

                             Thanks, but I cannot use the UI. I have to use configuration files.

                            • 11. Map LDAP groups to security roles in Gatein
                              mposolda

                               So you can add your groups into server/default/deploy/gatein.ear/02portal.war/WEB-INF/conf/portal/portal-configuration.xml (parameter group.configuration) and create pages.xml and navigation.xml for your groups inside the directory structure in server/default/deploy/gatein.ear/02portal.war/WEB-INF/conf/portal/group .

                               You can use the existing group navigation configuration for inspiration, and some documentation is here: http://docs.jboss.com/gatein/portal/3.1.0-FINAL/reference-guide/en-US/html/chap-Reference_Guide-Development.html#sect-Reference_Guide-Portal_Navigation_Configuration-Group_Navigation .

                               Don't forget to delete your DB and restart the portal after making changes in the configuration files if you want to see them.

                               Hope this helps,
                               Marek
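A skeleton of the two files Marek refers to, as an added example for this thread (it is not taken from GateIn's shipped configuration): a group navigation and one administration page for the LDAP-mapped group /group1/group2. Element names follow the gatein_objects_1_0 schema used by GateIn 3.1's own group/platform/administrators files; the directory path, the node name and label, the `member` membership type in the edit permission and the choice of exoadmin portlets are assumptions for illustration, so compare against the shipped files for your version before deploying.

```xml
<!-- WEB-INF/conf/portal/group/group1/group2/navigation.xml  (directory path is an assumption) -->
<node-navigation
    xmlns="http://www.gatein.org/xml/ns/gatein_objects_1_0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.gatein.org/xml/ns/gatein_objects_1_0 http://www.gatein.org/xml/ns/gatein_objects_1_0">
  <priority>2</priority>
  <page-nodes>
    <node>
      <uri>administration</uri>
      <name>administration</name>
      <label>Administration</label>
      <!-- page-reference is "group::<group id>::<page name>" -->
      <page-reference>group::/group1/group2::administration</page-reference>
    </node>
  </page-nodes>
</node-navigation>

<!-- WEB-INF/conf/portal/group/group1/group2/pages.xml -->
<page-set
    xmlns="http://www.gatein.org/xml/ns/gatein_objects_1_0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.gatein.org/xml/ns/gatein_objects_1_0 http://www.gatein.org/xml/ns/gatein_objects_1_0">
  <page>
    <name>administration</name>
    <title>Administration</title>
    <!-- Access permissions match the exact group: members of
         /group1/group2/group3 are not matched by *:/group1/group2, so list
         each subgroup that should see the page. -->
    <access-permissions>*:/group1/group2/group3;*:/group1/group2/group4</access-permissions>
    <!-- The edit permission is what makes the Site editor links appear
         on the toolbar for these users (membership type is an assumption). -->
    <edit-permission>member:/group1/group2/group3</edit-permission>
    <portlet-application>
      <portlet>
        <application-ref>exoadmin</application-ref>
        <portlet-ref>ApplicationRegistryPortlet</portlet-ref>
      </portlet>
      <title>Application Registry</title>
      <access-permissions>*:/group1/group2/group3;*:/group1/group2/group4</access-permissions>
      <show-info-bar>false</show-info-bar>
    </portlet-application>
    <portlet-application>
      <portlet>
        <application-ref>exoadmin</application-ref>
        <portlet-ref>OrganizationPortlet</portlet-ref>
      </portlet>
      <title>Organization</title>
      <access-permissions>*:/group1/group2/group3;*:/group1/group2/group4</access-permissions>
      <show-info-bar>false</show-info-bar>
    </portlet-application>
  </page>
</page-set>
```

Keep the page-level and portlet-level access permissions in step: the portlet's own `access-permissions` is checked separately, so a page the user can open may still render empty if the portlet inside it is restricted to /platform/administrators. Also remember that giving LDAP users the right to place exoadmin portlets is giving them portal administration rights; grant it only to the subgroup that actually needs it, and, as the reply says, delete the database before restarting so the changed files are re-imported.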