Cascade Permissions

Summary

Cascade permissions are set at the folder level and inherited by child folders. They are group-based. The groups exist in Cascade but are maintained in Active Directory (AD). The Cascade groups are populated with their list of members by an LDAP Sync process that pulls the appropriate AD group and updates the Cascade group.

To add or delete a user, you edit the AD group, not the group in Cascade. There are a few exceptions for test user accounts or vendors which are local to Cascade and not part of the sync. These are userids like Test_Contributor or eworobec_BREI.

The LDAP Sync process uses an XML-based script, which we maintain, that maps/pairs each AD group to its equivalent group in Cascade. The LDAP Sync runs on a schedule, currently once a day at 9:30pm, or can be kicked off manually.

Most groups we’ll need have already been created at this point, so typically we only need to add a new user to an existing Active Directory (AD) group and let the sync run that night, or kick it off manually.

Determining the Group

To determine which group(s) to add a new user to, you can:

  • See what AD group a similar user is a member of by viewing the ALL WEB USERS tab of this Google Doc:
    https://docs.google.com/spreadsheets/d/1o2yGLbXtgVeccTqv-zz9Y_yyUr8XTwVtjbPdckSAvjs/edit?usp=sharing. There is an AD Group column.
  • See what Cascade group a similar user is a member of by going to the Administrator menu and clicking on the Users or Groups options. Most of the AD group names are nearly identical to the Cascade group names, so it is fairly easy to tell which ones pair together. The LDAP script or the Google Doc are another way to see how they pair up.
  • Look at a particular folder in the Cascade site tree to see what group(s) have access. Do this by going to the folder, doing a right-mouse click and choosing the Access option. This will list the groups at the bottom. All folders have the Web Coordinators and Sitewide Contributors groups. The extra group(s) are the users. For example, on the /students/academic-resources/advising/ folder the extra group is Academic-Advising.

Adding a User to an Existing Group

Launch the Active Directory Users and Computers application with your 500 server account (not your personal userid). Do this by doing a shift-right-mouse click and choosing Run as a Different User. All the Cascade groups are in the chapman.edu | Chapman – OC | IST | CMS folder structure. They have names such as Web CMS Academic Advising, Web CMS Dodge College, etc. Each contains the network userids of the members. Add the new user and save.

With the next LDAP Sync the members in Cascade will be updated with the members in the AD group (as paired in the script). You can manually kick off the script or wait for the nightly job.

Once the script has run you can go to the Administration menu in Cascade and either go to the Group and look at the list of members, or go to the User and look at the list of their groups. If they are not in the new group, then one of these occurred:

  • LDAP Sync didn’t run
  • LDAP Sync had errors
  • the user is in an OU other than Staff and that OU doesn’t have an entry in the LDAP Script yet.

If successful, and the user is brand new, you should edit the User and assign the “Chapman.edu” site as their default site.

Please also update our list of users and the AD and Cascade groups they are in, in this Google Doc. If you need access, contact Ross Loehner: https://docs.google.com/spreadsheets/d/1o2yGLbXtgVeccTqv-zz9Y_yyUr8XTwVtjbPdckSAvjs/edit#gid=996278443

Creating a New Group

If a new group is needed there are many more steps. In a nutshell, you must create the AD group, create the Cascade group, update the LDAP script, run the LDAP sync, add the new group to the Access (permissions) on the appropriate parent folder in the site tree, and propagate them down to subfolders.

  1. Create the new AD group
    Launch the Active Directory Users and Computers application with your 500 server account (not your personal userid). Do this by doing a shift-right-mouse click and choosing Run as a Different User. All the Cascade groups are in the chapman.edu | Chapman – OC | IST | CMS folder structure. From the CMS folder do a right-mouse click and Add New Group. They all have names such as Web CMS Academic Advising. Once the group is created, add the network userids to it.
  2. Create the new Cascade group
    In Cascade, go to the Administration menu and click on Groups. There is an Add Group link. The new group name should be similar to the others and closely match the AD group name, e.g. Academic-Advising. Leave the Users blank but choose Contributors for the Role.
  3. Edit and run the LDAP Sync
    Follow directions in other portions of this document. The new group must be added in 2 places in the script, then the script must be run to populate the users from AD group into the Cascade group. If any users are brand new Cascade users, their userid should be edited in Cascade to make Chapman.edu their default site.
  4. Add the New Group to Folders in the Sitetree
    Follow directions in other portions of this document. Please also update our list of users and the AD and Cascade groups they are in, in this Google Doc. If you need access, contact Ross Loehner: https://docs.google.com/spreadsheets/d/1o2yGLbXtgVeccTqv-zz9Y_yyUr8XTwVtjbPdckSAvjs/edit#gid=996278443

The LDAP Script

In the script each group will usually have one entry that maps to the OU for Staff. Upon occasion we will have additional entries in the script to repeat the pairing for the same group for OU=Faculty, or OU=Students, or OU=Student and Temp Workers, but only as needed. A typical staff entry for the Academic-Advising group would look like this:

  <user-policy summary="Academic-Advising Group">
    <container-identifier>OU=STAFF,OU=People,DC=chapman,DC=edu</container-identifier>
    <object-attribute-filter>
      <name>memberOf</name>
      <value>CN=Web CMS Academic Advising,OU=CMS,OU=IST,OU=Chapman – OC,DC=chapman,DC=edu</value>
    </object-attribute-filter>
    <username-attribute>sAMAccountName</username-attribute>
    <email-attribute>userPrincipalName</email-attribute>
    <full-name-attribute>displayName</full-name-attribute>
    <authenticate-against-ldap-server>yes</authenticate-against-ldap-server>
    <enable-new-users>yes</enable-new-users>
    <convert-usernames-to-lowercase>yes</convert-usernames-to-lowercase>
    <authentication-mode>ldap</authentication-mode>
    <system-groups remove-from-other-groups="No">
      <group>
        <name>Academic-Advising</name>
      </group>
    </system-groups>
    <system-roles remove-from-other-roles="No">
      <role>Contributor</role>
    </system-roles>
  </user-policy>

Prior to the entries that pair each set of groups, there are lines at the top of the script that make each group a part of All Users. If a new group were added, it would need an entry like the example shown above, and also a line in the freeform-filter tag, for example:

(memberOf=CN=Web CMS Academic Advising,OU=CMS,OU=IST,OU=Chapman – OC,DC=chapman,DC=edu)
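Because a new group has to be entered in both places (the user-policy and the freeform-filter), it is easy to forget one. The following Python is an added consistency check, not part of Cascade or the real LDAP script: it parses a sync script and reports any AD group DN that has a user-policy but no freeform-filter clause, or the reverse. The sample script is constructed, and it assumes the freeform-filter holds an LDAP OR of (memberOf=...) clauses.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample script (not the real file): Academic-Advising is mapped in
# both places; Dodge-College has a user-policy but no freeform-filter line.
SAMPLE_SCRIPT = """<ldap-config>
  <freeform-filter>(|(memberOf=CN=Web CMS Academic Advising,OU=CMS,OU=IST,DC=chapman,DC=edu))</freeform-filter>
  <user-policy summary="Academic-Advising Group">
    <object-attribute-filter>
      <name>memberOf</name>
      <value>CN=Web CMS Academic Advising,OU=CMS,OU=IST,DC=chapman,DC=edu</value>
    </object-attribute-filter>
    <system-groups remove-from-other-groups="No"><group><name>Academic-Advising</name></group></system-groups>
  </user-policy>
  <user-policy summary="Dodge-College Group">
    <object-attribute-filter>
      <name>memberOf</name>
      <value>CN=Web CMS Dodge College,OU=CMS,OU=IST,DC=chapman,DC=edu</value>
    </object-attribute-filter>
    <system-groups remove-from-other-groups="No"><group><name>Dodge-College</name></group></system-groups>
  </user-policy>
</ldap-config>"""

# One (memberOf=<DN>) clause in the freeform filter; DNs contain no parentheses.
MEMBEROF_CLAUSE = re.compile(r"\(memberOf=([^()]+)\)")

def policy_mapping(xml_text):
    """Map each AD group DN used in a user-policy to the Cascade group names it fills."""
    mapping = {}
    for policy in ET.fromstring(xml_text).iter("user-policy"):
        for oaf in policy.iter("object-attribute-filter"):
            if (oaf.findtext("name") or "").strip() != "memberOf":
                continue
            dn = (oaf.findtext("value") or "").strip()
            groups = [g.text.strip() for g in policy.findall("system-groups/group/name") if g.text]
            mapping.setdefault(dn, []).extend(groups)
    return mapping

def check_script(xml_text):
    """Return (DNs with a user-policy but no freeform-filter clause,
    DNs in the freeform filter with no user-policy); both should be empty."""
    policy_dns = set(policy_mapping(xml_text))
    filter_dns = set()
    for ff in ET.fromstring(xml_text).iter("freeform-filter"):
        filter_dns.update(dn.strip() for dn in MEMBEROF_CLAUSE.findall(ff.text or ""))
    return policy_dns - filter_dns, filter_dns - policy_dns
```

Run check_script on the XML copied out of the LDAP Configuration screen before pasting an edited version back in; an empty pair of sets means every group is paired in both places.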

The LDAP Sync process

It runs nightly around 9:30pm, but if you want to kick it off manually, or just view its contents, go to the Administration menu and click on the LDAP Configuration link. Your userid must be in the Administrator role to do this.

The file is large, so even when viewing you must wait a minute or more while it tries to load the content to the screen. It will give you a browser-slow warning message. You’ll know it’s loaded when the form fields on the screen are populated and/or the XML link is finally clickable. There are two options below:

  • If you only want to run the process but don’t need to modify the script (for example you added a new user to an AD group but the group already exists), then simply click the Sync LDAP link. It will give you a brief status message near the bottom of the screen within about 10 seconds saying it was successful or failed.
  • If you need to modify (or view) the script, once it’s loaded, switch to XML view. It is modified by editing the XML, though M. Thomas keeps an external copy of the file on the \\filer\Sysprog\Users\mthomas network share, edits it there, then does a full copy/paste into the CMS each time. If you can access that, use it; otherwise copy the XML from this screen, edit it externally (easier), then copy the new version back in. NOTE: keep a copy of the original, just in case. Once the new script is ready, paste it in (or drag the new external file in), then click Save and Sync. This will save the changes and run the process. It will give you a brief status message near the bottom of the screen within about 10 seconds saying it was successful or failed.

The script is set up to notify mthomas@chapman.edu of the completion status. If necessary, another administrator could put their email address in that field in the script and run it again. It will send both an email and post a Notification on the Cascade dashboard.

Applying a New Group to a Folder

In Cascade, brand new groups need to be added to the permissions of the parent folder to which they apply and propagated down to child folders. Care needs to be taken to decide if propagating a new group down through all the subfolders is appropriate. Some folders like /campus-services will have a different set of groups at the subfolder level for each department than they do at the parent folder.

For the top folder to which the new group applies, select that folder in the site tree by clicking on the > caret next to the folder name. Then do a right-mouse click and choose the Access option. In the section of the screen labeled Grant access rights for specific users and/or groups, you can view the current groups. All folders have the Web Coordinators and Sitewide Contributors groups. The extra group(s) are the users. For example, on the /students/academic-resources/advising/ folder the extra group is Academic-Advising.

To add the new group, choose Write from the dropdown, then click Choose Users and Groups to launch a screen to pick the new group from all the groups in Cascade. Once selected and back at the main screen, double-check that the Access Level says Write, then click Update to apply the group to this folder.

A second step is necessary to apply that change to all the pages and subfolders in the parent folder. Once again, from the site tree select that parent folder by clicking on the > caret next to the folder name. Then do a right-mouse click and choose the Access for Contents option. From the screen, check the checkbox labeled Overwrite existing access rights on contained assets. The screen will expand and at the bottom, click the link labeled Copy user and group access rights from current folder. Then click the Overwrite Access Rights button in top right corner.

If the department’s site shares a _files folder higher up in the site tree, you may need to add the group again to that folder.