Groups across apps some use cases

[danaskallman]

As of now, I believe that a user that is created in WordPress can/will create a user on NextCloud, probably can work with Piwik too. However that is an individual account without specific access to anything that may be shared. Maybe we can outline some use cases to plan for.

Since we are working with a WordPress multisite, and in some cases multinetwork, users may be administrators or editors of one or multiple website. Maybe there's a way to define this and say if xyz role also add access to a group in NextCloud and can view that sites analytics in Piwik, for example. However, subscribers would just be a user across applications with no additional group associations.

Looking at NextCloud specifically users management also has groups, how can we tie into this? Initial thought is Site Admin is Admin of a group of that site and editors maybe users with access.

What's the best way to outline this?

[fabacab]

Hmmm. I think this project's wiki makes sense as a place to start drafting possible implementation ideas.

What comes up for me immediately is that on WP Multisite, a "site" is an implicit "grouping of content (and maybe also users)" but on NextCloud there is no direct analogue to this. This is why NextCloud's Groups feature exists, of course. So, does that mean the most intuitive mapping is:

• WP Site → NextCloud Group?

Can NextClous groups contain other NextCloud Groups (can NextCloud Groups be nested)? If not, is this a better mapping:

• WP User with a certain role → NextClous Group with that role as its name

If so, maybe the better hierarchy mapping is:

• WP Site → NextCloud Group (for that Site)
  • WP User (Author) → NextCloud Group of Authors

For example: a website at subsite1.example.com might have two users, Alice and Bob. Alice is a Site Admin in WordPress (her user account in WP has the Administrator role associated with it). Bob is an Author. What does this mean for how they share files (using NextCloud)? Do they need access to the same files regardless? If so, maybe groups matter less. Might Bob need more access to NextCloud capabilities than Alice? If so, maybe a strict permission mapping from WP to NextCloud isn't sensible. Or maybe it would make sense to map the structure directly, and so we would have four NextCloud Groups, two nested one-level deep:

1. Main Site Group (for the implicit group at example.com)
2. Subsite1 Group (for subsite1.example.com)
   1. Admins of Subsite1 Group (for Alice)
   2. Authors of Subsite1 Group (for Bob)

In any event, I think it's important to work out what we want to happen in WP and NextCloud before worrying about what the LDAP DIT structure will look like.

[danaskallman]

Back looking at this. Maybe start "simpler" (let me know if I am off base) since it may not be simple at all.

The one thing that seem important to start are site_id. So could a user just be part of any group they are a user on a site? And not look at roles at all right now. So if I am a user on two sites, I am part of those two groups in nextcloud for example.

The reason I note this is that the share option in nextcloud displays all users, but it would be good to see only users in groups associated with the sites they are part of. And not all users in the network.

Maybe after we can explore of network_id too.