Hiding users from each other

  • 7005574
  • 31-Mar-2010
  • 27-Apr-2012

Environment

Novell Teaming 2
Novell Teaming 2.1

Situation

Purpose:
This explains how to set up a Teaming installation so that users cannot see other users. If users are members of competing companies, it may be desirable to prevent the members of one company from knowing that their competition is also present, and it may be necessary to hide proprietary information about one company from members of a competing company.

Symptoms:
The default settings in Teaming allow a search in the "find people" box to turn up all users in the zone. The default settings for Personal Workspaces allow all users to see other users' personal workspaces, and these in turn are named after the user name, so that a search in the "find places" box will turn up the names of these users' personal workspaces. The default settings for personal guestbooks allow all users to see both the name of another user's personal guestbook (and consequently, his name) and the contents of the guestbook. Turning off All Users access to the Personal Workspaces page has the undesirable effect that users can no longer modify their own profiles, and cannot change their password, email address, phone number, or other profile settings. This places an undesirable burden on the Teaming administrator, who must handle all such profile change requests personally rather than allowing users to change their own profiles.

Resolution

Workaround Steps:
As an administrator, perform these steps to fix the problem for all newly created users:
  1. Go to Manage, then Site Administration, then Access Control for Zone Administration Functions
  2. Click Add a Role, then add the role entitled "Can Only See Members of Groups I Am In"
  3. Click Add a Group, then enter the group "All users"
  4. Check the box in the column "Can Only See Members of Groups I Am In" in the All users row
  5. Click "Save Changes", then "Close"
  6. Click "Manage Workspace and Folder Templates"
  7. Click "User workspace"
  8. Click "Manage this Target", then "Access Controls"
  9. Change the setting for "Inherit role membership from the parent folder or workspace" from "yes" to "no", then click "Apply" and then "Close"
  10. Expand the User workspace entry on this page by clicking on the "+" next to it
  11. Click on "Guestbook"
  12. Click "Manage this Target", then "Access Controls"
  13. Change the setting for "Inherit role membership from the parent folder or workspace" from "no" to "yes", then click "Apply" and then "Close"
In addition, any existing users will have to be changed by hand, one at a time. For each existing user:
  1. Click on the "+" next to "Personal Workspaces"
  2. In the expanded list of users, click on the first user's name
  3. Click "Manage", then "Access Control"
  4. Change the setting for "Inherit role membership from the parent folder or workspace" from "yes" to "no", then click "Apply"
  5. In the "All users" row, uncheck the box labelled "Visitor"
  6. Click "Save Changes"
  7. Click the "+" next to the user's name and then click "Guestbook"
  8. Click "Manage", then "Access Control"
  9. Change the setting for "Inherit role membership from the parent folder or workspace" from "no" to "yes", then click "Apply" and then "Close"
  10. Go back to step 1 in this list, and repeat the process for each remaining user until all users have been changed.

Additional Information

Root Cause:
The default access control settings for Teaming permit users to see that other users are members of a zone, and permit them access to information in those other users' profiles and personal workspaces. While this is a reasonable default for most systems, there are some situations in which it is desirable to prevent users from knowing about each other. For example, a company may implement an extranet solution using Teaming, such as supporting its customers, but those customers in turn may be competitors of each other. In this case it is desirable to prevent the members of company "A" from knowing of the existence of members of company "B" in the Teaming zone.

Details:
There is a role called "Can Only See Members of Groups I Am In" that can be applied to all users in the Zone by the Teaming administrator. This role prevents members of company "A" from seeing anyone else. If it is desired for members of company "A" to see and collaborate with each other, the administrator would create a group for company "A" and put all members of company "A" in this group; they would then be able to see each other but not members of other companies.

This solution suffices to hide users from each other unless they are in the same group, when using the "find people" search box. However, each user's personal workspace is named after the user, and so a member of company "A" could still detect members of company "B" by using the "find places" search box, since this would turn up their personal workspaces.

To prevent this, access controls for personal workspaces need to be adjusted. It is necessary for the access control settings of the Personal Workspaces page to include All Users in order to allow people to change their own profiles (such as to change their password). Consequently, each user's personal workspace must not inherit access controls from its parent (the Personal Workspaces page), since the parent requires that All Users have visitor rights, but individual users' personal workspaces should not have visitor rights.

This change can be accomplished in a few steps for all new users, by editing the templates for new user workspaces and also for new users' guestbooks. By turning OFF inheritance for new user workspaces, we remove the visitor rights for all users. By turning ON inheritance for the personal guestbook, we cause guestbooks to inherit the parent's access, which has no visitor rights for all users.

Once this is done, any new users will have their access rights set correctly for their personal workspace and all sub-workspaces including the guestbook. However, the problem will still remain for existing users who were created before the templates were modified. For these users, it is necessary for the administrator to navigate to the existing user's personal workspace, set the access control rights for that one workspace to not inherit from parent, and then navigate down to the guestbook and set access rights for the guestbook to inherit access control from the personal workspace.
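
Added example (not Novell code and not a Teaming API): a small Python model of the inheritance reasoning above, showing what a "find places" search returns under the default settings, with only the workspace changed, and with both changes applied. The Node class, the rule that an owner always sees their own places, and the user names are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Simplified model (assumption): a place either inherits its parent's role
# membership or carries its own. This is not Teaming's real data model.
@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    inherit: bool = True
    owner: Optional[str] = None
    visitors: set = field(default_factory=set)  # holders of the Visitor role set locally

    def effective_visitors(self):
        if self.inherit and self.parent is not None:
            return self.parent.effective_visitors()
        return self.visitors

def can_see(user, node):
    # Assumption: owners always see their own places.
    return user == node.owner or "All users" in node.effective_visitors()

def build(users, ws_inherit, gb_inherit):
    # The Personal Workspaces page keeps Visitor for "All users" so that
    # people can still edit their own profiles.
    root = Node("Personal Workspaces", inherit=False, visitors={"All users"})
    places = []
    for u in users:
        ws = Node(u, root, inherit=ws_inherit, owner=u)  # no local Visitor entry
        # Default guestbook: does not inherit, and is visible to All users.
        gb = Node(u + " guestbook", ws, inherit=gb_inherit, owner=u,
                  visitors={"All users"})
        places += [ws, gb]
    return root, places

def find_places(user, places):
    return sorted(p.name for p in places if can_see(user, p))

USERS = ["alice-companyA", "bob-companyB"]  # constructed sample users

if __name__ == "__main__":
    for label, ws, gb in [("default", True, False),
                          ("workspace only", False, False),
                          ("workspace + guestbook", False, True)]:
        _, places = build(USERS, ws, gb)
        print(label, "->", find_places("alice-companyA", places))
```

The middle case shows why the guestbook step matters: with only the workspace changed, the other user's guestbook name still appears in the search results.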