From 2a0018de6e6eb86613b3c7a9325704bf86d62d6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20S=C4=85gol?= Date: Wed, 28 Feb 2024 09:46:08 +0100 Subject: [PATCH 1/2] [TASK] Add Example Configuration section for Permissions Management docs --- .../ExampleConfiguration/Index.rst | 123 ++++++++++++++++++ ...ackend-groups-multisite-project-1.plantuml | 42 ++++++ ...ackend-groups-multisite-project-2.plantuml | 26 ++++ ...roups-multisite-project-organized.plantuml | 70 ++++++++++ ...d-groups-simple-project-organized.plantuml | 44 +++++++ .../_backend-groups-simple-project.plantuml | 32 +++++ Documentation/PermissionsManagement/Index.rst | 1 + .../SettingUpBackendGroups/Index.rst | 2 +- 8 files changed, 339 insertions(+), 1 deletion(-) create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/Index.rst create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-1.plantuml create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-2.plantuml create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-organized.plantuml create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project-organized.plantuml create mode 100644 Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project.plantuml diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst b/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst new file mode 100644 index 00000000..0a3881fc --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst @@ -0,0 +1,123 @@ +.. include:: /Includes.rst.txt + +.. index:: backend, acl, permissions, user groups, user management + +.. _example-configuration: + +============================================ +Example configuration of backend user groups +============================================ + +Knowing how backend user groups can be :ref:`categorized <_available-acl-options>`, +and how they can be organized using :ref:`naming conventions <_naming-convention>` +to distinguish their purpose or context, also following other best practices, +more advanced examples of group structures for projects with a single or multisite setup +can be discussed. + +.. _single-site-structure: + +Backend groups’ structure for a small project +============================================== + +When setting up backend groups and permissions for small, single-site projects, +consider future complexity. Organizing groups by best practices from the start +makes future extension and maintenance easier. + +Consider a scenario where two role groups are required: one for general content management, +named :samp:`Content Editor`, and another for survey management, named :samp:`Survey Manager`. + +The following conditions should be met: + +* Both roles should manage content in all languages +* Both roles should perform any file operations +* The Content Editor role has a dedicated file mount for organizing various files +* The Survey Manager role should have access to a dedicated file mount within the same file storage +* The Content Editor role should be able to view files uploaded by users with the Survey Manager role, as they might need them for blog posts mentioning the surveys +* The Content Editor role should manage all types of content, except for surveys +* The Content Editor should have access to a dedicated branch in system categories +* The Survey Manager role should only see the storage folder and a selected part of the pages tree where the surveys are listed and rendered +* The Survey Manager role does not need access to any system categories + +With these requirements in mind, the backend groups structure can be planned. +Following the recommendations of having the :ref:`System Groups <_system-groups>` +and :ref:`Access Control List Groups <_acl-groups>`, it could look like this: + +.. uml:: _backend-groups-simple-project.plantuml + :align: center + :width: 700 + +Having defined all the required :samp:`System` and :samp:`Access Control List` groups, +they can be combined to fulfill the :samp:`Content Editor` and :samp:`Survey Manager` +roles requirements. + +.. uml:: _backend-groups-simple-project-organized.plantuml + :align: center + :width: 700 + +Both :samp:`System` and :samp:`Access Control List (ACL)` groups serve as components +that can be integrated into a larger entity, in this case, the role group. +These role groups can then be assigned to users. As previously mentioned, +it's recommended that only the role groups be directly assigned to users. + +.. _multisite-structure: + +Backend groups’ structure for a multi-site project +================================================== + +When designing backend user groups for a multi-site project, the approach remains +consistent with that of a smaller, :ref:`single-site project <_single-site-structure>`. +Adhering to recommended best practices from the start simplifies the expansion +and preparation of a more advanced setup. + +This scenario describes a project with three separate sites (a multi-site setup). +There will be three distinct :samp:`Content Editors` roles, one for each site, +along with multiple other roles that will have cross-site access and permissions +to manage content. + +Rhe following condition should be met: + +* Project has 3 separate sites defined: Website A, Website B, Website C +* Project has one default language and one translation to English language +* For each site there are separate Content Editor roles as they will have different permissions +* Content Editor roles on Website A and Website C will have access to all languages, while the Content Editor role for Website B will have access only to the English language +* Each Content Editor role should have access to dedicated system categories branch +* Each Content Editor role can manage general content elements +* Content Editor role on Website A and C can manage news +* Content Editor role on Website A and C can manage galleries +* Content Editor role on Website A can manage use custom page types +* Content Editor role on Website A can manage contact forms (send responses etc.) +* Content Editor role on Website B can manage surveys + +Start by creating the necessary groups to form role groups. This includes system groups +for each site and shared groups across different roles and sites. Next, define the +ACL groups, which will be universally reusable for all role groups on any site. + +.. uml:: _backend-groups-multisite-project-1.plantuml + :align: center + :width: 700 + +.. uml:: _backend-groups-multisite-project-2.plantuml + :align: center + :width: 700 + +Groups specific to particular sites (e.g., page group, database mounts) have +been identified as well as the :samp:`shared groups`, which are universal, +and should be reused across role groups. These shared groups are applicable +for roles dedicated to a single site as well as for cross-site groups. + +The ACL groups could be further granulated if necessary, by separating permissions +for different content elements and dividing records’ related groups into multiple +ones — for editing records, managing lists and details through plugins, etc. +It wasn't done here to avoid overly complicating the diagram, which is already +quite comprehensive. However, in your setup, it might be necessary to create +more ACL groups, each responsible for a smaller set of permissions than those shown here. + +The desired backend groups structure and aggregation could look like this: + +.. uml:: _backend-groups-multisite-project-organized.plantuml + :align: center + :width: 700 + +You should grasp the essence of this concept: numerous smaller backend groups +can be combined to form a Role group. Role groups are the 'top' tier and are +the only ones that can be assigned to users later on. diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-1.plantuml b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-1.plantuml new file mode 100644 index 00000000..08d9ae44 --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-1.plantuml @@ -0,0 +1,42 @@ +@startuml +skinparam nodesep 10 +skinparam ranksep 20 + +rectangle "Website A" AS Website_A #line.dotted { + rectangle "PG_website_a" as PG_website_a #Application + rectangle "DBM_website_a" as DBM_website_a #Application + rectangle "DBM_website_a_news" as DBM_website_a_news #Application + rectangle "FM_website_a" as FM_website_a #Application + rectangle "CM_website_a" as CM_website_a #Application + PG_website_a -[hidden]-> DBM_website_a + DBM_website_a -[hidden]-> DBM_website_a_news + DBM_website_a_news -[hidden]-> FM_website_a + FM_website_a -[hidden]-> CM_website_a +} + +rectangle "Website B" AS Website_B #line.dotted { + rectangle "PG_website_b" as PG_website_b #Application + rectangle "DBM_website_b" as DBM_website_b #Application + rectangle "DBM_website_b_news" as DBM_website_b_news #Application + rectangle "DBM_website_b_survey" as DBM_website_b_survey #Application + rectangle "FM_website_b" as FM_website_b #Application + rectangle "FM_website_b_survey" as FM_website_b_survey #Application + rectangle "CM_website_b" as CM_website_b #Application + PG_website_b -[hidden]-> DBM_website_b + DBM_website_b -[hidden]-> DBM_website_b_news + DBM_website_b_news -[hidden]-> DBM_website_b_survey + DBM_website_b_survey -[hidden]-> FM_website_b + FM_website_b -[hidden]-> FM_website_b_survey + FM_website_b_survey -[hidden]-> CM_website_b +} + +rectangle "Website C" AS Website_C #line.dotted { + rectangle "PG_website_c" as PG_website_c #Application + rectangle "DBM_website_c" as DBM_website_c #Application + rectangle "FM_website_c" as FM_website_c #Application + rectangle "CM_website_c" as CM_website_c #Application + PG_website_c -[hidden]-> DBM_website_c + DBM_website_c -[hidden]-> FM_website_c + FM_website_c -[hidden]-> CM_website_c +} +@enduml \ No newline at end of file diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-2.plantuml b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-2.plantuml new file mode 100644 index 00000000..1f794a70 --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-2.plantuml @@ -0,0 +1,26 @@ +@startuml +skinparam nodesep 10 +skinparam ranksep 20 + +rectangle "Shared System groups" AS Shared_System_Groups #line.dotted { + rectangle "FO_all" AS FO_all #Application + rectangle "L_all" AS L_all #Application + rectangle "L_english" AS L_english #Application + FO_all -[hidden]-> L_all + L_all -[hidden]-> L_english +} + +rectangle "Shared ACL groups" AS Shared_ACL_Groups #line.dotted { + rectangle "ACL_content_elements" AS ACL_content_elements #Technology + rectangle "ACL_news" AS ACL_news #Technology + rectangle "ACL_gallery" AS ACL_gallery #Technology + rectangle "ACL_survey" AS ACL_survey #Technology + rectangle "ACL_contact_forms" AS ACL_contact_forms #Technology + rectangle "ACL_pages_custom" AS ACL_pages_custom #Technology + ACL_content_elements -[hidden]-> ACL_news + ACL_news -[hidden]-> ACL_gallery + ACL_gallery -[hidden]-> ACL_survey + ACL_survey -[hidden]-> ACL_contact_forms + ACL_contact_forms -[hidden]-> ACL_pages_custom +} +@enduml \ No newline at end of file diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-organized.plantuml b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-organized.plantuml new file mode 100644 index 00000000..dab6698a --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-multisite-project-organized.plantuml @@ -0,0 +1,70 @@ +@startuml +skinparam nodesep 10 +skinparam ranksep 20 + +rectangle "Website A" #line.dotted { + rectangle "R_website_a_editor" as R_website_a_editor #Implementation + rectangle "PG_website_a" as PG_website_a #Application + rectangle "DBM_website_a" as DBM_website_a #Application + rectangle "FM_website_a" as FM_website_a #Application + rectangle "FO_all" as FO_all #Application + rectangle "L_all" as L_all #Application + rectangle "CM_website_a" as CM_website_a #Application + rectangle "ACL_content_elements" as ACL_content_elements #Technology + rectangle "ACL_news" as ACL_news #Technology + rectangle "ACL_gallery" as ACL_gallery #Technology + rectangle "ACL_pages_custom" as ACL_pages_custom #Technology + rectangle "ACL_contact_forms" as ACL_contact_forms #Technology + R_website_a_editor <-- PG_website_a + PG_website_a -- DBM_website_a + DBM_website_a -- FM_website_a + FM_website_a -- FO_all + FO_all -- L_all + L_all -- CM_website_a + CM_website_a -- ACL_content_elements + ACL_content_elements -- ACL_news + ACL_news -- ACL_gallery + ACL_gallery -- ACL_pages_custom + ACL_pages_custom -- ACL_contact_forms +} + +rectangle "Website B" #line.dotted { + rectangle "R_website_b_editor" as R_website_b_editor #Implementation + rectangle "PG_website_b" as PG_website_b #Application + rectangle "DBM_website_b" as DBM_website_b #Application + rectangle "FM_website_b" as FM_website_b #Application + rectangle "FO_all" as FO_all1 #Application + rectangle "L_english" as L_english #Application + rectangle "CM_website_b" as CM_website_b #Application + rectangle "ACL_content_elements" as ACL_content_elements1 #Technology + rectangle "ACL_survey" as ACL_survey #Technology + R_website_b_editor <-- PG_website_b + PG_website_b -- DBM_website_b + DBM_website_b -- FM_website_b + FM_website_b -- FO_all1 + FO_all1 -- L_english + L_english -- CM_website_b + CM_website_b -- ACL_content_elements1 + ACL_content_elements1 -- ACL_survey +} + +rectangle "Website C" #line.dotted { + rectangle "R_website_c_editor" as R_website_c_editor #Implementation + rectangle "PG_website_c" as PG_website_c #Application + rectangle "DBM_website_c" as DBM_website_c #Application + rectangle "FM_website_c" as FM_website_c #Application + rectangle "FO_all" as FO_all2 #Application + rectangle "L_all" as L_all1 #Application + rectangle "CM_website_c" as CM_website_c #Application + rectangle "ACL_content_elements" as ACL_content_elements2 #Technology + rectangle "ACL_news" as ACL_news1 #Technology + R_website_c_editor <-- PG_website_c + PG_website_c -- DBM_website_c + DBM_website_c -- FM_website_c + FM_website_c -- FO_all2 + FO_all2 -- L_all1 + L_all1 -- CM_website_c + CM_website_c -- ACL_content_elements2 + ACL_content_elements2 -- ACL_news1 +} +@enduml \ No newline at end of file diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project-organized.plantuml b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project-organized.plantuml new file mode 100644 index 00000000..6af54449 --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project-organized.plantuml @@ -0,0 +1,44 @@ +@startuml +skinparam nodesep 10 +skinparam ranksep 20 + +rectangle "Content Editor" #line.dotted { + rectangle "R_content_editor" as R_content_editor #Implementation + rectangle "PG_website_a" as PG_website_a #Application + rectangle "DBM_website_a" as DBM_website_a #Application + rectangle "FM_website_a" as FM_website_a #Application + rectangle "FO_all" as FO_all #Application + rectangle "L_all" as L_all #Application + rectangle "CM_website_a" as CM_website_a #Application + rectangle "ACL_content_elements" as ACL_content_elements #Technology + rectangle "ACL_news" as ACL_news #Technology + rectangle "ACL_gallery" as ACL_gallery #Technology + + R_content_editor <-- PG_website_a + PG_website_a -- DBM_website_a + DBM_website_a -- FM_website_a + FM_website_a -- FO_all + FO_all -- L_all + L_all -- CM_website_a + CM_website_a -- ACL_content_elements + ACL_content_elements -- ACL_news + ACL_news -- ACL_gallery +} + +rectangle "Survey Manager" #line.dotted { + rectangle "R_survey_manager" as R_survey_manager #Implementation + rectangle "PG_website_a" as PG_website_a2 #Application + rectangle "DBM_website_a_survey" as DBM_website_a_survey #Application + rectangle "FM_website_a_survey" as FM_website_a_survey #Application + rectangle "FO_all" as FO_all2 #Application + rectangle "L_all" as L_all2 #Application + rectangle "ACL_survey" as ACL_survey #Technology + + R_survey_manager <-- PG_website_a2 + PG_website_a2 -- DBM_website_a_survey + DBM_website_a_survey -- FM_website_a_survey + FM_website_a_survey -- FO_all2 + FO_all2 -- L_all2 + L_all2 -- ACL_survey +} +@enduml \ No newline at end of file diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project.plantuml b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project.plantuml new file mode 100644 index 00000000..df892d22 --- /dev/null +++ b/Documentation/PermissionsManagement/ExampleConfiguration/_backend-groups-simple-project.plantuml @@ -0,0 +1,32 @@ +@startuml +skinparam nodesep 10 +skinparam ranksep 20 + +rectangle "System Groups" #line.dotted { + rectangle "PG_website_a" as PG_website_a #Application + rectangle "DBM_website_a" as DBM_website_a #Application + rectangle "DBM_website_a_survey" as DBM_website_a_survey #Application + rectangle "FM_website_a" as FM_website_a #Application + rectangle "FM_website_a_survey" as FM_website_a_survey #Application + rectangle "CM_website_a" as CM_website_a #Application + rectangle "FO_all" as FO_all #Application + rectangle "L_all" as L_all #Application + PG_website_a -[hidden]-> DBM_website_a + DBM_website_a -[hidden]-> DBM_website_a_survey + DBM_website_a_survey -[hidden]-> FM_website_a + FM_website_a -[hidden]-> FM_website_a_survey + FM_website_a_survey -[hidden]-> CM_website_a + CM_website_a -[hidden]-> FO_all + FO_all -[hidden]-> L_all +} + +rectangle "Access Control List Groups" #line.dotted { + rectangle "ACL_content_elements" as ACL_content_elements #Technology + rectangle "ACL_news" as ACL_news #Technology + rectangle "ACL_gallery" as ACL_gallery #Technology + rectangle "ACL_survey" as ACL_survey #Technology + ACL_content_elements -[hidden]-> ACL_news + ACL_news -[hidden]-> ACL_gallery + ACL_gallery -[hidden]-> ACL_survey +} +@enduml \ No newline at end of file diff --git a/Documentation/PermissionsManagement/Index.rst b/Documentation/PermissionsManagement/Index.rst index dbed3bfd..5816bfbb 100644 --- a/Documentation/PermissionsManagement/Index.rst +++ b/Documentation/PermissionsManagement/Index.rst @@ -107,3 +107,4 @@ the naming convention for backend groups later on. GeneralRecommendations/Index SettingUpBackendGroups/Index + ExampleConfiguration/Index diff --git a/Documentation/PermissionsManagement/SettingUpBackendGroups/Index.rst b/Documentation/PermissionsManagement/SettingUpBackendGroups/Index.rst index 98ae8d0d..e4df3038 100644 --- a/Documentation/PermissionsManagement/SettingUpBackendGroups/Index.rst +++ b/Documentation/PermissionsManagement/SettingUpBackendGroups/Index.rst @@ -120,7 +120,7 @@ Page Group Examples: *PG_website_a*, *PG_website_a_blog*, *PG_website_b*, *PG_website_b_gallery* Grants permissions to all pages in the pages tree for a given site or only -selected branches of pages in the tree. + selected branches of pages in the tree. Those groups will be assigned directly to the pages (see Page Permissions for more details) following the TSConfig or the Access Module configuration. From 9746ae793f3459579ebded530b894d1a634eae10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marcin=20S=C4=85gol?= Date: Thu, 29 Feb 2024 13:30:37 +0100 Subject: [PATCH 2/2] Apply suggestions from code review Co-authored-by: Sarah McCarthy --- .../ExampleConfiguration/Index.rst | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst b/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst index 0a3881fc..9d1bf773 100644 --- a/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst +++ b/Documentation/PermissionsManagement/ExampleConfiguration/Index.rst @@ -8,38 +8,38 @@ Example configuration of backend user groups ============================================ -Knowing how backend user groups can be :ref:`categorized <_available-acl-options>`, -and how they can be organized using :ref:`naming conventions <_naming-convention>` -to distinguish their purpose or context, also following other best practices, -more advanced examples of group structures for projects with a single or multisite setup -can be discussed. +How backend user groups can be :ref:`categorized <_available-acl-options>`, +and organized using :ref:`naming conventions <_naming-convention>` +to distinguish their purpose or context as well as following best practice +and more advanced examples of group structures for projects with a single or multisite setup +are discussed. .. _single-site-structure: Backend groups’ structure for a small project ============================================== -When setting up backend groups and permissions for small, single-site projects, -consider future complexity. Organizing groups by best practices from the start +When setting up backend groups and permissions for small, single-site projects +future complexity should be considered. Organizing groups by best practice from the start makes future extension and maintenance easier. Consider a scenario where two role groups are required: one for general content management, -named :samp:`Content Editor`, and another for survey management, named :samp:`Survey Manager`. +named :samp:`Content Editor`, and one for survey management, named :samp:`Survey Manager`. The following conditions should be met: * Both roles should manage content in all languages * Both roles should perform any file operations -* The Content Editor role has a dedicated file mount for organizing various files +* The Content Editor role has a dedicated file mount for organizing files * The Survey Manager role should have access to a dedicated file mount within the same file storage * The Content Editor role should be able to view files uploaded by users with the Survey Manager role, as they might need them for blog posts mentioning the surveys * The Content Editor role should manage all types of content, except for surveys * The Content Editor should have access to a dedicated branch in system categories -* The Survey Manager role should only see the storage folder and a selected part of the pages tree where the surveys are listed and rendered +* The Survey Manager role should only see the storage folder and the part of the pages tree where the surveys are listed and rendered * The Survey Manager role does not need access to any system categories With these requirements in mind, the backend groups structure can be planned. -Following the recommendations of having the :ref:`System Groups <_system-groups>` +Following best practice of having :ref:`System Groups <_system-groups>` and :ref:`Access Control List Groups <_acl-groups>`, it could look like this: .. uml:: _backend-groups-simple-project.plantuml @@ -48,35 +48,35 @@ and :ref:`Access Control List Groups <_acl-groups>`, it could look like this: Having defined all the required :samp:`System` and :samp:`Access Control List` groups, they can be combined to fulfill the :samp:`Content Editor` and :samp:`Survey Manager` -roles requirements. +role requirements. .. uml:: _backend-groups-simple-project-organized.plantuml :align: center :width: 700 -Both :samp:`System` and :samp:`Access Control List (ACL)` groups serve as components +The :samp:`System` and :samp:`Access Control List (ACL)` groups serve as components that can be integrated into a larger entity, in this case, the role group. These role groups can then be assigned to users. As previously mentioned, -it's recommended that only the role groups be directly assigned to users. +permissions should only be assigned to users via role groups. .. _multisite-structure: -Backend groups’ structure for a multi-site project +Backend group structure for a multi-site project ================================================== -When designing backend user groups for a multi-site project, the approach remains -consistent with that of a smaller, :ref:`single-site project <_single-site-structure>`. -Adhering to recommended best practices from the start simplifies the expansion -and preparation of a more advanced setup. +When creating backend user groups for a multi-site project, the approach is +the same as that of smaller, :ref:`single-site projects <_single-site-structure>`. +Adhering to recommended best practice from the start simplifies building the website +and prepares for a more advanced setup. This scenario describes a project with three separate sites (a multi-site setup). There will be three distinct :samp:`Content Editors` roles, one for each site, -along with multiple other roles that will have cross-site access and permissions +along with other roles that will have cross-site access and permissions to manage content. -Rhe following condition should be met: +The following conditions should be met: -* Project has 3 separate sites defined: Website A, Website B, Website C +* Project has 3 separate sites: Website A, Website B, Website C * Project has one default language and one translation to English language * For each site there are separate Content Editor roles as they will have different permissions * Content Editor roles on Website A and Website C will have access to all languages, while the Content Editor role for Website B will have access only to the English language @@ -100,15 +100,15 @@ ACL groups, which will be universally reusable for all role groups on any site. :align: center :width: 700 -Groups specific to particular sites (e.g., page group, database mounts) have +Groups specific to particular sites (e.g., page groups, database mounts) have been identified as well as the :samp:`shared groups`, which are universal, -and should be reused across role groups. These shared groups are applicable -for roles dedicated to a single site as well as for cross-site groups. +and reused across role groups. Use shared groups for +for roles for single sites as well as for cross-site groups. -The ACL groups could be further granulated if necessary, by separating permissions +The ACL groups could be further granulated, by separating out permissions for different content elements and dividing records’ related groups into multiple ones — for editing records, managing lists and details through plugins, etc. -It wasn't done here to avoid overly complicating the diagram, which is already +It is not done here to avoid overly complicating the diagram, which is already quite comprehensive. However, in your setup, it might be necessary to create more ACL groups, each responsible for a smaller set of permissions than those shown here. @@ -118,6 +118,6 @@ The desired backend groups structure and aggregation could look like this: :align: center :width: 700 -You should grasp the essence of this concept: numerous smaller backend groups -can be combined to form a Role group. Role groups are the 'top' tier and are -the only ones that can be assigned to users later on. +The key concept that you should grasp here is that small backend groups +are combined to form a Role group. Role groups are the 'top' tier and only they +can be assigned to users later on.