Client org-level sharing of parent-level content

Jonathan Allen shared this idea 2 years ago
Idea Logged

In our implementation we have parent level content that we need to be available in the client orgs. However, within each client org the sharing model can be quite complicated. Not all content from the parent org should necessarily be available to the client org users, and not all client org users should have access to the same content.

Currently this is all managed at the parent org level which means we need to manage all sharing and create many different user groups to address all possible scenarios. Ideally we would be able to "Publish" the parent org content to all client orgs so that they are available, but then the sharing at the client org level would work like any other content in the client org.

Comments (3)


This was discussed with Nathan here and he confirmed that this cannot be done as of now.


I have raised this as an official enhancement:

  1. 9374


Would be great to have this option added. At the moment (using 8.0.4) I do not see an option like Jonathan Allen described. Assign all parentorg content to clientorg admin groups and let all further sharing/security/etc. be done in the client. Then it would be self-service security by the clientorg admins. At the moment this can only be done from the parentorg, but with 100s of clientorgs that is not manageable.

So with that I mean that as a clientorg admin I need to be able to create usergroups (possible already), define folder access (partially possible on clientorg content only, but not on parentorg content) and access filters (not possible, with 1 datasource being defined on parentorg level).


Thanks JeRoen for the feedback.


Unfortunately what is being asked kinda goes against the purpose of client orgs. It's everything top down, and if you want to apply further security, it needs to happen at the top, which I understand can be a pain with many client orgs.


The other alternatives could be to duplicate content on the client orgs, which is fine for security, but makes it hard to keep content at the client org in sync (if that's what you're after).

Sorry for the bad news on this, it's just not possible at this point in time, and not something we are currently planning on supporting.

Regards,

David


Hello David,

Thanks for looking into this.

The problem is that not everything is top down. For instance, when I have an LDAP group (or even a YellowFin usergroup) at the parentorg level and I give rights to that group to a certain folder at parentorg level, I would expect that combination is still used at clientorg level. But in that case I have to add a usergroup in all clientorgs.

I feel stuck in limbo a bit ;-)

Whatever security method I choose, it seems a solution with a lot of work (unmanageable) or not possible:

  • Maintain everything at parentorg level (with 100+ clientorgs and 15 usergroups); that is a lot of work.
  • Only manage clientorg admin groups at parentorg level and let the clientorg admin do the heavy lifting (creating groups and assigning folder access). Not possible for parentorg content, because everything is top down.
  • Maintain everything at parentorg level (folder access using usergroups, not clientorg groups) and let YellowFin at clientorg level determine if based on those usergroups a user has access to certain folders.
    Also not possible, because not everything is top down and parentorg usergroups are not available at clientorg.

I wonder how clients with 1000+ clientorg groups manage this? Is then all content available for all people in all clientorgs? How to make it manageable in that situation?

Regards,

JeRoen


Thanks for the additional info JeRoen,


We do have clients with many client orgs (don't know anyone personally who has it in the 1000+ though), though I suspect their security levels are a lot less complicated and have an all access to default org content, and then specific folders for specific content, which is secured by default, and only particular groups allowed access. So only 'some' folders would need to be manually maintained, and then it's not across all orgs.

Rather than go back and forth on this, thinking it might be a good idea for me to reach out to your CSM to see if we can better understand your use-case and look at alternatives, if there are any. E.g. maybe securing views, or data sources, rather than folders.

Will this be ok if I reach out to them?

Thanks,

David
