Group management

Posted: Wed Sep 23, 2020 2:58 pm
by Meric
Hi,
I use the latest version 2.8.4 with LDAP auth.
I created all groupOfNames in my LDAP with corresponding users.
I used the same name (cn) in Booked group management.
I set the option sync.groups to true in LDAP plugin config.
When a new user logs in for the first time, it does not appear in his own group.
Wouldn't it be the normal behavior or have I missed something?

And, second question: is it possible to limit access to a resource to a specific group?
By default, a resource is created with 'Full access' for all users.
I can only remove access user by user which is quite long with 250+ users... and useless because
all new users will have full access.
So, I thought groups would be the solution but I tried to set all but one group to 'None' and I'm always
able to do a reservation even if I'm not in that specific group.
There is probably something I don't understand.

Thanks

Re: Group management

Posted: Thu Sep 24, 2020 9:01 am
by YZone
Hi,

To avoid the fact that new users would automatically have access to the resource(s), try the following:

Login as application administrator
Application Management / Resources / select ‘ACCESS’ on the resource you want
Unselect ‘Permission is automatically granted’. (This option will create havoc among the new Booked users, this was NOT automatically selected in older Booked versions!)

This applies only to the new users!
If you want to change the access of other users: Application Management / Users / select ‘Actions’ / Permissions of the user you want.

To use “Groups” to give reservation rights:
Create two groups (Application Management / Groups):

First group (the group administrators):
“Lab Group Admin”
Groups members = select only the users with these administrator rights
Permissions = select only the accessible resources for these users
Group roles = select ‘Group Admin’
Group administrator = Lab Group Admin (the one created above)

Second group (the 'normal' users):
“Lab User Group”
Groups members = select all the ‘normal’ users without any special rights
Permissions = select only the accessible resources for these users
Group roles = none should be selected!
Group administrator = ‘Lab Group Admin’ (the one created above)

The members in group ‘Lab Group Admin’ should be able to create, edit or delete reservations for other users in the group ‘Lab User Group’.
The users in the group ‘Lab User Group’ can only create, edit or delete their own reservations.

Attention: be sure the ‘normal’ users in group 'Lab User Group' don’t have individual rights, so try this out with new users AND ‘Permission is automatically granted’ is unselected for the resource(s)!!!

YZone

Re: Group management

Posted: Mon Sep 28, 2020 4:00 pm
by JayKidd20
I think the "Lab Group Admin" group shouldn't be able to administrate their own group, the role should be assigned to a higher admin_group.

More importantly, when a user of Lab Group Admin exercises his administrative rights on users belonging to the "Lab User Group", it shouldn't include abilities such as "change password", "updating all fields in profile". These are dangerous. Especially when the "Lab Group Admin" users can add ANY user (including the application Admin) into the group and thrust the unlimited administrative abilities upon them. I would think an invite_to_group would suffice.
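
The delegation concerns raised in this reply can be checked mechanically. The following is an added example, not Booked's code and not written by any poster in this thread: a Python audit over a constructed model of the two groups described earlier, where the `Group` class, the user names and the finding labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model for illustration; not Booked's schema or code.
@dataclass
class Group:
    name: str
    members: set
    roles: set = field(default_factory=set)
    admin_group: Optional[str] = None   # group whose members administer this one

def audit(groups, app_admins):
    """Return sorted (finding, group, subject) tuples for risky delegation."""
    by_name = {g.name: g for g in groups}
    findings = []
    for g in groups:
        if g.admin_group is None:
            continue
        if g.admin_group == g.name:
            # Holders of the group-admin role manage their own peers.
            findings.append(("self-administered", g.name, g.name))
        delegates = by_name[g.admin_group].members - app_admins
        for user in sorted(g.members & app_admins):
            if delegates:
                # A delegate could change this account's password or profile.
                findings.append(("app-admin-under-delegate", g.name, user))
    return sorted(findings)

def thread_layout():
    """The two groups from the thread; 'root' models an application admin
    that a group admin has added to the user group (constructed names)."""
    return [
        Group("Lab Group Admin", {"alice", "bob"}, {"Group Admin"}, "Lab Group Admin"),
        Group("Lab User Group", {"carol", "dave", "root"}, set(), "Lab Group Admin"),
    ]

def tightened_layout():
    """Same groups, with the admin group administered by a separate higher
    group and the application admin kept out of delegated groups."""
    return [
        Group("Site Admins", {"root"}, {"Group Admin"}),
        Group("Lab Group Admin", {"alice", "bob"}, {"Group Admin"}, "Site Admins"),
        Group("Lab User Group", {"carol", "dave"}, set(), "Lab Group Admin"),
    ]

if __name__ == "__main__":
    for finding in audit(thread_layout(), app_admins={"root"}):
        print(finding)
    print(audit(tightened_layout(), app_admins={"root"}))
```

Run against a real deployment, the group and membership data would have to be exported from the application first; the model above only mirrors the fields named in the thread.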

Re: Group management

Posted: Thu May 26, 2022 11:48 am
by evertonpavan
Hi, Meric!

Were you able to correctly configure the synchronization of LDAP groups?

I set these options here, but it doesn't work.

Can you help me, please?