> Though I see the usecase I don't like to change the ACLs since most users are already confused by its complexity and > the ACLs are flexible enough for 99% of the cases (yes I'm making up that figure). I can understand that, but I actually think that making "none" always mean "none" makes it clearer and less complex. > One could argue that the problem is not within DokuWiki's ACLs but the setup of your Active Directory ;-). You could, but you'd be wrong ... ;) I think that most AD's are built with the notion that you use "Domain Users" (similar to DokuWikis @ALL) to set read only permissions, create smaller groups to set higher permissions and, if necessary, specific (and often very small) groups to explicitly deny. DokuWiki's ACL system is very close to NTFS (basic) file permissions, with the exception of how "none"/deny works. > Users always get the highest permission assigned to the same > namespace. So if you give read access to @ALL on the root namespace, > then you can do restrictions only for sub namespaces. Eg. this would > restrict access for guest users on the secret namespace. All other > users would still have read access (or upload if they belong to the > @users group). > > * @ALL 1 > * @users 8 > secret:* @guests 0 > secret:* @users 8 > May I just add that the above permissions can quite easily (and inadvertently) be compromised. As described above, the @guests group can not access the "secret" namespace with the above ACL's. Let's say that someone decides that read access for @ALL isn't enough in "secret", @ALL should be allowed to edit pages in that namespace and adds this: secret:* @ALL 2 Now you have opened upp the entire "secret" namespace to @guests too ... That is illogical to me, that a group that explicitly has "none" permissions now actually has edit permissions, but I am used to Windows/NTFS security settings, where "deny" always prevails. In a very small setting, with a a few namespaces and a handful of users, the current DokuWiki ACL functionality isn't a problem. You can create new exclusive groups (where users are never part of two groups), move users between groups and move ACL's around a bit to make it work like you want, but it is not practical when you have thousands of users, hundreds of groups and thousands of pages. I'd greatly prefer if "none" always means "none", that way you can use @ALL for basic (mostly "read") ACL settings, some AD groups for higher permissions and sprinkle some "none" ACL's where appropriate, knowing that you really have shut the affected users/groups out from those sections. BTW, in DokuWiki 2008-05-05, the ACL's are incorrectly previewed on the management page, at least if you use AD groups. If, in your original example, you choose "Permissions for" the @guests AD group and check permissions on "secret", it will say that they have "Read" permissions (inherited) when in reality they have "None". If you add "Edit" for @ALL on "secret" (as in my example) it will correctly show "Read, Edit" for @guests. /Daniel -- DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist