USEPA / GeoPlatform-Request-Tool

Provisions EPA GeoPlatform (GPO) user accounts during emergency response events and projects

Restrict Primary Auth Group for Limited External Collaborators #135

Open torrin47 opened 1 year ago

torrin47 commented 1 year ago

We recently noticed that many LEC users are also in a normal internal authgroup (OW, R5, etc), and we don't think this is intentional or appropriate, and we're pretty sure the source is the request tool. The whole concept of LEC is that these users don't get access to ANYTHING in the GPO that isn't explicitly shared with them. So they don't even have access to items shared with the entire Org. Putting LEC users in an EPA authgroup runs counter to that assumption because many authgroups have a whole bunch of items shared with them, and it's pretty clear they're not intended for LEC users. The dashboard will assume LEC users are associated with the primary authgroup of their sponsor for reporting purposes (and this can be adjusted later, if needed), so there's no need for the LEC users to also be a member of an internal authgroup.

TL;DR: In the Project Request form, if Geoplatform Role is set to Limited External Collaborator, force Primary Auth Group to be the Limited External Collaborator Auth Group with no other choices available. If someone also includes an internal authgroup in the "GeoPlatform Groups" section above, that's ok.

tbock commented 8 months ago

@torrin47 We will transition to a configuration in the admin like so. The choices available there are the ones currently selected as auth groups.

This will in turn be used to limit choice in the frontend.

To migrate the existing setup, is it correct to say EPA Publisher should have all current auth groups associated with it and LEC should ONLY have the LEC group?

torrin47 commented 8 months ago

Yup, that's affirmative. Sounds like a good approach.

tbock commented 7 months ago

How are auth groups handled in Geosecure? Is there such a thing? Just trying to determine if this needs to be required or optional based on environment or something. @torrin47

torrin47 commented 7 months ago

No authgroups in Geosecure since most users are view-only. Less of a need to steward the users and their content - only the secure data.
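
A server-side check of the role-to-auth-group restriction discussed in this thread, as an added example that is not the project's code or any commenter's. The mapping contents, class and function names, and sample records are constructed; the `env_uses_auth_groups` flag is an assumption standing in for the Geosecure case.

```python
from dataclasses import dataclass
from typing import Optional

LEC_ROLE = "Limited External Collaborator"
LEC_GROUP = "Limited External Collaborator Auth Group"

# Constructed stand-in for the admin configuration: role -> primary auth
# groups that role may be given. "OW" and "R5" are sample internal groups.
ROLE_AUTH_GROUPS = {
    "EPA Publisher": {"OW", "R5"},
    LEC_ROLE: {LEC_GROUP},  # LEC gets ONLY the LEC group
}


@dataclass
class AccountRequest:
    username: str
    role: str
    primary_auth_group: Optional[str]


def check_request(req, env_uses_auth_groups=True):
    """Return a list of problems; an empty list means the request is acceptable."""
    if not env_uses_auth_groups:
        # Environment without auth groups: the field is optional, nothing to check.
        return []
    allowed = ROLE_AUTH_GROUPS.get(req.role)
    if allowed is None:
        # Fail closed: an unconfigured role gets no auth group at all.
        return [f"role {req.role!r} has no auth group configuration"]
    if req.primary_auth_group not in allowed:
        return [f"{req.primary_auth_group!r} is not permitted for role {req.role!r}"]
    return []


def audit(requests):
    """Usernames of existing records that violate the mapping (migration check)."""
    return [r.username for r in requests if check_request(r)]


# Constructed sample records, not real accounts.
SAMPLE = [
    AccountRequest("lec_user_1", LEC_ROLE, LEC_GROUP),
    AccountRequest("lec_user_2", LEC_ROLE, "R5"),
    AccountRequest("epa_user_1", "EPA Publisher", "OW"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same check on submission as well as in the form keeps a request that bypasses the frontend from placing an LEC user in an internal auth group.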