Is it just me or there is something messed up with the new permissions? Users don't become active, until they are added a role - I thought single permissions should work too :( Also, roles take precedence it seems to explicitly assigned permissins ...

I tried to give permissions to a project to a user, and then tried both the guest role and the anonymous role - in one case the user could see all projects, in the other, she could see none. How to set it up? Do individual permissions work at all now?

There is nothing messed up. Users must be assigned a role as the role has the login permission attached. No role, no login.

Individual permissions are used to modify a role's permissions. The roles supplied are examples only and you can create a role that has virtually no permissions, and then use individual permissions to provide the access. Oh, and individual permissions do work, and work quite well. We have now 3 sites testing this for us in production environments and, apart from some bugs that have been identified, the permissions system is quite solid.

You probably need to check out the phpgacl docs to get an understanding of how they work, and review the classes/permissions.php file for information on how it is implemented in dP.

I read through the phpgacl docs before we applied it ... I realised this about roles, and created a role as I want it (with no project access), but when I give project access to a specific project later on, it still doesn't give access to that project.
I'll stop my windge and have a look in the code - I just tried to save me some work :)

There are several permissions you need. Access permission is required to get into the module or to have the module displayed in the list of available modules. View permission is required to view a project, while edit permission is - as its name implies - is required to edit a permission.

What you may have done is created a role with a lot of deny permissions. This is not really necessary, you should just not provide any permissions. Deny permissions should be used in the user permissions to override global permissions.

I realize all that. I found my problem anyway - I had created a permission for the project, but it wasn't being applied / didn't work because there were no permissions for companies whatsoever. That way it was checking if you have access to companies, and it was denying access to everything below it. This is not always a natural way to look at things - it makes sense once you look at it deep, but maybe we should think about projects as stand alone permission units as well, and if you have allow permission to a project it won't need to check companies as well. Does that make any sense?

p.s. add permissions in forums aren't right ... it doesn't let you add topics unless you have edit permissions

I realize all that. I found my problem anyway - I had created a permission for the project, but it wasn't being applied / didn't work because there were no permissions for companies whatsoever. That way it was checking if you have access to companies, and it was denying access to everything below it. This is not always a natural way to look at things - it makes sense once you look at it deep, but maybe we should think about projects as stand alone permission units as well, and if you have allow permission to a project it won't need to check companies as well. Does that make any sense?

I so agree with companies not determining access to projects. We have workgroups that need read access to all projects of those in their workgroups. Also need rollup. So, Director of IT and Programming can see all those projects that the IT workgroup and Programming Workgroup has created.

A staff member of IT couldn't see projects of Programming unless they were asigned as a resource or granted read access by the projects creator. The project creator should be able to allow read access to workgroups or individuals as the project creator sees fit. The only Project Management tool I have seen that gives this level of control to the project creator is OPT Max. But the interface of that tool is dated and it lacks a few other items.

- Ric

Your point is well taken, but I like the idea of being able to govern access to projects based on whether or not you are allowed to access a specific company. The way I have my dP set up, I have multiple "companies" for each branch of my actual company (I decided not to break it up by departments, since the sorting features by department, esp for the calendar, are non-existent). Anyway, I want employees to have access to their company, and to have the ability to add and edit projects for any company they are assigned (and deny access to any company they are not assigned).

But I see where you guys are coming from, and I think each situation is different. Maybe there is a way to add an option in the pop-up box when you click on the "Item" box for "Company" where you can choose to "Ignore company perms when setting other permissions", which will skip the check to see if the user has permission to view that company, and will skip right down to the Projects permissions.