user_saml icon indicating copy to clipboard operation
user_saml copied to clipboard
verified publisher icon nextcloud

Allow disabling group prefix

Open hrenard opened this issue 1 year ago • 8 comments

Expected behaviour

We should be able to disable group prefix. I think it's a regression because this was the default behavior in v5.

Actual behaviour

It's not possible to set an empty value from the CLI. And in the UI, the difference between empty or default isn't clear either.

Server configuration

PHP version: 8.2

Nextcloud version: (see Nextcloud admin page) 28.0.9

App version: 6.2.0

hrenard avatar Aug 28 '24 10:08 hrenard

The behaviour is different yes, but existing groups are not affected.

blizzz avatar Aug 29 '24 11:08 blizzz

But it breaks systems using group names without a prefix. The lack of an option to disable the prefix or set it to empty is causing issues. This flexibility is needed to maintain compatibility with setups that don’t use group prefixes. In my case, new users automatically provisioned via SAML end up in new groups like SAML_groupname and therefore lose access to existing shared resources.

rthaler avatar Oct 03 '24 13:10 rthaler

But it breaks systems using group names without a prefix. The lack of an option to disable the prefix or set it to empty is causing issues. This flexibility is needed to maintain compatibility with setups that don’t use group prefixes. In my case, new users automatically provisioned via SAML end up in new groups like SAML_groupname and therefore lose access to existing shared resources.

These are local groups with users from mixed backends?

blizzz avatar Oct 04 '24 10:10 blizzz

In my case, there is no mix of different backends. All users and groups are exclusively provisioned via Keycloak, so these are local groups created by Keycloak. However, the proposed change would require me to adjust all existing groups and group assignments, which would create significant complications. Additionally, folders and shares are created by another system, meaning adjustments would also need to be made there, further complicating the process. That’s why it would be very helpful to have the option to disable the prefix or set it to empty, to ensure compatibility with the existing setups.

rthaler avatar Oct 13 '24 10:10 rthaler

Same here - now there are a lot duplicated Groups in NC with same name but different internal names - had to reorganize a lot of shares.

jooooaah avatar Nov 11 '24 11:11 jooooaah

@rthaler

In my case, new users automatically provisioned via SAML end up in new groups like SAML_groupname and therefore lose access to existing shared resources.

Users are still sorted into existing groups that do not have a prefix. And when migrating groups from local to SAML backend, the ID will persist without the backend. Both scenarios are covered with automated tests.

Additionally, folders and shares are created by another system, meaning adjustments would also need to be made there, further complicating the process.

Now when it comes to newly created groups and the IDs are just assumed, then I see how you can run into it.

blizzz avatar Nov 11 '24 12:11 blizzz

Would it be possible to configure at least the “admin” group without a prefix? Since this group should not be deleted anyway, this exception would not interfere with the intention of cleaning up empty groups.

tmaex avatar Jan 24 '25 22:01 tmaex

Would it be possible to configure at least the “admin” group without a prefix? Since this group should not be deleted anyway, this exception would not interfere with the intention of cleaning up empty groups.

The admin group is a special, local one.

There it makes more sense to solve #561 by implementing IIsAdminBackend to the group backend and some configuration around it.

blizzz avatar Jan 31 '25 19:01 blizzz