I don't have LDAP connected to this LCES server to try this, so I thought I'd just post the question here instead:
When I manually create a user account in the Default Domain, one of the steps in the create user process is to assign some "Roles" for the account; and by default, none of the available Roles (including the "WorkSpace user" role) was associated with the new user.
Question is, is that also the case for those user accounts that you bring into the server after you sync with the LDAP? I.e., new accounts (from LDAP) got created without any Role assigned initially?
If the accounts got created without any Role, is there an easy way to assign the "WorkSpace User" role to all of them?
The best way to assign a role to a bunch of people is to assign the role to an LDAP group that contains all the users.
You can also go under User Management/Role Management and select your role and then manually select all the users you want to assign this role to. This will also assign the role to all the users in one shot, but you'll need to manually select the users.
How about I assign the "WorkSpace User" role to the "All Principals" group, before I configure the LDAP connection? Would that cause any undesirable side-effects?
What I don't quite understand is why the user accounts were not created with the "WorkSpace User" role automatically assigned. Does that mean Adobe is trying to discourage the usage of the WorkSpace ES?
Assigning to All Principals should work.
LiveCycle will also automatically create a "local" group called "All Principals in Domain X" whenever you create a new domain, and you could use that domain instead.
It's not that Adobe is discouraging the use of Workspace, it's more a general principle that the system should be secure by default. This is a very good principle to follow, otherwise you could easily get accidental or malicious misuse of the system. This basically means that nobody should automatically be allowed to do anything unless they have been explicitly granted authority. As the administrator of the system, you can choose to override the defaults using the "All Principals" group, but this is a decision you're explicitly making.
Adobe also appear to follow the principle of "Privacy by default" - for example, you can't see anyone else's task list unless they explicitly grant you access.
Thanks for the explanation, Howard, it's very interesting.
Regarding the security concern, it makes sense not to make Roles like "Application Administration" or "WorkBench user" checked by default, but "WorkSpace User"? I can't imagine what security risk a WorkSpace User can cause to the system... If there's a risk, I definitely would like to know about it... Are there risks in granting users the "WorkSpace User" role?
When I create a user account manually or bring the accounts into the system by syncing with the LDAP, I have already made a conscious decision that I want these guys to use the WorkSpace... which is the Out of the Box End User interface btw, isn't it? Why would I create these accounts if I don't want them to use the system?
So I still think that LCES should create any new accounts with the "WorkSpace User" role granted by default. If the administrator doesn't want specific users to use the WorkSpace, he can manually uncheck that box for those user accounts.
You might have created a workflow that automatically deducts $100 from your account, and credits it to the account of whoever started the workflow :-) Not sure if you'd like everyone to automatically have access to that workflow.
OK, that's probably not a good example, and I take your point. But the point is that you can modify the default behaviour, by granting Workspace access to All Principals.