Managing discussion groups

his chapter describes how to create and manage discussion groups and how to control user access to discussion groups.

How you access these forms depends on who you are:

If you are the server administrator, you access the discussion group management forms from the Collabra administrative interface.
If you are a user who has been granted the manager role to a discussion group, you access the discussion group management forms from the Communicator interface.

Most of the tasks described in this chapter are available to any user who has the appropriate permissions to the discussion group. Some tasks, however, are not available to users from the Communicator interface. These tasks are identified by a note.

For purposes of the following discussions, the discussion group hierarchy is shown in Table 4.1

royal.*

royal.dev.*

royal.rec.*

royal.pets.*

royal.dev.server
royal.dev.server.collabra
royal.dev.server.enterprise
royal.dev.server.fasttrack
royal.dev.server.proxy
royal.dev.client
royal.dev.client.nav3
royal.dev.client.comm

royal.rec.fun
royal.rec.fun.skydive
royal.rec.fun.gliders
royal.rec.fun.hangglide
royal.rec.fun.race
royal.rec.fun.race.f1
royal.rec.fun.race.f3
royal.rec.fun.race.fford
royal.rec.boring
royal.rec.boring.pinochle
royal.rec.boring.bridge
royal.rec.boring.knit

royal.pets.dogs
royal.pets.dogs.malamutes
royal.pets.dogs.rotties
royal.pets.dogs.chihs
royal.pets.cats
royal.pets.cats.persians
royal.pets.cats.tabbys
royal.pets.cats.strays
royal.pets.repts
royal.pets.repts.turtles
royal.pets.repts.snakes
royal.pets.repts.lizards

.

royal.*
royal.dev.*	royal.rec.*	royal.pets.*
royal.dev.server royal.dev.server.collabra royal.dev.server.enterprise royal.dev.server.fasttrack royal.dev.server.proxy royal.dev.client royal.dev.client.nav3 royal.dev.client.comm	royal.rec.fun royal.rec.fun.skydive royal.rec.fun.gliders royal.rec.fun.hangglide royal.rec.fun.race royal.rec.fun.race.f1 royal.rec.fun.race.f3 royal.rec.fun.race.fford royal.rec.boring royal.rec.boring.pinochle royal.rec.boring.bridge royal.rec.boring.knit	royal.pets.dogs royal.pets.dogs.malamutes royal.pets.dogs.rotties royal.pets.dogs.chihs royal.pets.cats royal.pets.cats.persians royal.pets.cats.tabbys royal.pets.cats.strays royal.pets.repts royal.pets.repts.turtles royal.pets.repts.snakes royal.pets.repts.lizards

Viewing information about a discussion group

To obtain information about a discussion group:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups. Type the discussion group you want to see and click OK. (All discussion groups (*) is the default.)
From the Communicator interface, select the discussion group, then choose Edit|Manage Discussion Groups.
To view the discussion group hierarchy, use buttons that appear beside the discussion group:
Plus button. If a discussion group contains other discussion groups, the discussion group name is preceded by the plus button. To view the next level of discussion groups in the discussion group hierarchy, click this button.
Minus button. To close a discussion group hierarchy, click the minus button.
Select the discussion group you want to see information about, then Click General Properties.

You will see information about the discussion group name, display name, type of discussion group, type of postings allowed, whether the discussion group is moderated, and so on.

About discussion group types. A discussion group type can be standard, categorized, or category. If the discussion group is categorized, all discussion groups within the discussion group hierarchy are categories. Categories are displayed differently in the client interface. See "Creating a discussion group" for more information about categorized discussion groups and categories.

About virtual discussion groups. A virtual discussion group contains articles that are the result of a specified search across discussion groups. If a discussion group is a virtual discussion group, you will see the following text beneath the type of discussion group: This is a virtual discussion group.

Creating a discussion group

To create a discussion group, you open the New Discussion Group form and specify the necessary information. Figure 4.1 shows a sample filled-out form for creating the chihs (Chihuahua) discussion group in the royal.pets.dogs hierarchy.

Note: To create a discussion group, the server must be running.

New Discussion Group form

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Groups.
Select the parent discussion group, or to add a top-level discussion group, select the root-level discussion group, then click New.
For example, to add a lower-level discussion group to the royal.pets.dogs hierarchy, click royal.pets.dogs and then click New.
In the Name field, type the name of the discussion group. This name must follow the Internet conventions for newsgroup names. The name cannot include spaces or most special characters. The name cannot include uppercase letters or numbers unless the server administrator specifically configures the server to allow for them. See "Naming your discussion groups" for more information.
In the Display Name field, type a descriptive name, which can include spaces, lowercase and uppercase letters, special characters, and so on. The display name is used in the client presentation.
In the Description field, type a description of the discussion group. (This field is optional.)
Specify the type of discussion group you want: categorized or standard.
The categorized attribute affects the presentation of the discussion group within the client user interface. A categorized discussion group provides a 3-paned interface in which the user can view:
A standard discussion group provides a 2-paned interface in which the user can view:
- All of the articles within a particular discussion group
- The text of a particular article
In a categorized discussion group, any lower-level discussion group is a category. A categorized discussion group cannot contain another categorized discussion group.

Note: If the parent discussion group is already categorized, you do not see a choice for the type of discussion group. Instead, the type of the discussion group becomes category discussion group.
If you want to specify advanced options for the discussion group, such as type of postings allowed or moderation, go to the Advanced Options section (by scrolling) and continue to step 8.
If you do not want to specify further options, click Submit now.

Note: The default options are 1) create the discussion group on all connected servers and 2) local and remote postings to an unmoderated discussion group.
You can specify the following information by clicking the associated button:
Click Submit to create the discussion group.

The Reset button resets any changes to the form that you have not yet submitted.

The server administrator receives a notification control message for each discussion group that is created.

Naming your discussion groups

By default, the Collabra Server enforces the latest proposed newsgroup naming standards. A few Usenet newsgroups do not comply with these standards. Your server will reject these newsgroups.

Although it is not recommended, the server administrator can override discussion group name validity checking by changing the REQUIRE_VALID1036_NAMES parameter value in the nsnews.conf file from DO to DONT. If you do change the value, be aware that doing so might cause server problems. For example, if you change the value to DONT on a Unix machine and then create a discussion group that does not comply to the 1036 standards, replicating this discussion group to a machine that does comply to the naming standards will fail.

Controlling access to a discussion group

This section describes how to use the forms that enable you to:

View access control for a discussion group
Grant access to a discussion group
Delete access to a discussion group
Modify access to a discussion group

These tasks are available to all users who have appropriate permissions to the discussion group.

Before users can perform these tasks, however, the server administrator must do the following:

Create users and user groups and assign roles to the users and user groups
Manage and define user roles
Delegate discussion group management tasks to users (if appropriate), and provide the necessary information about roles and associated permissions to the delegated managers

By default access control is on. If, for some reason, access control has been turned off, the server administrator must enable access control.

These server administrator tasks are described in Chapter 3, "Controlling access to your server."

Delegating management tasks

If you are the manager of a discussion group, you can delegate discussion group management tasks by assigning management roles to other users.

Assume you have created the discussion group royal.pets.* And, within the royal.pets.* hierarchy, you have created the following lower-level discussion groups:

royal.pets.cats

royal.pets.repts

You decide to delegate management of these discussion groups, so you name a manager for each discussion group. Robert manages the royal.pets.cats discussion group; and Jules manages the royal.pets.repts discussion group. Robert and Jules can perform the following tasks on the discussion group they manage and on all lower-level discussion groups within the discussion group hierarchy:

View all discussion groups
Create new discussion groups
Remove discussion groups
Access and change basic information about any discussion group
Add new access to any discussion group
Modify the access to any discussion group
Specify managers and moderators for lower-level discussion groups
Cancel messages posted by other people

See "Specifying access to a discussion group" for more information.

Viewing access control for a discussion group

To view access control for a discussion group:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Groups.
Select the discussion group, then click Access Control Rules.

The Access Control form, as shown in Figure 4.2, appears at the bottom of the discussion group form.

Access Control form

You will see one or more access rules for the discussion group. An access rule maps users and user roles to the discussion group. For lower-level discussion groups, some of these rules are "inherited" from higher-level discussion groups in the discussion group hierarchy.

For example, in Figure 4.2, rule 1 is inherited from the root-level discussion group. Inherited rules are viewable but not selectable. See "Understanding inheritance" for more information.

Note: By default, when the server is first installed, all users inherit the poster role. In the examples in this section, the default rule has been modified so that all users inherit the reader role instead, as shown in rule 1.

The following access rules have been defined for the Pets discussion group:

The default rule (rule 1) has been modified so that all users inherit the reader role (instead of the poster role).
Crowe has "absolute" manager rights to the discussion group (rule 2) because the Continue box is not checked. The asterisk (*) in the host field indicates that Crowe can access the discussion group from any host machine.
An absolute right means that Crowe has manager rights to all lower-level discussion groups in the hierarchy and that this right cannot be revoked by a lower-level rule in the hierarchy. See "Specifying a continued or absolute rule" for more information.

For access rules that are not inherited, you can change the order of appearance by clicking the up or down arrows.

For each access rule, you can view the following information:

The name of the users (user, user group, host) for whom this rule applies. If one rule contains multiple users, you can view all the users by clicking the Edit button, or for inherited rules, the List button.
Whether authentication is determined by:
- default
- basic
- certs
See "Understanding authentication" for more information.
The role granted to the users (user, user group, host) or the denial of all access to the user.
Whether this rule is continued or absolute. See "Specifying a continued or absolute rule" for more information.
If the rule is inherited, the Set from field shows from which discussion group inheritance is set. See "Understanding inheritance" for more information.

For example, assume any user has reader access (read permission) to royal.pets.snakes. This rule is inherited from the root level, as shown in Figure 4.4, rule 1. Consequently, all lower-level discussion groups, including the Snakes discussion group, inherit this rule for all users--unless the rule is specifically overridden by creating a new rule for a particular user.

Assume that Jules, who manages the Snakes discussion group (rule 3), does not want all users to have reader access to the group. So he creates a rule (rule 4) that denies all users access to the Snakes discussion group. He then grants access to specific users. For example, Gena, John, Ben, and Brian have poster rights to the discussion group (rule 5); they can view the discussion group, read messages in the discussion group, and post messages. Raghu, however, can only read messages in the discussion group (rule 6); he cannot post messages to the discussion group.

Access control for Snakes

Jules' strategy works BECAUSE RULE 1 IS A CONTINUED RULE. If rule 1 were not continued, Jules could not override the rule, as he's done in Rule 4. (See "Specifying a continued or absolute rule" for more information.) Only a manager of the discussion group from which a rule is inherited can change the Continue attribute for that rule.

You can specify new rules that override an inherited rule (that is not continued), but you cannot modify the inherited rule unless you have manager access to the higher-level discussion group. For example, only the server administrator, by default, can modify rule 1. And only the server administrator and Crowe, who manages the Pets discussion group (rule 2), can modify rule 2.

Note: If you are granting the same role to multiple users, you should specify one rule with multiple users listed, as shown in Figure 4.4, rule 5. For purposes of visual clarity, some of the examples in this section show a single user per rule. Keep in mind that, for performance reasons, the example shown in rule 5 is the recommended way for specifying multiple users.

Note: If you are denying access, be careful that you do not deny yourself access to the discussion group. For example, if you are granting manager privileges to yourself, be sure to do this before you deny all access. If you do deny yourself access, you'll need to contact your server administrator to fix the problem.

Specifying a continued or absolute rule

To determine the access of a user (user, user group, or host) to a particular discussion group, the Collabra Server begins checking the user's access at the top level of the discussion group hierarchy. The server continues checking until it detects an absolute (not-continued) rule. By default, rules are continued.

You should check Continue if you want the server to continue checking for other access control rules that match this user and this discussion group, and that contain a role that has the permissions necessary for the current action.

If you want the rule you are specifying for this user and this discussion group to be absolute; that is, to apply to this user and all lower-level discussion groups within the hierarchy as well, you should uncheck the Continue checkbox.

For example, if Crowe has absolute manager rights to royal.pets, the server automatically grants Crowe manager rights to royal.pets.dogs and any lower-level discussion groups in the royal.pets.dogs hierarchy. Figure 4.5 shows that Crowe has inherited manager rights to the royal.pets.dogs.rotties discussion group (rule 2).

Consequently, although JMacho, who manages the Rottweilers discussion group, has tried to deny Crowe all rights to royal.pets.dogs.rotties (rule 5), Crowe still has inherited manager rights to the discussion group.

Access control for Rottweilers

In Figure 4.6, JMacho has inherited reader rights to royal.pets.dogs (rule 1), but his rights are not absolute. Consequently, Daphne, who manages the Chihuahuas discussion group (rule 3), can deny JMacho all rights to royal.pets.dogs.chihs, as she has done in rule 8. She then has second thoughts and decides to grant JMacho reader rights to the Chihuahuas discussion group (rule 9). Now, JMacho can read messages in the discussion group, but he cannot post to the discussion group. (Alternatively, Daphne could have deleted rules 8 and 9.)

Access control for Chihuahuas

Robert, who manages the Cats discussion group, decides that JMacho should have no access to the Cats discussion group, so he revokes all of JMacho's permissions to the group, as shown in Figure 4.7 (rule 11). Furthermore, Robert decides that JMacho should have no access to any lower-level discussion groups in the Cats hierarchy, so he decides to make the rule an absolute rule by unchecking the Continue checkbox.

Access control for Cats

Understanding authentication

Authentication verifies the identity of the user. After the user authenticates, access control determines what the user can do. If access control is enabled and your server does not require authentication on first connect (ask your server administrator), users are asked to authenticate when they try to access certain discussion groups.

When you specify access control for a discussion group, you can specify the type of authentication you allow by choosing one of the following options from the Auth by menu:

default. Authentication by default means that the default authentication method is used to control access to the discussion group. The default authentication method is set by your server administrator (Access Control|Access Control Options).
basic. Authentication by login requires the user to specify a user name and password. The user name and password are stored in the directory service. Keep in mind that users can lose, or share, their user name and password. Any user with access to a valid user name and password can access your discussion group from any machine that can access your discussion group.
certs. Authentication by certificate provides stricter access control. Only machines with a valid certificate can access your discussion group. If the user has a valid client certificate, they need not login when they access the discussion group. Authentication by certificate requires a secure Collabra Server. If you do not know if your server is secure, ask your server administrator.

Authentication by certificate has higher priority than authentication by basic login. This means that after a user has authenticated to a discussion group by certificate, the user is not required to login again even if another access control rule in the hierarchy requires basic login.

If you specify authentication by certificate in any access control rule for a discussion group, all users will be asked to authenticate by certificate-- regardless of the authentication methods specified in later rules for a particular user. (The server must prompt for the certificate to determine if later rules specify this user and authentication by basic.) If the user does not have a certificate, the user can still authenticate by user name and password.

If you specify this option, you will want to notify your clients that they must get a client certificate before they can access your discussion group.

Understanding access control for a virtual discussion group

You should understand the following about access control for a virtual discussion group:

When a user creates a search profile for a virtual discussion group, the results of the search depend on the access privileges of the creator. If the creator does not have access to a discussion group, articles from that group are not returned in the virtual discussion group.
By default, only the creator can read the virtual discussion group.
(The server automatically adds an access control rule for the creator of the virtual discussion group.)
For the following reasons, Netscape does not recommend that you change the default access control for a virtual discussion group. If you do change the default access control, be aware that:
- The search results are always based on the creator's access privileges.
- Caution: If another user has access to the virtual discussion group, but not to one of the source discussion groups, the user cannot view the text of the article, but can view the headers, including the subject line, of the article.

Deleting an access control rule

To delete an access control rule:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Groups.
Select the discussion, then click Access Control.
In the Access Control form, select the rule you wish to delete and click the corresponding Delete key (the trash-can icon at the end of the rule).

Modifying access to a discussion group

To modify access to a discussion group:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Groups.
Select the discussion group, then click Access Control.
In the Access Control form, select the rule you wish to modify.
You can make changes by modifying the fields on the main form. You can also make changes to users and groups by clicking Edit to access the Users and Groups search form.
After you've made all your changes, click Submit All Changes on the main access control form or, if you've used the Users and Groups search form, click OK on the search form.

See "Specifying access to a discussion group" for more information about the fields on the form.

Removing a discussion group

To remove a discussion group:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Groups.
Select the discussion group, then click Remove.
Specify whether to remove the discussion group from the local Collabra Server or from all connected servers. (The default is the local Collabra Server.)
Note: If you are using the Netscape Directory Server and you choose to remove the discussion group from the local Collabra Server only, the discussion group and its access control rules are not removed from the Directory Server.

Caution: The discussion group and all lower-level discussion groups within the hierarchy are removed. You will be prompted for confirmation, be sure you want to remove the discussion group hierarchy before confirming.

The server administrator receives a notification control message for each discussion group that is removed. (That is, one notification message for the removal of a discussion group and all lower-level discussion groups in the hierarchy.)

Modifying attributes of a discussion group

To modify the attributes of a discussion group:

From the administrative interface, choose Discussion Groups|Manage Discussion Groups.
From the Communicator interface, choose Edit|Manage Discussion Group.
Select the discussion group, and then click General Properties. From the General Properties form, you can:
Click OK.

The Reset button resets any changes to the form that you have not yet submitted.

Moderating a discussion group

A discussion group moderator performs the following tasks:

Reviews submitted messages
Specifies which messages can be posted and not posted
Sends mail to the author of the denied messages
Forwards accepted messages to the discussion

Moderators, therefore, can control the amount of traffic and the message content a discussion group receives by filtering irrelevant or unwanted material. A moderator, for example, might want to control the content posted to a specific discussion group. A moderator can submit (or reject) each posting, or combine messages and articles to create a digest that gets posted periodically.

For example, assume the royal.pets.dogs.chihs (Chihuahuas) discussion group is open to all users. The purpose of the discussion group is to share information about the care, breeding, and showing of chihuahuas. Some chihuahua fans, however, are annoyed at some of the messages posted to the discussion group. In particular, a few users who own Rottweilers have been posting less-than-flattering messages about chihuahuas to the discussion group.

As the server administrator, you decide to end this bickering and designate a moderator. The moderator will filter the messages posted to royal.pets.dogs.chihs and forward only those messages that meet the discussion criteria. After the moderator becomes familiar with the content of JMacho's messages to the chihuahua discussion group, for example, the moderator might automatically deny messages posted by JMacho.

How to post moderated articles

When an article is posted to a moderated discussion group, the Collabra Server looks for a special header Approved: moderatoraddress. If the address in the header matches the moderator's address for the discussion group, the message is added to the spool. If the address does not match the moderator's address, the message is sent by email to the moderator.

To approve an article, the moderator uses inews, a program that comes with the Collabra Server. The inews program and the Collabra Server must run on the same operating system. Consequently, to enable moderation, you must provide your moderators with the following:

A copy of the inews program
A copy of the nsnews.conf file

The moderator will need to set the NS_NEWSCONF environment variable in the nsnews.conf file to the full pathname of the nsnews.conf file.

When moderators receive a message for approval, they can save the message to a file, and edit the message to remove the moderator header information.

To approve an article, the moderator runs the inews command on the article, as shown in the following example:

inews -h -a moderuser@champagne.royal.com filename_article

The -h option indicates that the file contains headers; the -a option indicates that the file is approved.

To reject an article, the moderator simply does not forward the message to the discussion. The moderator should, however, send an email to the poster and explain why the message was rejected.

If access control is enabled

If access control is enabled, the following rules also apply to moderating a discussion:

You must grant the moderator role to the moderator.
You must specify in the moderator's access control rule that authentication is by basic.
The moderator must specify a user name and password when running the inews program, as shown in the following example:
inews -h -a moderuser@champagne.royal.com -u mewing -w passwd filename_article

Note: If you are requiring authentication at first connect and Client certificate as the default authentication method (Access Control|Access Control Options), the moderator cannot use the inews program.

For more information

The USENET Moderators Archive (ftp://ftp.sterling.com/moderators/index.html) provides a vast repository of moderator knowledge. Some of the information at the archive is specific to various news server products, but most of the material is about moderating a discussion group and the tools available for such activity. As the server administrator, you should ensure that all of your moderators are aware of the Moderators Archive. Another good source of information is the Moderators Handbook (http://www.landfield.com/moderators/handbook/handbook.draft), which should be required reading for all discussion group moderators.

Importing discussion groups

You can import the names of discussion groups from an active file, which is a list of discussion groups that are supported by a server. You can get an active file from some other server. This is a quick way to support the same discussion groups on other servers.

Note: This task is not accessible to users from the Communicator interface.

To host the same discussion groups on your server that are being sent by another server, you should obtain that server's active file and import the desired discussion groups into your server's active file.

The importing can take several seconds, even minutes, depending on the size of the active file being imported.

To import a discussion group:

Choose Discussion Groups|Import Discussion Groups.
Click one of the following options:
- Active file to import discussion groups from
- Remote host to import discussion groups from
In the Import discussion groups matching field, type the text for the discussion groups you want to import. You can type a wildcard pattern to specify the discussion groups.
The Discussion group creator field is informational only and displays the name of the user who created the discussion group.
Click OK. You'll get a confirmation message.

The Reset button resets any changes to the form that you have not yet submitted.

Note: If you are importing an active file from a remote server, be sure your server and the remote server are listening to the same port number.

For more information about setting up discussion group replication with another news server, see Chapter 5, "Managing replication of articles."

Warning!

To import a discussion group, you should never edit the active file. All manipulations should be done only through the administrative interface, which automatically pauses the server.