Multi-site administrator authentication database

In an agency or large company, you may have administrators who want to log easily into a range of client sites or company micro-sites.

To achieve this, you need to have:

• one additional "global" Zenario site running, and of the same software version as its "client" sites (the site can have its front-end disabled)
• any number of "client" sites (the real sites)
• the server(s) that runs the client sites must be able to make a database connection to the MySQL database on the global site's server (usually that means the same machine or the same local network).

The arrangement works by running one additional Zenario site, and creating the accounts of the multi-site admins on that "global" site.

Client sites that are on the authentication "star" are connected to the hub site by a small change in their configuration files.

How to set up multi-site administrator authentication

The setup is quite easy:

1. Install your client site(s).
2. Install your global site.
3. On the global site, create at least one administrator account.
4. Copy the DB credentials from the global zenario_siteconfig.php file (the first few lines of the file) to the GLOBAL section for each of the zenario_siteconfig.php files of the client sites.

Here are the lines, with example values (normally they are commented out):

define('DBHOST_GLOBAL', 'localhost');
define('DBNAME_GLOBAL', 'zenario_global_db_703');
define('DBUSER_GLOBAL', 'global_user');
define('DBPASS_GLOBAL', 'global_pass_123');
define('DB_NAME_PREFIX_GLOBAL', 'zenario_');

As soon as you've saved the zenario_siteconfig.php file on a client site, you can test the connection.

Simply log in to the client site's URL, e.g. http://zenario-client-site.com/admin and log in with your administrator account as created in step 3 above on the global site. You should be able to log in.

If you see a database connection problem, check your DBHOST_GLOBAL and other connection parameters. If connecting across a network (you may have multiple servers or virtual servers) be sure to check that the global server has its MySQL permissions set up correctly.

How to use it

When you log on a client site, you should find that you can log in normally using your administrator credentials from the global site. If you go to the Administrators panel you should see something like this:

You should see your own details there with an auth-type of "Multi-site". 

Regular administrators will be shown as type "Local", and these accounts only exist on the client site.

Zenario's interface will not betray one group of client administrators to another; the presence of other client sites connecting to the same global database is completely invisible to them.

Permissions

The administrator permissions granted to an administrator on the global site will be reflected on all of the client sites that that administrator logs in to.

Note that modules can create their own permissions: so if a client site has a module with specific permissions that it adds, a global administrator will not have permission to use that module's functionality.

If you wish to get round this - that is, that global administrators should always have full permissions of client sites - then when creating a global administrator, you should assign "every possible permission" like this:

Then when that administrator logs in to a client site, he will always have permission to use all standard and custom features.

Note that global administrators will not be able to retrieve a lost password, change a password, or change other details about their profile, except by logging in to the global site.