Closed (fixed)
Project: OG User Roles
Version: 5.x-3.2
Component: User interface
Priority: Normal
Category: Support request
Assigned:
Reporter:
Created: 19 Jul 2008 at 12:50 UTC
Updated: 15 Oct 2008 at 19:29 UTC
To be able to have TAC hook in to OG posts, the current user needs to be assigned to a role within that group? This wasn't the case in earlier versions of this module, I believe. Earlier versions honored the system wide role within OG too.
Scenario: A site for a company with many subdivisions (OGs). Every user is assigned a system wide role, which limits (with TAC) what the user can access (outside of OG). There are also posts within every OG that need the same access rules, so the user's system wide role should be honored within OG as well. This can't be done without assigning each user an OG Role as well as a system wide role?
Many thanks for your work with this module!
Comments
Comment #1
somebodysysop commented
I don't quite understand what you mean here. OG User Roles (OGR) "TAC/OG Integration" has one goal: To make OG and TAC work in concert. By that I mean that both TAC and OG access rules are respected, instead of one or the other. So, if content has taxonomy and is in a group, a user must have permission to BOTH (not just one or the other) to access the content.
OGR has no effect whatsoever on what users can or cannot see outside of OG context. OGR uses the core Drupal function $user->roles to obtain roles for a user. So, when a user is within group context, it doesn't matter whether his role(s) are site-wide (from users_roles table) or group limited (og_users_roles table).
That said, ogr_access grants are a slightly different matter: These grants are determined by the combination of role and taxonomy permissions a user has for each node within a group. Since it is the og_users_roles table which is used to create these grants, they do, by definition, exclude site-wide roles. And, in that sense, ogr_access grants are NOT generated for site-wide roles.
But, ogr_access grants were only created to allow users to see what content they can access in other groups. The only place this happens in a normal Drupal site is with "Recent Posts". Before ogr_access, you could only see content you had access to in your *current* group. With ogr_access, you can now see content you have access to in *all* groups.
Theoretically, access control for any content that the user has access to exclusive of OGR (that is, access determined by site-wide roles from users_roles table) would be handled by the usual OG and TAC grants. But, again, this only applies to access to nodes outside of group context; i.e., viewing nodes using "Recent Posts".
By definition, ogr_access only deals with access determined by OGR.
If this is a problem for you, one possible solution: Use the OGR default new member role assignment feature to give all new subscribers to every group the same sitewide role within the group -- that way you can be sure that ogr_access grants will be created for the site-wide role as well.
Hope this helps.
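A simplified model of the behaviour described in comment #1, added here as an illustration; it is not OG User Roles code and not part of the original thread. The table names `users_roles` and `og_users_roles` come from the comment; the data layout, sample users, terms and function names are assumptions.

```python
# Constructed sample data. Table names follow the thread; the layout is assumed.
USERS_ROLES = {("alice", "staff"), ("bob", "staff")}  # site-wide: (uid, role)
OG_USERS_ROLES = set()                                # group-limited: (uid, gid, role)
OG_MEMBERS = {("alice", "sales"), ("alice", "hr"), ("bob", "sales")}  # (uid, gid)
TAC_VIEW = {("staff", "internal")}                    # (role, term) allowed to view
NODES = {"n1": ("sales", "internal"), "n2": ("hr", "internal")}  # nid -> (gid, term)


def roles_in_group(uid, gid):
    """Roles seen in group context: site-wide plus group-limited roles."""
    site = {r for u, r in USERS_ROLES if u == uid}
    group = {r for u, g, r in OG_USERS_ROLES if u == uid and g == gid}
    return site | group


def can_view_in_group(uid, nid):
    """Both checks must pass: OG membership AND a role with TAC permission."""
    gid, term = NODES[nid]
    if (uid, gid) not in OG_MEMBERS:
        return False
    return any((r, term) in TAC_VIEW for r in roles_in_group(uid, gid))


def ogr_access_grants(uid):
    """Cross-group grants, built from og_users_roles only (site-wide roles ignored)."""
    grants = set()
    for nid, (gid, term) in NODES.items():
        for u, g, r in OG_USERS_ROLES:
            if u == uid and g == gid and (r, term) in TAC_VIEW:
                grants.add(nid)
    return grants


def apply_default_member_role(role):
    """Workaround from the comment: every group member gets `role` inside the group."""
    for uid, gid in OG_MEMBERS:
        OG_USERS_ROLES.add((uid, gid, role))
```

In this model a user holding only a site-wide role passes the in-group check but gets no cross-group grants until the same role is also assigned within each group.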
Comment #2
somebodysysop commented
Haven't heard anything back, so will assume this is fixed.
Comment #3
blackdog commented
Sorry for not getting back to you on this. I think I get the picture now, thank you!
Comment #4
Anonymous (not verified) commented
Automatically closed -- issue fixed for two weeks with no activity.
Comment #5
somebodysysop commented
See updated documentation on this here: http://drupal.org/node/281197