What makes Plone an enterprise CMS? What is missing?

Continuing the discussion from GSoC 2022 brainstorming:

Copied from previous thread:

We should identify what makes Plone an "enterprise CMS" and bring these capabilities back in Plone 6.
This is clearly not a recycle bin or some similar toy.

Plone lacks decent capabilities in

  • decent OAuth support out of the box for all major providers (Google, Azure etc.)
  • strong and customizable password policies (a password length of 5 chars out of the box is a joke)
  • better user management (at least it should be possible to lock accounts)
  • better tracking of user activity for better site protection (e.g. automatically lock accounts after N failed login tries)
  • support for 2FA (is there a generic approach or some standard available?)
  • 2FA login support using security devices (YubiKey or so)

Yes, agreed on these items. Also look at GitHub - castlecms/castle.cms: A product of Wildcard Corp. https://wildcardcorp.com for implementation ideas that are specifically for making Plone more secure and big enterprise ready. I still miss these features on "standard" Plone deployments.

I'd be thinking wider than enterprise CMS which is a very ill defined and old term.
I'd be looking at something more like content governance, which is more about how to decentralise content editing and workflow, which Plone is already good at.
But there are some things missing, like audit reports to see who is publishing what, to get visibility of what is happening over a large site?
One thing we had to hack into Plone workflow related to this that would be nice to have out of the box is multistep workflow where the next person is nominated or assigned at a previous step rather than anyone from a role.
Another thing is better support for checklists and conditions on workflow steps.
Audits on deleted content is another.
Ability to stage and review changes across many pages at once is a hard problem but something still missing.
Another one we've hacked in before is a re-review workflow for ensuring content is still relevant X months after publication.
This article talks about avoiding duplicated content, which is another thing that can be automated and is a problem for bigger sites.


Discourse (what this forum is) suggests what it thinks are similar posts as you compose a new post and start filling in the title of your post, to avoid people asking a question that has already been answered.

These are great ideas

One area that would be great to improve with Plone is "connected services". We have a great core and obviously some of the missing features are covered by addons. But where are they visible? The list of notable addons is thin and hasn't been updated. With major Plone versions we keep losing important addons, because they're not kept up to date. And to me, it looks like it's a struggle to keep Plone afloat, when competing with the highly financed "software as service" models. Where it's still competitive, it seems to me that it's not chosen for being the best solution, but just because it's cheap and open source.

To make it enterprise, I think the Plone Foundation should invest in keeping at least one or two full-time developers working on core and connected. Just like the Python Foundation has started doing.

These listed 'enterprise' features are for a large part about user access and control. But in 'large' enterprise configurations/stacks, these features are no longer handled by the CMS because there is an external user directory (over LDAP) which provides these services and controls (password management/account revocation, 2FA).

Having these in core Plone is much more a requirement for smaller sites/organisations (SME) where users and groups are still stored and managed in the CMS, so the opposite of 'enterprise'... For enterprise setups you would have to watch out that added restrictions or checks on users don't get in the way.

Good point... but in the end you need support for OAuth for integration in larger orgs and you want 2FA support on the Plone layer for smaller installations where you don't authenticate against a cloud service.

+1000 :slight_smile: