Why create restricted access areas?

Suppose your organization is made up of staff, volunteers, and board members. Your staff are obviously responsible for creating and maintaining content on the website. Therefore, they need to have the highest level of access to be able to do that job. But board members and volunteers may want to add to the site as well, or have access to sensitive information that you do not want publicly available.

The best solution is to create a space on your website specifically for these groups to "own" and manage for their own needs. Usually that takes the form of a private folder or page. For this tutorial we're going to use the example of a Board section.

Background:

Before we begin this tutorial, I would advise you to read through this general tutorial about Users, Groups, and Permissions. It's not specific to the case we're going to cover here, but it does have some basic information you should know about before reading this tutorial. Pay particular attention to the Definition of Terms, and Creating New Users.

The steps involved:

1. Create users
2. Create a group
3. Add users to that group
4. Create the Board folder and add contents (if any)
5. Change folder and contents to private state
6. Permission the board group to manage the folder

If you haven't already done so, you need to create the users on your website who will use the private Board folder. To see what users have been created for your site, go to Site Setup -> Users and Groups Administration. From here you can or Show All to see a list of everyone

Do not confuse the member ROLE with a member of your organization. One is a role in Plone, the other is your relationship with the individual.

As you can see from the above example, each user has a User Name, Email and Role column. This is where you set the Global Role for a user. Global Role controls how that user can behave across the entire site. For your Board members, you should leave them in the member Role. If you want those individuals to also change or add content anywhere on the site, you can give them the manager Role.

When you're done adding new members and setting their role, you're ready to move onto the next step.

Now that you have created your list of Board members, it's time to create a group for them. The purpose of creating groups is that groups can be given both Global and Local roles, which means you do not have to change roles for each individual. The idea is to create one group which gets assigned a role for a folder. Any users in that group inherit the local role.

From Site Setup -> Users and Groups Administration click on the green groups tab on the task bar. You should see the title Groups Overview and any existing groups listed there (many sites have Administrators and Reviewers as default groups).

1. Push the icon.
2. Fill in Board, for both name and title
3. Fill in a description if you wish
4. Enter an email address. You should use your own email, if you are creating the board.
5. Push Save.

Assign the group role as member, unless you want all Board members to have full access to all parts of your site.

At this point the group has been created and you have your list of users. Now you must add users to your group. To do that, click on the group name. From there you can search for individual members, or click the Show All button to see everyone.

Select users one at a time, or use the checkbox at the top to select all users. Then push the "add selected groups and users to this group" button to finish.

If you haven't already done so, at this point you should create a folder for your Board and put all the content you have for the Board in that same folder. Set the publishing state for the folder and its contents to private. If you do not change the publishing state, anonymous users can potentially find and access your restricted documents.

Once that is done you are ready to assign permission to work on that folder to your Board group. To do that, click on the green Sharing tab in the taskbar for your Board folder.

There are three main areas of the sharing screen:

1. Current sharing permissions for Board - Whoever created the folder in the first place will be listed here as the Owner. As you permission other users and groups, they will appear in this box.
   
2. Add sharing permissions to users - Use this box to add permissions to a single user.
   
3. Add sharing permissions to groups - Use this box to add permissions to a group. This is the box you want to permission your Board group for the Board folder.

Use the checkbox to select the Board group, then choose Manager from the Role to assign list. This will allow the Board group total control of the Board folder, but no other section of your website. If you only want your Board to view documents in the Board folder, select Member from the list instead. Push the "assign local role to selected group(s)" to finish.

Once you're all done with that, you should see the Board group appear in the first box of the Sharing screen like this:

Now all users in the Board group will have the ability to log-in, go to the Board folder, and create, edit, or view all the content contained there. In this set-up, the Board group won't be able to edit or create content anywhere else on the site.

The last thing to do would be to copy the URL of the Board folder and put it in an email to your Board members so they will know where to find their restricted access section. The Board folder won't be able to be found by a search, nor will it appear in the site navigation.