Giving a user permissions, creating groups, adding users to groups
Definitions relevant for this tutorial
- Permission: the ability to perform a specific task in a given area of the site (e.g. edit a page, view an unpublished image, create a folder, etc.).
- Role: a group of permissions makes up a role. Permissions associated with a role are managed in a fine-grained security system. Roles can be assigned to groups or individual members.
- Local role: a role that is assigned for a specific folder or individual document on the site. This can be used to allow certain users to gain more content management permissions in a limited way. Assigned through the Plone interface (via the "sharing" tab for any piece of content).
- Global role: allows a user to exercise permissions anywhere in the site. Can be assigned to groups via the Plone "user and group"
The Different Roles
- Member: All newly created users are given this role. Members can't create new content unless given a permission to do so. In addition, a Manager could promote a Member to Owner or Reviewer for specified folders (or the whole site). Member permissions can be custom set by site administrators.
- Owner: This role is defined on a per-folder basis. An owner can also create a co-owner and remove a reviewer, but can't assign one. This means one folder can have more than one owner, and they will all have the same rights in that folder. Owners can't assign roles beyond "Authenticated" and "Owner".
- Reviewer: A reviewer can edit/publish content but cannot create new content nor alter local roles.
- Manager: The Manager security role is a standard role in Plone. A user with the Manager role has ALL permissions except the Take Ownership permission. Also commonly known as Administrator or Site Administrator. Can add/modify users, add keywords, and publish/revoke/modify content. Assigns local roles for users and/or promotes them to specific levels.
Creating New Users
Note: managers need to be logged in to perform these steps
- Click on the Site Setup link, usually found near the Site Map and/or Contact links
- Select User and Groups Administration
- From here you can Search for an existing user or Show All to view everyone
- Click the Add New User button
- Enter all the person's information, including a password and a valid email
- Click the Register button to add the new user
The user has been created and can now log in. Keep in mind, though, that newly created users are only given the Member role to start with. You must Search or Show All to find the new entry if you want to change their role to Reviewer or Manager.
Note: managers need to be logged in to perform these steps
When a group of members will need the same role:
- Create a group that will have this role (then members can be given the role simply by adding them to the group, saving time as those participating change). Use the Groups Overview screen (at http://yoursite/prefs_groups_overview) --> Add new group.
- Add members who will need this role into the group. From the Groups Overview screen (at http://yoursite/prefs_groups_overview), select your new group. You will see a list of the site members. Check the box next to those that you want to add to the group (one screen at a time), and click "add selected users to this group" (near the bottom of the page).
- Navigate to the content you want to allow the group to manage.
- Assign a local role to the group. Click on the Sharing tab in the taskbar. Scroll down the page to the "Add sharing permissions to groups" section. Check the box next to the name of the group you created and select the appropriate role from the drop-down menu. Click "assign local role to selected group".
Note: You can assign a group a manager role for a folder. They will be able to add/edit/delete content in that folder and any subfolder. This is the most common
When a single member needs a unique ability to manage specific content...
- If the person does not already have a member/user account on the Web site, create one. From the Users Overview screen (at http://yoursite/prefs_users_overview), click on the add new user button. Enter the necessary information: full name, a user name (for example, first initial + last name), email address, and a password (make one up that the member can later change), and click on the box to send the user the password via email.
- Navigate to the content you want to allow the member to manage.
- Click on the Sharing tab (in the group of tabs with "edit", "view", "content", etc. located over the content bar) to access the local role form.
- Scroll down the Local role form page to the section "Add sharing permissions for <name of content>". Find the user by entering a search term in the box and searching for the username or name of the member. When you see the user's name in the list, check the box next to the name and select the appropriate role from the drop-down menu. Click "assign local role to selected user".
When a user needs a global role (i.e. permissions in all content areas of the site)...
You can assign some roles for site-wide capabilities (manager and reviewer). Both of these roles have been set up with groups, so that to assign the site-wide role, you can just add the given member into the appropriate group.
Note: the manager role should not be assigned to people who are not willing to accept responsibility for all of the privileges that come with this role. PLEASE use this role sparingly as it can lead to difficulties in maintaining the site if too many people have a global manager role.
To assign the global role, add the member to the appropriate group:
- Alternate 1. Find the member that you want to assign the role to from the Users Overview screen (at http://yoursite/prefs_users_overview). Click on the member's username and you will see the "user properties" information (note the tab over the content). Click on the "group memberships" tab next to the highlighted tab. Check the box next to the appropriate group (i.e. "reviewer" or "manager") from the list and click "add user to selected group".
- Alternate 2 (useful when adding two or more members at a time). Click on the name of the group you will be adding members to from the Groups Overview screen (at http://yoursite/prefs_groups_overview). From the list of members that is presented, check off the boxes next to the username(s) that you want to add to the group (add members from one screen before scrolling through the list to find additional members). Click on the "add selected members to this group" button.
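The local and global role rules described above, written as a small model for checking who ends up with Manager and where. This is an added example, not Plone code or its API; it assumes a local role on a folder also applies to its subfolders, as the note above states, and every user, group and folder name is constructed.

```python
# Simplified model of the role rules in this tutorial; not Plone code.
# Every user, group and folder name below is constructed sample data.
GLOBAL_ROLES = {  # principal (user or group) -> site-wide roles
    "alice": {"Member"}, "bob": {"Member"}, "carol": {"Member"},
    "managers": {"Manager"}, "reviewers": {"Reviewer"},
}
GROUPS = {  # group -> members
    "managers": {"alice"},
    "reviewers": {"bob"},
    "news-editors": {"bob", "carol"},
}
LOCAL_ROLES = {  # folder -> {principal: roles granted on the Sharing tab}
    "/news": {"news-editors": {"Manager"}},
    "/news/archive": {"carol": {"Reviewer"}},
}


def principals_for(user):
    """The user plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_roles(user, path):
    """Global roles plus local roles set on the path or any parent folder."""
    who = principals_for(user)
    roles = set()
    for principal in who:
        roles |= GLOBAL_ROLES.get(principal, set())
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        folder = "/" + "/".join(parts[:depth])
        for principal, granted in LOCAL_ROLES.get(folder, {}).items():
            if principal in who:
                roles |= granted
    return roles


def global_managers():
    """Users who hold Manager site-wide, directly or through a group."""
    users = {u for members in GROUPS.values() for u in members}
    users |= {p for p in GLOBAL_ROLES if p not in GROUPS}
    return sorted(u for u in users if any(
        "Manager" in GLOBAL_ROLES.get(p, set()) for p in principals_for(u)))


if __name__ == "__main__":
    print("global managers:", global_managers())
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_roles(user, "/news/archive/2020")))
```

In the sample data only alice is a global Manager, while bob and carol gain Manager under /news through the news-editors group and nowhere else, which is the scoping the local role procedure is meant to give.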