Managing the Site: Giving a user permissions
Definitions relevant for this tutorial:
- Permission: the ability to perform a specific task in a given area of the site. These do not change.
- Role: a group of permissions makes up a role. Permissions associated with a role are managed in a fine-grained security system (via the ZMI). Roles can be assigned to groups or individual members.
- Local role: a role that is assigned for a specific folder or individual document on the site. This can be used to allow certain users to gain more content management permissions in a limited way. Assigned through the Plone interface (via the "sharing" tab for any piece of content).
- Global role: allows a user to exercise permissions anywhere in the site. Can be assigned to groups via the Plone "user and group" management interface or via the ZMI.
- Member: has his/her own space under Members/membername where he/she can create/modify/submit his/her own documents. Members can't create new keywords - they are forced to use existing ones. In addition, a manager can promote a Member to Owner or Reviewer for specified folders (or the whole site). CPSR members can also submit content in the News folder, the CPSR in the News folder, the Issues folder, and the members-only folder.
- Owner: This role is defined on a per-folder basis (acquisition works here just fine - make somebody the owner of plone/a and he'll automatically own plone/a/b unless you specify manually plone/a/b to be owned by somebody else). An owner can also create a co-owner via local_roles and remove a reviewer (but can't assign one). This means: one folder can have more than one owner and they all will have the same rights in that folder. Owners can't assign roles beyond "Authenticated" and "Owner".
- Reviewer: A reviewer can edit/publish content/metadata but cannot create new content nor alter local roles.
- Manager: The Manager Security role is a standard role in Zope. A user with the Manager role has ALL permissions except the Take Ownership permission. Also commonly known as Administrator or root in other systems. Can add/modify users, add keywords, publish/revoke/modify content. Assigns local roles for users (promotes them to specific levels).
Note: managers need to be logged in to perform these steps.
When there is (or possibly will be) a group of members that will need the same role...
- Create a group that will have this role (then members can be given the role simply by adding them to the group, saving time as those participating change). Use the Groups Overview screen --> Add new group.
- Add members who will need this role into the group. From the Groups Overview screen, select your new group. You will see a list of the site members. Check the box next to those that you want to add to the group (one screen at a time), and click "add selected users to this group" (near bottom of the page).
- Navigate to the content you want to allow the group to manage.
- Assign a local role to the group. Click on the "sharing" tab (in the group of tabs with "edit", "view", "content" etc., located over the blue content bar). Scroll down the page to the "Add sharing permissions to groups" section. Check the box next to the name of the group you created and select the appropriate role from the drop-down menu. Click "assign local role to selected group".
Note: You can assign a group a manager role for a folder. They will be able to add/edit/delete content in that folder and any subfolder.
When a single member needs a unique ability to manage specific content...
- If the person does not already have a member/user account on the Web site, create one. From the Users Overview screen, click on the "add new user" button. Enter in the necessary information: full name, a user name (for example, first initial + last name), email address, and a password (make one up that the member can later change), and click on the box to send the user the password via email.
- Navigate to the content you want to allow the member to manage.
- Click on the "sharing" tab (in the group of tabs with "edit", "view", "content" etc., located over the blue content bar) to access the local role form.
- Scroll down the Local role form page to the section "Add sharing permissions for <name of content>". Find the user by entering a search term in the box and searching for the username or name of the member. When you see the user's name in the list, check the box next to the name and select the appropriate role from the drop-down menu. Click "assign local role to selected user".
When a user needs a global role (i.e. permissions in all content areas of the site)...
You can assign some roles for site-wide capabilities (manager and reviewer). Both of these roles have been set up with groups, so that to assign the site-wide role, you can just add the given member into the appropriate group. Note: the manager role should not be assigned to people who are not willing to accept responsibility for all of the privileges that come with this role. PLEASE use this role sparingly as it can lead to difficulties in maintaining the site if too many people have a global manager role.
To assign the global role, add the member to the appropriate group:
- Alternate 1. Find the member that you want to assign the role to from the User Overview screen. Click on the member's username and you will see the "user properties" information (note the blue tab over the content). Click on the "group memberships" tab next to the highlighted tab. Check the box next to the appropriate group (i.e. "reviewer" or "manager") from the list and click "add user to selected group".
- Alternate 2 (useful when adding two or more members at a time). Click on the name of the group you will be adding members to from the Groups Overview page. From the list of members that is presented, check off the boxes next to the username(s) that you want to add to the group (add members from one screen before scrolling through the list to find additional members). Click on "add selected members to this group" button.
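Group membership, local roles set on the "sharing" tab, and global roles all combine when the site decides what a user may do in a given folder. The following added example is a simplified Python model of that combination, not Plone's or Zope's own code; every user, group and folder name is constructed, and the model assumes that roles acquired from parent folders add to those set lower down and that every user holds Member. It lists who effectively holds Manager at a folder, which is the check to run when keeping that role sparse.

```python
# Simplified model of role resolution as described in this tutorial.
# Not Plone code; all names below are constructed sample data.
USERS = {"alice", "bob", "carol", "dave", "erin"}
GROUPS = {"editors": {"alice", "bob"}, "manager": {"carol"}}
# Global roles: principal (user or group) -> roles valid anywhere in the site.
GLOBAL_ROLES = {"manager": {"Manager"}, "dave": {"Reviewer"}}
# Local roles: folder path -> {principal: roles}, as set on the "sharing" tab.
LOCAL_ROLES = {
    "plone/a": {"editors": {"Manager"}, "erin": {"Owner"}},
    "plone/a/b": {"bob": {"Reviewer"}},
    "plone/news": {"alice": {"Reviewer"}},
}

def principals_for(user):
    """The user id plus every group the user belongs to."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def ancestors(path):
    """Yield the path and each parent folder: plone/a/b, plone/a, plone."""
    parts = path.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])

def effective_roles(user, path):
    """Global roles plus local roles acquired from the path and its parents."""
    who = principals_for(user)
    roles = {"Member"}  # assumption: every account is at least a Member
    for principal in who:
        roles |= GLOBAL_ROLES.get(principal, set())
    for folder in ancestors(path):
        for principal, granted in LOCAL_ROLES.get(folder, {}).items():
            if principal in who:
                roles |= granted
    return roles

def audit(role, path):
    """Sorted list of users who effectively hold `role` at `path`."""
    return sorted(u for u in USERS if role in effective_roles(u, path))

if __name__ == "__main__":
    for folder in ("plone/a/b", "plone/news"):
        print(folder, "Manager held by:", audit("Manager", folder))
```

Note how a Manager local role given to a group on plone/a reaches every group member in plone/a/b as well, so reviewing group membership is part of reviewing who can manage a folder.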
Last modified July 29, 2005 01:05 PM