1.7.1 User Roles and Permissions

Disclaimer

Plone Groups

Plone makes a full set of differentiated authorisation roles available, but for the purpose of this example in its default 'Simple Publication Workflow, only two are really necessary, for users creating content, Contributors, and Reviewers to edit, retract or publish content

Best practice is to set up the the permissions in Plone groups, and then assign users to these groups depending their responsibilities on the site

See the full default set of Roles available in Plone.

By default, Plone only offers groups for Reviers and Site administrators

• Reviewer - Group with content reviewer role and can edit/publish content that has been submitted for review, but cannot create new content.
• Site Administrator - Super user powers within Plone site with full access to manage content and configuration in a Plone site

The manager users does the systems administration and can be ignored in the CMS context. The authenticated user group can be used to differentiate between anonymous visitors and signed in users when showing pages

Creating new users

Navigate as admin user to the Users and Groups page from the site setup. The current list of users is shown in a table of roles of which any number may be assigned to them

You may edit users' roles here too

Click [Add new User] and complete the form including a password. It is better to have the system mail the new user authorisation credentials - leave the password fields empty and select 'Send a Confirmation'

You may also assign the new user to existing groups here already

Creating a new Group

Site administrators can create new groups and give them exclusive access to certain parts of the site. E.g. create a group for the users who work on SOP development and share only those folders with group members

On the Groups page, click  [Add an new group] and complete the next page, you may also provide an email address for the group

Click [Save]

To add users to the group, click its Group Members tab and search for users, select them and click [Add]

Not that groups can be nested, any group may include sub groups

Sharing private folders

User roles for every site section are inherited from higher levels but it is possible to let users have specific roles on certain context using the Sharing tab for folders. It allows the Site Administrator to add users or user groups to have rights to add, edit or review content at that specific folder and sub structure

In the example members of the SOP Development group is given specific permissions on the SOPs folder

***

More about Users and Groups by the Quinta group