1.7.1 User Roles and Permissions

Disclaimer

Plone Groups

Although Plone offers a wide range of distinct authorisation roles, only two are actually required for the purposes of this example in its default "Simple Publication Workflow": users who create material, Contributors, and Reviewers who edit, retract, or publish content

Setting up authorisations in Plone groups and then allocating users to these groups based on their site responsibilities is best practice

See the full default set of Roles available in Plone

By default, Plone only offers groups for Reviers and Site administrators

• Reviewer - Group with content reviewer role and can edit/publish content that has been submitted for review, but cannot create new content.
• Site Administrator - Super user powers within Plone site with full access to manage content and configuration in a Plone site

The manager users does the systems administration and can be ignored in the CMS context. The authenticated user group can be used to differentiate between anonymous visitors and signed in users when showing pages

Creating new users

Navigate as admin user to the Users and Groups page from the site setup. The current list of users is shown in a table of roles of which any number may be assigned to them

You may edit users' roles here too

Click [Add new User] and complete the form including a password. It is better to have the system mail the new user authorisation credentials - leave the password fields empty and select 'Send a Confirmation'

You may also assign the new user to existing groups here already

Creating a new Group

Site administrators can create new groups and give them exclusive access to certain parts of the site. E.g. create a group for the users who work on SOP development and share only those folders with group members

On the Groups page, click  [Add an new group] and complete the next page, you may also provide an email address for the group

Click [Save]

To add users to the group, click its Group Members tab and search for users, select them and click [Add]

Not that groups can be nested, any group may include sub groups

Sharing private folders

User roles for every site section are inherited from higher levels but it is possible to let users have specific roles on certain context using the Sharing tab for folders. It allows the Site Administrator to add users or user groups to have rights to add, edit or review content at that specific folder and sub structure

In the example members of the SOP Development group is given specific permissions on the SOPs folder

***

More about Users and Groups by the Quinta group