This article reviews the inheritance of roles in MindTouch and how it applies to users, groups and page permissions. It is presented in the order in which permissions can be inherited or applied.
Before assigning permissions to users, groups and pages, the first level of security and permissions in MindTouch is site access. By default the site is set to public, meaning that any user can navigate the site without being logged in. You can restrict the site to private, which requires the user to log in to see any content:
- On the MindTouch toolbar select Site tools > Control Panel > Configuration.
- Check the Make site private (Anonymous users must sign in) checkbox.
Another component tied to user permissions is user management. There are two types of users in MindTouch: pro members and community members. Pro members are able to contribute to MindTouch, while community members are only allowed to view, comment and rate pages. For more information on how to create users and assign roles, review how to add users.
When a pro member is created in MindTouch, you have the ability to assign a role to that user. Role assignment is the first level of user access permission on your MindTouch site. Keep in mind that roles do not apply to Community Members. Pro member roles provide the first level of restricting what accessibility to features and functionality users have. Roles can be changed at anytime through the control panel.
Group permissions are set through roles at group creation and can be modified at any time via the control panel. The groups roles are the same as the user roles and allow you to aggregate users so that they can easily be applied to pages for permissions along with granting them a higher permission as a whole. Later in this article you'll learn what permissions the user inherits as a bottom line. Review how to create new groups to learn more about adding and configuring groups.
Once you have the users and the groups setup, then you can apply permissions at a page level which allows you to restrict what users and groups have access to page(s) and if they have access to the page, what they are able to do (i.e. edit, delete, etc.). When you apply the permissions you are applying a role for the group or user that could differ from their default role. This allows you to have very granular privileges within MindTouch. You can read on how to apply page permissions within our restrict access documentation.
Now that you understand all of the different areas in MindTouch where you can control permissions and restrictions, let's review how all of the role assignments apply so you can understand how to effectively apply roles and restrictions in order to get your desired result.
A role applied to a user dictates that user's default access permissions across the entire site. If the same user is added to a group that has a different role, the user gets the benefit of both roles.
Example: If I'm a pro member user with a viewer role and I get added to a group that has the author role, then I get the combination of author and viewer roles across the site. A community member cannot gain access permissions beyond a viewer role until they are promoted to pro member status, even if they are granted additional roles through group membership or page permissions.
Pages can restrict and/or enhance the privileges a user or group has, with the limitation that community members cannot gain access permissions beyond a viewer role. Page restrictions have the following effect, unless the user or group is explicitly granted access:
- Public pages revoke no permissions.
- Semi-public pages revoke permission to modify content. Users who access the page have read-only access to the content and attached files, but still have permission to post comments.
- Semi-private pages are hidden from the hierarchy and from search unless the user is added to the permission list or if the user has the URL for that page. Users on the permission list can see the page in the hierarchy and search without navigating to it. Users who only have the URL but are not on the permissions list, can see the page in the hierarchy, but cannot search for it.
- Private pages revoke all access permissions to all users and groups. Private pages are not shown in the hierarchy or in search results. When trying to directly accessing the page, a user will receive a message, stating that the user does not have permission to view the page.
Page privileges enable users and groups to regain access permissions after the page restriction has been applied. Unless a user, or a group the user is member of, is listed in the page permissions list, the user will not be able to perform operations they are otherwise granted on the site. Note that community members cannot gain access permissions beyond the viewer role. In other words, community members are never able to do more than view content.
If users are given the admin role through user or group membership, they have the ability to see all site content and cannot be restricted from any pages on the site. If the admin role is granted at a page level, then the user or group gets admin privileges for that pages, which ultimately allows them to add and execute unsafe HTML in the editor. Page-level admin privileges does not grant access to the control panel unless the admin role is applied at a user or group level.
It is strongly encouraged that as you set up roles and permissions that you have the users test their access to ensure the way you have applied the settings match your expectation for restrictions. As always, if you have questions on how to implement the restrictions, reach out to MindTouch Support.