This article reviews the inheritance of roles within MindTouch and how it applies to users, groups, and page permissions. It is presented in the order in which permissions can be inherited/applied.
Before drilling into the individual permissions of Users, Groups, and Pages, note that the first level of Security and Permissions within MindTouch is site access. By default the site is set to Public, meaning that any user can navigate the site without being logged in. You can restrict the site to Private, which requires users to log in to see anything, by going to Control Panel > Configuration and checking "Make site private (Anonymous users must sign in)".
Once this configuration is set, users will be required to log in to access any content.
Note that when a site is restricted to Private, search engines will not be able to index MindTouch content unless a user specifically sets a page to public, and adds the "Anonymous User" with a role of Viewer via the Restrict Access menu.
User Seat Management
There is another component to User permissions, which is tied to Seat Management. If a user is seated, they are able, through permissions, to contribute to MindTouch. If the user is Unseated, they are automatically given the Community Member Role, which allows them to view, comment, and rate the page(s).
For more details on how to create users and assign roles, review our User Management documentation.
When a user is created within MindTouch you have the ability to assign a Role to the user. The Role is the first level of permissions/access within MindTouch.
Roles are broken down into the following categories:
- Viewer - This allows the user to view, comment, and rate the page(s)
- Author - This allows the user to edit the page along with all of the privileges of the Community Member
- Editor - This provides all of the privileges of the Community Member and the Author along with the ability to Delete the page and apply permission changes (Note: You need to be an Editor to access the Restrict Access dialog)
- Admin - This provides all of the privileges of Community Member, Author, and Editor along with the ability to add unsafe content, such as scripts that would usually be stripped out.
These Roles provide the first level of restricting which features and functionality users can access. Roles can be changed at any time through the Control Panel.
Group Permissions are set as Roles at Group creation and can be modified at any time via the Control Panel. The Group Roles are the same as the User Roles and allow you to aggregate users together so that they can easily be applied to pages for permissions, along with granting them a higher permission as a whole. Later on in this article I'll explain what permissions the user inherits as a bottom line review. You can review our Group Management documentation to learn more about adding and configuring Groups.
Once you have the Users and the Groups set up, you can apply permissions at a page level, which allows you to restrict which Users and Groups have access to page(s) and, if they have access to the page, what they are able to do (i.e. edit, delete, etc). When you apply the permissions you are applying a Role for the Group or User that could differ from their default Role. This allows you to have very granular privileges within MindTouch. You can read about how to apply page permissions in our documentation.
Now that you understand all of the different areas within MindTouch where you can control permissions and restrictions, let's review how all of the Role assignments apply so you can understand how to effectively apply Roles and Restrictions in order to get your desired result.
A user has a Role applied to them which dictates their default access permissions across the entire site. If the same user is added to a group that has a different Role, the user gets the benefit of both Roles.
Example: If I'm a user with a Viewer Role and I get added to a group that has the Author Role, then I get the combination of Author and Viewer Roles across the site. Note that in order to inherit the Author Role, I need to have Pro Member status within the MindTouch site. A Community Member cannot gain access permissions beyond Viewer Role until they are promoted to Pro Member status, even when they are granted additional Roles through group membership or Page Grants.
Pages can restrict and/or enhance the privileges that a user or group has, with the limitation that Community Members cannot gain access permissions beyond Viewer Role. Page Restrictions have the following effect, unless the user or group is explicitly granted access:
- Public pages revoke no permissions.
- Semi-Public pages revoke permission to modify content. Users who access the page have read-only access to the content and attached files, but still have permission to post comments.
- Semi-Private pages are hidden from the hierarchy and search unless the user is added to the Permission list or if the user has the URL for the page. If the user is on the permission list they will be able to see it in the hierarchy and search without navigating to it. If the user only has the URL, they will only see it in the hierarchy when they navigate to it, but it will still be hidden from search.
- Private pages revoke all access permissions to all users and groups. Private pages are not shown in the hierarchy or in search results. Even when directly accessing them, the user is shown a message that they do not have access permission to view the page.
Page Grants enable users and groups to regain access permissions after the page Restriction has been applied. Unless a user, or a group the user is a member of, is listed in the Page Grants, the user will not be able to perform operations they are otherwise granted on the site. A limitation of Page Grants is that a Community Member cannot gain access permissions beyond Viewer Role.
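The rules above can be checked against a small model before they are applied to real content. The following is an added example, not MindTouch code: it assumes the effective permission on a page is the site-wide Roles (user plus groups) cut down by the page Restriction, with Page Grants added back and Community Members capped at Viewer. The operation names, users, group and pages are constructed for the illustration, and Semi-Private is left out because the article describes it in terms of visibility rather than operations.

```python
# Added illustration: a constructed model of the rules in this article, not
# MindTouch code. Operation, user, group and page names are assumptions.
VIEW = frozenset({"view", "comment", "rate"})
ROLE_OPS = {
    "Viewer": VIEW,
    "Author": VIEW | {"edit"},
    "Editor": VIEW | {"edit", "delete", "set_permissions"},
    "Admin": VIEW | {"edit", "delete", "set_permissions", "unsafe_content"},
}
# Operations a restriction leaves to someone with no grant on the page.
# Semi-Private is left out: the article defines it by visibility, not operations.
RESTRICTION_KEEPS = {
    "Public": ROLE_OPS["Admin"],
    "Semi-Public": VIEW,  # modification revoked; keeping "rate" is an assumption
    "Private": frozenset(),
}
GROUP_ROLES = {"writers": "Author"}  # constructed group

def site_ops(user):
    """User Role combined with the Roles of every group the user belongs to."""
    ops = set(ROLE_OPS[user["role"]])
    for group in user["groups"]:
        ops |= ROLE_OPS[GROUP_ROLES[group]]
    return ops

def page_ops(user, page):
    """Site-wide operations, cut by the Restriction, restored by Page Grants."""
    principals = {user["name"], *user["groups"]}
    granted = set()
    for principal, role in page["grants"].items():
        if principal in principals:
            granted |= ROLE_OPS[role]
    ops = (site_ops(user) & RESTRICTION_KEEPS[page["restriction"]]) | granted
    if not user["pro_member"]:  # Community Members never exceed Viewer
        ops &= VIEW
    return ops

# Constructed users and pages.
ALICE = {"name": "alice", "role": "Viewer", "groups": ["writers"], "pro_member": True}
BOB = {"name": "bob", "role": "Viewer", "groups": ["writers"], "pro_member": False}
CAROL = {"name": "carol", "role": "Editor", "groups": [], "pro_member": True}
PUBLIC = {"restriction": "Public", "grants": {}}
SEMI_PUBLIC = {"restriction": "Semi-Public", "grants": {"writers": "Author"}}
PRIVATE = {"restriction": "Private", "grants": {"carol": "Viewer"}}

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL):
        for label, page in (("Public", PUBLIC), ("Semi-Public", SEMI_PUBLIC), ("Private", PRIVATE)):
            print(f'{user["name"]:6} {label:12} {sorted(page_ops(user, page))}')
```

In this model the Editor loses delete and permission changes on the Semi-Public page because she is not in its grants, while the seated Viewer regains edit there through her group; on the Private page the Editor holds only what her Viewer grant gives her.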
It is strongly encouraged that, as you set up roles/permissions, you use test users to ensure that the settings you have applied match your expectations for restrictions.