Permissions in Platform form one of the most advanced permissions systems around, allowing you to define very fine-grained rights for your Editors, Visitors, Members and other users.

Overview

In the permission system a User by default does not have access to anything. To get access they need to inherit Roles, typically assigned to the User Group they belong to.

Model

Roles

First part of the permission model is the Roles, and they consist of the following parts:

RoleLimitation *- RoleAssignment >- Role -< Policy -*< Limitation

• A Role assignment can optionally have a Limitation, Role Limitation examples: SubTreeLimitation or SectionLimitation
• A Role can have several assignments, Role example: Editor, Member, ProSubscriber
  
• A Role consists of several Policies, Policy example: content/read/*, content/edit/* (where * refers to full access, that is no Limitation)
• A Policy optionally consists of several Limitations, Limitation example:ContentTypeLimitation,SectionLimitation,OwnerLimitation

Users

Second part of the model is made up of Users and User Groups:

User -*< UserGroup

• A User can be member of several User Groups, User Group examples: Administrator Users, Member Users, ProSubscriber Users

Role assignments

Last part on the permission model is the fact that Role assignments can be assigned to both Users and User Groups:

User - RoleAssignment - UserGroup

Extensibility

Two parts of the permissions system are extensible from a programmatic perspective: Policies and Limitations

• Policies: Custom Policies can be added for use in your own code, custom Policy example: comment/create
• Limitations: You can extend existing Policies, and hence extend the permissions of the CMS, example could be adding a SubscriptionLimitation to content/read Policy

Related topics:

• Limitations reference
• Custom policies