- Created by Dominika Kurek, last modified on Dec 16, 2015
The permission system in eZ allows you to very precisely define which users have access to which functions of the website.
The permission system in eZ is complex, multi-level and very flexible.
Users can be assigned to User groups. Both User groups and individual Users can be assigned Roles and Policies, further defined with the use of Limitations.
Roles and Policies are set up in the Admin Panel.
Permissions overview
The permission system in eZ is best explained with an example:
Let us assume you are managing a newspaper website. Your crew consists of an editor-in-chief and several editors responsible for particular sections of the paper: general news, local news, sports etc. You also have contributors who occasionally add new articles.
You want to give the editor-in-chief access to most parts of your website, but the individual editors will only work with their own sections. To the contributors you want to give the permissions to create new Content, but not to modify or delete existing Content.
In order to have this setup you need to create a number of different Roles: Editor-in-Chief, different Editor(s) and Contributor.
Tip
Even if you plan on having only one editor-in-chief, it is good practice to create a User group to contain this user, and assign a Role to it instead of assigning permissions directly to the user.
To each of these Roles you need to assign proper Policies, giving them the right to perform certain actions.
The Editor-in-Chief Role would have the most Policies (although you may want to reserve some more advanced permissions only for system administrators). Regular Editors need Policies allowing them to create, modify and delete Content. Contributors can be given Policies permitting them to only create Content.
If you want to prohibit Editors from accessing Content from newspaper sections other than their own, you can add limitations to their Policies. This means that instead of one Editor Role you need separate Roles for each editor profile: Local Editor, Sports Editor etc. All of these Roles will have the same Policies, but to each Policy you need to assign a limitation so that the permission covers only the one Section (sports section, local news section etc.) that the editor works in.
Aside from Policies that define access to Content items, there are also many other Policy types concerned with administrating the system. They cover actions such as activating new Users, creating Sections, modifying Content Types etc.
See also:
For technical information on the permission system, see Permissions.
Roles
A Role consists of a number of Policies, each of which defines access to one functionality of one module (for example modifying articles).
Creating new Roles
1. In the Navigation hub click Admin panel.
2. Select Roles.
A list appears with all the currently configured Roles.
3. Click Create a role below the table.
4. Enter the name of the new Role and click Save.
Assigning Roles to Users
1. In the Navigation hub click Admin panel and select Roles.
2. Click Assign to users/groups next to the Role you want to modify.
The Universal Discovery Widget opens.
3. In the Users category select the Users or User groups you want to assign the Role to.
Tip
You can select more than one User or User group in this way. Navigate to each of them and click Choose this content. This User (or group) will be added to a list at the bottom left of the Discovery Widget. If you want to remove a previously selected User, click this list and remove the entry from it.
4. Click Confirm selection.
Tip
A User (or User group) can be assigned more than one Role.
Unassigning Roles
1. In the Navigation hub click Admin panel and select Roles.
2. Click the name of the Role you want to modify.
3. In the Role view, switch to the Users and groups using the <Role name> role tab.
4. Click Delete assignment next to the User or group you want to unassign.
Policies
A Policy can be understood as a permission for a single action in a specified part of the website system. Each Role can be assigned any number of Policies.
A Policy consists of:
- module - the part of the website or system it concerns, for example: Content, User, Role, Section
- function - the action on the module it allows, for example: Create, Edit, Assign
- (optional) limitations
Note
By default a User or User group has no permissions. Roles and Policies are used to grant permissions to do something, not to prohibit doing it.
Adding Policies
1. In the Navigation hub click Admin panel and select Roles.
2. Click the name of the Role you want to modify.
A list of all Policies of this Role appears.
3. Click Add new policy below the list.
4. Select a combination of module and function in the Policy type menu.
The menu lists all possible operations on all modules existing in the system.
5. Click Save to confirm the new Policy.
Tip
Click Save and add limitations if you want to immediately add limitations to the new Policy. You can also simply save it for now and add limitations later.
Tip
It is also possible to create your own Policies, other than the preset ones. For more information see Custom policies.
Limitations
Limitations further specify permissions granted by a Policy by narrowing their scope. For example, a limitation may state that a given Policy covers only a selected Content Type or Section.
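The newspaper setup from the overview, evaluated under the rules described above (no permissions by default, Policies only grant, limitations narrow a grant), as an added Python model that is not eZ's own code. The user and group names, the lowercase module and function identifiers and the `can` helper are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    module: str                                      # e.g. "content"
    function: str                                    # e.g. "create"
    limitations: dict = field(default_factory=dict)  # e.g. {"Section": {"sports"}}

    def grants(self, module, function, context):
        if (self.module, self.function) != (module, function):
            return False
        # Every limitation on the Policy must match; no limitation = unrestricted.
        return all(context.get(kind) in allowed
                   for kind, allowed in self.limitations.items())


def sectioned(functions, section):
    """Same Policies for every editor profile, each limited to one Section."""
    return [Policy("content", f, {"Section": {section}}) for f in functions]


EDITING = ("create", "edit", "delete")
ROLES = {
    "Editor-in-Chief": [Policy("content", f) for f in EDITING],
    "Sports Editor": sectioned(EDITING, "sports"),
    "Local Editor": sectioned(EDITING, "local"),
    "Contributor": [Policy("content", "create")],
}
# Roles are assigned to User groups or directly to Users (constructed data).
ASSIGNMENTS = {
    "group:chief": ["Editor-in-Chief"],
    "group:sports": ["Sports Editor"],
    "group:contributors": ["Contributor"],
    "user:dana": ["Local Editor"],
}
GROUPS = {"anna": ["chief"], "sam": ["sports"], "dana": ["sports"],
          "carl": ["contributors"], "guest": []}


def can(user, module, function, **context):
    principals = [f"user:{user}"] + [f"group:{g}" for g in GROUPS.get(user, [])]
    roles = [r for p in principals for r in ASSIGNMENTS.get(p, [])]
    # Grant-only: access needs one matching Policy; there is no deny rule.
    return any(policy.grants(module, function, context)
               for r in roles for policy in ROLES[r])
```

Because Roles only grant, a User's effective permissions are the union of every Role held directly or through a group: here `dana` can edit both the sports and local Sections. When reviewing access, check group membership as well as direct assignments.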
Adding limitations
1. In the Navigation hub click Admin panel and select Roles. Click the name of the Role you want to modify.
2. Click Edit limitations next to the selected Policy.
A screen appears with a list of possible limitations. The types of limitations depend on the type of the Policy you are editing. For some Policies no additional limitations are available.
3. Select a limitation (or limitations) from one or more of the lists.
Tip
If you want to select more than one limitation of the same type (for example, several Sections), Ctrl-click or Command-click all these items on the list.
4. Click Save.
Details of the chosen limitation appear in the Policies list.
To change the name of an existing Role, click its name in the list to view its details and then click Edit role name. In this screen you can also remove a Role by clicking Delete.
See also:
For technical information on limitations, see Limitations reference.