101 Managing Permissions
Overview
AnswerHub has a very granular and powerful permission management system. Permissions are the way in which the system administrator can configure what each user and group of users are able to see and do in the system.
There are two ways to grant permissions to your users: to an individual user and/or through group membership. The permission settings cascade from site-wide to individual spaces and determine what areas and actions your user can leverage within your community.
Granting Permissions
USERS & GROUPS
Manage Menu
- Manage / Users:
You can view individual users in the admin. This view displays a number of options to gain additional insight into a specific user, including activity, email address, authentication mode, group membership, and user specific permissions.
- Tip: User-specific permissions will always outrank permissions being applied to a user through group membership. Altering permissions for an individual user is not recommended except for testing purposes. Over time it can become a management nightmare and cause unwanted access/capabilities to remain in place for a user despite their group membership.
- Manage / Groups:
- Default groups:
AnswerHub provides 5 standard groups by default, and clients may easily create additional groups to effectively customize the experience for different types of users. It is recommended that additional groups be created to manage access to private spaces, and to improve the ability to track the activities of discrete groups of users such as employees, support agents, business partners, etc.
- Network Administrators: You must be a member of this group to view the Manage Plugins page under the Plugins menu. This allows you to disable/enable plugins, which provide a large majority of the functionality to users within your community. This group should have the lowest number of members, and membership is typically given to a subset of the members of the Super Users group.
- Super Users: This is where all of the "power" comes from; being a member of this group will grant you access to the admin area for your community. Keep this group to a minimum number of users. If you need to grant additional powers to certain types of users, it is best to create a new group and grant only the additional permissions needed. Having too many members in the Super Users group may create security or privacy risks and make it difficult to track.
- Moderators: By default, your primary purpose as moderators involves making edits/changes to content you are not the author of. In addition, you'll also have access to the Moderation and Reported content queue; use the avatar drop-down to access these tabs.
- Users: All users are automatically added to this group; the permissions set for this group serve as the foundation for your community. Because of this, it typically tends to be the most restrictive group. If you are a Super User, you will need to make sure you are removed from this Users group.
- Anonymous: This group represents all unauthenticated users, that is, users who have not logged in.
- Private communities: all permissions are revoked from a site-wide level.
- Public communities: the permissions to view content are typically granted site-wide; however, you may also have a private space or specific space you'd like to revoke Anonymous user access to.
Weighting
Each group comes with a default weight. This is how AnswerHub determines what rights your user should or shouldn't have when they are a member of multiple groups with conflicting permissions.
- Tip: Permissions are one of the more complex areas within AnswerHub. Adjusting the weight of a group adds an additional layer of complexity to the long-term management of your user groups and the permissions associated with them. Because of this, we recommend never altering the weight of a group. The default weights will satisfy 90% of various workflows that are implemented. In most cases, if adjusting the weight seems necessary, it is best to reach out to your dedicated Account Manager for confirmation before doing so. Typically, your desired workflow can be implemented without altering weights if the permissions are set up properly.
Default Weights
- Network Administrators: 1,000
- Super Users: 1,000
- Moderators: 10,000
- Users: 100,000
- Anonymous: NA (once logged in, the permissions applied to this group no longer impact the authenticated user)
- Custom groups: 10
Permissions Table
- Regardless of where you're making changes to permissions, either from the user specific view or for a user group, the table structure displayed to apply permissions will remain the same.
- Dark Blue Column: The two column headers will be highlighted in grey and represent Network Server Defaults and Site-Wide permissions.
- Light Blue Column: Each new column header represents the Spaces; sub-spaces can be seen by expanding within a specific space.
- Sub-spaces: If you have implemented a hierarchy within your space structure by creating sub-spaces, you can click on the Expand button below the parent space name, to go down a level and view the sub-spaces (child spaces). For multiple levels of sub-space, continue the same click path to view any additional sub-sub-space and so on.
- Tip: By default, all child spaces will inherit the permissions set at the parent space level. If nothing has been set there, they will then inherit the site-wide settings. If there haven't been any changes to the site-wide settings, the server default permissions will be applied. This allows for easier management long-term but still allows you to apply different permissions to your lower-level spaces as well.
Making Permission Changes
Regardless of whether or not you are making changes to the site-wide settings, space, sub-space, or a specific user, all of the options presented to you are the same when clicking the wrench icon. There are a few options when it comes to making permission changes. You can grant, revoke, and clear all permissions in bulk and/or set each individual permission to the same options; you can also set permissions by reputation ranges when looking at the Advanced view. You will see the following sentence, “If you prefer the more advanced view, please click here” to navigate to the Advanced view with the legend for the various permission color coding.
- Grouping of Permissions: To make things a bit easier, each individual permission is part of a larger category of permissions.
- Bulk Changes: If you select Clear all, Grant all, or Revoke all, a light box will appear displaying each category of permissions for you to select and apply the bulk change to the following options:
- Anonymous roles
- Standard roles
- Other standard roles
- Moderation roles
- Site administration roles
- Site Owner roles
- Other roles
- Custom roles **
- Advanced View: By clicking the Advanced option in the gear icon drop-down, the grouping of permission roles will expand, showing you each individual permission that makes up the larger category of permissions. This allows you to implement more intricate workflows for your various user groups.
- Tip: All article (KB entry) and idea related permissions are held within the Custom roles category of permissions, provided the individual plugins are enabled.
- The same is true for any new functionality implemented by enabling a plugin. For example, when the Shield Plugin is enabled, a new permission called the Spam Moderator becomes available. In order to access the admin configurations for the Shield plugin, you must be granted this permission once the plugin is enabled.
- If your community has implemented custom functionality (typically done in the form of a custom plugin) that includes new permissions to support the additional functionality then these unique permissions will appear in the Custom Roles category by default as well.
Permission Conflicts
AnswerHub views the lower weighted group as the "winner" when resolving conflicting permissions being inherited and applied to a user who is a member of multiple groups.
Resolving a Permission Conflict
By looking at the advanced permissions table view for an individual user you can hover over each permission role status to determine where the permission is coming from.
- For example, if I know Sally is supposed to have access to the Internal Process space, I would go to the admin, Users & Groups category / Manage / Users, find Sally, and click the wrench icon, then select Edit Permissions.
- From here, scroll through the permission table until you see the Process space column.
- Click the wrench icon for this space and select the Advanced view.
- Now, begin to look at the color of the individual permission statuses. Since Sally was getting an access denied, the majority of the roles should appear red, representing a revoked status.
- Now, hover your mouse over one permission, like Register with the site in the Anonymous roles grouping of permissions. It says, "Revoked on Internal Process to Employees". There is an X and a Y part to this tool tip (Revoked on X to Y).
- X = where the permission is revoked, either sitewide, space or on a sub-space.
- Y = the group where the permission is being inherited from
- Following this path, you're able to easily see a breadcrumb trail of where each individual permission is coming from so that you can make the necessary changes. Keep in mind that while this is helpful, group weights are also taken into account when it comes to inheriting permissions from multiple group memberships.
- Always be sure to make one change at a time, refresh the user specific permission view, and then re-review to determine if further changes need to be made.
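The rules described on this page (user-specific settings first, then the lowest-weighted group, with each setting inherited from space to parent space to site-wide to server defaults) can be modelled as below to reason about a conflict before changing anything. This is an added example, not AnswerHub code: the function names, the "Internal" parent space, the tie order and the way space inheritance combines with group weight are assumptions, since the page does not specify them.

```python
# Added model of the rules on this page; not AnswerHub code.
SITE, DEFAULT = "Site-Wide", "Network Server Defaults"
# Default weights from the page; "Employees" is a custom group (weight 10).
WEIGHTS = {"Network Administrators": 1000, "Super Users": 1000,
           "Moderators": 10000, "Users": 100000, "Employees": 10}
# Constructed hierarchy: child space -> parent (None = top level).
PARENTS = {"Internal Process": "Internal", "Internal": None}

def scope_chain(space):
    """The space, its ancestors, then site-wide, then server defaults."""
    chain = []
    while space is not None:
        chain.append(space)
        space = PARENTS[space]
    return chain + [SITE, DEFAULT]

def first_setting(settings, perm, space):
    """First explicit grant/revoke found walking up the inheritance chain."""
    for scope in scope_chain(space):
        if (scope, perm) in settings:
            return settings[(scope, perm)], scope
    return None

def resolve(user, groups_cfg, perm, space):
    """Return (granted, scope, source) for one permission in one space."""
    # User-specific settings outrank anything inherited from groups.
    hit = first_setting(user["settings"], perm, space)
    if hit:
        return hit[0], hit[1], "user"
    # Lowest-weighted group with an explicit setting wins. Tie order by
    # name is an assumption; the page does not define it.
    for name in sorted(user["groups"], key=lambda g: (WEIGHTS[g], g)):
        hit = first_setting(groups_cfg.get(name, {}), perm, space)
        if hit:
            return hit[0], hit[1], name
    return False, DEFAULT, None  # assumption: nothing set means no access

def explain(user, groups_cfg, perm, space):
    """Tooltip-style trail: 'Revoked on X to Y'."""
    granted, scope, source = resolve(user, groups_cfg, perm, space)
    return f"{'Granted' if granted else 'Revoked'} on {scope} to {source}"

# Constructed sample data mirroring the Sally walkthrough.
PERM = "Register with the site"
GROUPS = {"Users": {(SITE, PERM): True},
          "Employees": {("Internal Process", PERM): False}}
sally = {"groups": ["Users", "Employees"], "settings": {}}
print(explain(sally, GROUPS, PERM, "Internal Process"))
```

Giving `sally` a user-specific grant in `settings` makes `resolve` return the `"user"` source regardless of her groups, which is the lingering-access risk the earlier tip about individual permissions describes.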
Testing Permissions
The best way to test permissions is to create a test user. Once that's done we recommend opening up an incognito window and logging in. This way you have one main browser window logged in as your admin and an additional Incognito window logged in as your test user.
Begin by either:
- Making changes to the individual user's permissions
- Creating a new group, adding the user and making permissions there
- Simply adding the test user to various combinations of existing groups to test out the workflows you currently have in place.
Each time a change is made by your admin, be sure to refresh your incognito window page before you begin testing.
- Tip: Once you're done with your test user, clear out any permissions applied to the individual user and remove them from all groups other than the standard user group. This will prevent you from getting mixed/inaccurate test results down the line.