HTML Logo by World Wide Web Consortium (www.w3.org). Click to learn more about our commitment to accessibility and standards.
Proud to be a PHP Open Source CMS
Learn more

ocPortal Tutorial: Access control and privileges

Written by Philip Withnall, ocProducts
Any large site will have areas that it wants certain members to be able to access, but not others. For example:
  • Categories of information that are visible to the eyes of members from only one group.
  • Pages available only if you're new to the site.
ocPortal has a powerful access control and privilege system built into its core.
For an overview of the ocPortal permission system, see the 'Advanced configuration' tutorial.


Table of contents

  1. ocPortal Tutorial: Access control and privileges
    1. Access control
      1. Editing zone permissions
      2. Editing page permissions
      3. Editing category permissions
      4. Match key permissions
    2. Specific permissions
    3. Testing access and privileges
    4. Adding a new group for a non-OCF site
    5. See also

Access control

Thumbnail: The Permission Tree Editor

The Permission Tree Editor
To edit permissions in ocPortal you can either use:
  • The permissions tree editor
  • Manual configuration

{!DOC_PERMISSIONS_TREE}

The remainder of this section is concerned with manual permission setting.

Editing zone permissions

Thumbnail: Setting zone permissions

Setting zone permissions
You can edit zone permissions by editing the zone for which you want to change the permissions.

Choose a zone to edit (bear in mind that you can't change permissions for the Welcome Zone, as everybody is allowed to access it), and continue.

Thumbnail: Choosing a zone to edit

Choosing a zone to edit
You will be presented with the zone editing form. Near the bottom are the options for usergroup access permissions; one binary "can/can't" access permission per usergroup. Toggle the checkboxes as you see fit (if a checkbox is unchecked, the corresponding group can't enter the zone, but if it is checked, the group can enter the zone without problem), and submit the form.




Editing page permissions

Thumbnail: Editing page permissions

Editing page permissions
To edit a page's permissions manually, you need to go to the page permissions page. Once more, choose a zone to edit, and submit the form. You will be presented with a checkbox-grid of the permissions for every page in your selected zone. Along the top are the names of all the groups on your site, and down the side are the names of all the pages in your selected zone. In the middle is a checkbox-grid for the permissions, and down the right is a column of buttons for inverting a whole row of checkboxes at once [Example ].

Once all the access permissions are set as appropriate, submit the form.


Editing category permissions

Thumbnail: Editing category permissions

Editing category permissions
Group access permissions exist for just about any type of category ocPortal provides: from calendar entry types to news categories, you can easily set the group access permissions through the category edit page. In this example, we'll change the group access permissions for a news category.

Click on the edit category link for the category type you want to edit.

Select the category to edit, and submit the form.

Then, set the permissions as necessary, and submit the form once more.
Thumbnail: Choosing a category to edit

Choosing a category to edit

The process is the same for editing the permissions of any type of category.

Match key permissions

Thumbnail: Here we have removed banner submission for guests. Normally we would restrict based on content visibility level, but that is less fine-grained.

Here we have removed banner submission for guests. Normally we would restrict based on content visibility level, but that is less fine-grained.
{!DOC_PAGE_MATCH_KEY_ACCESS}

Specific permissions

Thumbnail: Choosing a specific permission section to edit permissions within

Choosing a specific permission section to edit permissions within
{!DOC_SPECIFIC_PERMISSIONS}

Testing access and privileges

Thumbnail: The SU feature is incredibly quick and easy: just enter a name and click a button

The SU feature is incredibly quick and easy: just enter a name and click a button
To test access permissions and specific permissions, it's best to create a test user, or to assume the identity of a lower-ranking (non-administrator) member. This section is concerned with the use of the "su" function. If you want to learn how to create a member, or edit member ranks, go to the [relevant tutorials].

Thumbnail: Setting specific permissions

Setting specific permissions
The "su" function allows an administrator to quickly and easily assume the identity of somebody else, for whatever nefarious or benevolent purposes he sees fit. To use "su", simply enter the name of the member who's identity you would like to assume into the "su" box (in your personal statistics block), and click the "Su" button. A new window will open on the same page, but as the specified user. You can navigate around as this user, experiencing the site through his eyes (so to speak), as all the permissions are as they are for this normal user. This can easily and effectively be used to test out permissions changes to make sure they are as required.

Adding a new group for a non-OCF site

If you are not using OCF and decide to add a new user-group, then ocPortal will not have any permissions associated with it.
Fortunately ocPortal has a special feature for this situation: under the 'Security' section of the Admin Zone you will find an icon, Absorb usergroup-permissions, for it. You may use this feature to take the permissions of an existing user-group and copy them so that the new user-group has those same permissions.







Concepts

access permission
Whether members of a certain usergroup have permission to access somewhere (a zone, page, or category, for example); a member does not need all their user-groups to have access, only one
specific permission
Whether a certain usergroup has permission to do specific things (such as using high-level Comcode, or bypass the word-filter)
su
Named after the Unix command

See also