Permissions
Site-wide roles
| Role | Description |
|---|---|
| Anonymous | Site visitors before login |
| Authenticated | All users after login, almost no permissions |
| Host | not sure if we really need that |
| Manager | Has some extra permissions on the site |
| Content Manager | Can create event and session content types and configure them |
| DevOps | Only used by devops |
| Administrator | Not used by any user, only for emergency tasks by devops |
Group-level roles
| Role | Scope | Sync | Organisation | Event | Session | Description |
|---|---|---|---|---|---|---|
| Anonymous | Outsider | Anonymous | x | x | x | no permissions |
| Outsider | Outsider | Authenticated | x | x | x | no permissions |
| Member | Insider | Authenticated | x | x | x | no permissions |
| Observer | Individual | n/a | x | x | TBD | |
| Attendee / Delegate | Individual | n/a | x | x | TBD | |
| Moderator | Individual | n/a | x | x | TBD | |
| Speaker / Tutor | Individual | n/a | x | x | TBD | |
| Service Provider | Individual | n/a | x | x | TBD | |
| Host / Sponsor | Individual | n/a | x | x | x | TBD |
| Manager | Individual | n/a | x | x | x | TBD |
| DevOps | Outsider | DevOps | x | x | x | Should see everything |
| DevOps | Insider | DevOps | x | x | x | Should see everything |
| Administrator | Outsider | Administrator | x | x | x | Should see everything |
| Administrator | Insider | Administrator | x | x | x | Should see everything |
Scope
- Outsider roles are all users of the site that are not members of the group
- Insider roles are all members of the group
- Individual roles are assigned automatically
Sync
Insiders and outsiders get those group-related roles assigned depending on their site-wide roles.
Roles with the individual scope do not sync with any site-wide role; they get assigned to members individually.
Permissions
Setting and maintaining permissions is not difficult, but complex. For site-wide roles and permissions, we've developed the Roles permission builder. Instead of using the default config form for permissions, we build the mapping between roles and permissions in a YAML file like this one: https://gitlab.lakedrops.com/fedms/components/federation/-/blob/a9f0e9948aa5e8db0f8084f46bb3ee2bb98b29f7/config/roles_permissions.yml
This allows for a much simpler setup and also for a reliable rebuild of roles and permissions on existing sites.
With groups, that's different, as each group type has its own permission setup form with all those insider and outsider roles and also the long list of permissions on content and sub-groups.
My suggestion: let's enhance the Roles permission builder module to also support groups.
After that, we have to carefully define which role should get which permissions and collect them in that YAML file.