How Roles, Groups, Permissions Work under the Webtop

Introduction

In order to make a particular FarCry installation more manageable for many users, there is a built in role management system. One might wonder, however, what the different uses of roles vs. groups vs. permissions are. This little page hopes to explain the difference. It will do so through an example in setting up a user for an imaginary "Artist Gallery" tab. Just replace that tab with any other tab under the webtop.

For a great diagram describing the security model, as it was in FC4 (and is mostly valid for FC5), go here.

Overview

The user / role system in FarCry might seem complicated at first, but it is at least logical. There are many users, each of which can belong to any number of groups.

A group is an easier way of organizing an assembly of roles.

A role is an easy way of organizing permissions.

A permission gives a specific right to do something within FarCry, whether it is to view an object, view a webskin, edit an event, delete an object, etc.

There are several default groups, about the same amount of roles, and a lot of default permissions. You can change or delete as many of them as you wish, but beware of changing too much!

If you experience any problems due to changed default settings, which you can't resolve by set them back to default, then never copy new tables (the ones that are responsible for the groups, roles, permissions etc) over the current tables but setup a new database and copy the current content tables etc to the new database.

  • This action is only used as a last resort

Under the webtop

Under the webtop, a site or system admin has the permission to edit users, groups, roles and permissions. How this works is:

  • Users belong to groups
  • Groups only have titles
  • Roles are assigned to multiple groups and have multiple permissions
  • Permissions can be assigned to multiple roles

Setting up a User

Introduction

Say you have a FarCry installation that has an artist gallery (say, for an art gallery). Also assume that this is under its own tab in the webtop, and it resides right next to the content tab. Finally, assume you are logged in as a Site Admin or System Admin, and that you have only the default user directory.

Notes about the tutorial

This is not meant to be a catch-all. Just an introduction to roles and groups and how to make it all work. You can do the following steps in any order you wish, you might just end up editing something twice because a precursor isn't created yet.

Step 1: Create a Group

You want a group of users to be able to edit and approve that gallery. Ok, so first, create a group by going to the admin tab, and selecting groups under the User Directory section. On a default setup, you will already have some groups defined for you. Ignore these for now.

Click 'Add' to add a new group. You will see that you only have one string input to make: the name of the group. Type in "Artist Gallery Admin".

Step 2: Create the Permissions

Once the group is made, click on 'Admin' > 'Permissions' under the "Roles & Permissions" section. You should see many permissions already defined. Click on 'Add' and add a new permission.

For now, ignore everything but the 'Title' and 'Shortcut' sections.

  • Title is what you will see when picking out the permission later
  • Shortcut is what you need to setup the permissions via the webtop xml files.
    For 'Title' then, type in "Artist Gallery Tab", and "artistGalleryTab" for the shortcut.

Now, stop ignoring the other things. The other important aspect for now is the Roles input. This is a list where you can select multiple roles for this permission to attach to. Since the "SiteAdmin" and "SysAdmin" roles are already defined,

Step 3: Setup the Webtop

Once the permission is created, go and edit your xml file that corresponds to the "Artist Gallery" tab. There, add permission="artistGalleryTab" to the <section> declaration of the xml file. (Note: the permissions declaration can have a comma separated list as well)

Next, go to the admin tab of the webtop, click on "Developer Tools" > "Reload Application". Reload the Webtop and the Security model.

Step 4: Create the Role

Here everything comes together. Create a new role by going to "Roles" under the admin tab. On the first page, you will see a place for a title, add "Artist Gallery Admin" as the title. You will also see a list of groups that you can attach the role to. Ctrl-Click to add your "Artist Gallery Admin" group, as well as the "SiteAdmin" and "SysAdmin" groups for good measure. Go on to the next page.

Here you will see the library option for the permissions. Open the library and find your newly created permission "Artist Gallery Tab". Make sure it is selected and close the library.

Save the role.

Step 5: Create the User

Go to the users portion of the admin tab and add a new user. Select the "Artist Gallery Admin" group and save the user after defining the name, userid, and password.

Congratulations, you have a user with permission to view everything under the "Artist Gallery" tab. For any types that you have defined under there, the generic edit, approve, delete permissions will take over unless you have defined your own using the scaffold system.