An introduction to rights management
More than 100 permissions control user access to all wiki functions and extensions.
Depending on the actions a user needs to take, many of these permissions are related and consequently need to be granted together to a certain type of user. A user with read access, for example, also needs to be able to change their user profile and add pages to a watch list. For this reason, BlueSpice uses roles and groups to manage the rights of individual users.
The following entities are part of the rights management system:
- Permission: Allows a specific action.
- Role: A set of permissions (permissions can only be set by selecting roles).
- User: Entity in the wiki instance database. Has a unique user name and user id.
- User group: A collection of users. A user is assigned to one or more groups. There are system-internal groups (cannot be removed or renamed) and custom groups. In many cases the group name consists of the role and a namespace name.
- Namespace: Permissions are set on the namespace level, not per page.
Use case: Managing department information
Anna (HR Manager) and Phil (HR Specialist) are maintaining all content related to the Human Resources department on the company wiki.
Some content is visible to all employees. Other content has to be restricted and only be visible to upper management and to Lea, the company's legal advisor.
After reviewing the content and access requirements, the company decides to create HR content in two namespaces: All unrestricted content goes in the Main namespace of the wiki. Sensitive information is maintained in a custom namespace called "HR".
To reflect these specific HR requirements, the wiki administrator needs to complete the following steps:
- Create the namespace (HR:) on the page
- Create the necessary groups on the page
  - HR_visitor: Users in this group have only view permissions in the (HR:) namespace.
  - HR_editor: Users in this group can create and edit pages in the (HR:) namespace.
  - HR_reviewer: Users in this group can, additionally, approve documents. For this to work, the function "FlaggedRevs" is activated for the namespace.
  These groups are initially "empty".
- Assign roles to each group on the page Special:PermissionManager. After this, each group has a specific set of permissions:
  - The group HR_visitor: The administrator selects the group "HR_visitor" and checks the role "reader" only in the HR namespace. Since the reader role in the HR namespace is now assigned to the group "HR_visitor", all other groups no longer have any view permissions for this namespace.
  - The group HR_editor: The administrator selects the role "editor" only in the namespace HR. Since the editor role does not inherit all permissions from the reader role, the administrator also has to check the reader role in addition.
  - The group HR_reviewer: The administrator selects the role "reviewer" only for the namespace HR. Since the reader and editor roles in this namespace have already been reserved for the groups HR_visitor and HR_editor, the editor and reader roles have to be granted to HR_reviewer as well.
- Add users to the correct user groups: Since Anna needs to be able to edit and approve the documents both in the HR and in the Main namespace, she has to be added to both the "HR_reviewer" and the standard "reviewer" groups:
The administrator also adds the other affected users to the correct groups. The result is the following permissions configuration:
|user||is in groups||roles in namespace HR||roles in namespace Main||description|
|Anna (HR manager)||HR_reviewer, reviewer||reviewer||reviewer||Anna can now read, edit and approve pages in both the HR and the Main namespaces.|
|Phil (HR specialist)||HR_editor, editor||editor||editor||Phil can now read and edit pages in both the HR and the Main namespaces.|
|Edith||HR_visitor, editor||reader||editor||Edith can now read pages in the HR namespace and edit pages in the Main namespace.|
|Lea (Legal advisor)||HR_visitor||reader||-||Lea can only read pages in the HR namespace.|
|All employees||reader||-||reader||All employees can read pages in the Main namespace. They cannot read the pages in the HR namespace.|
In addition, the administrator should ensure that Anna is not the only person who can approve content. Otherwise, there would be a problem when Anna is on vacation or has no time to review page edits.
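The following Python model, added here as an illustration and not BlueSpice code, shows how the chain permission -> role -> group -> user resolves per namespace in the use case above. The role contents, the standard group names "reader", "editor" and "reviewer", the user memberships and the extra employee "Bob" are constructed assumptions. It also checks the two pitfalls the page describes: a group that was given the editor or reviewer role without the reader role, and a namespace with only one approver.

```python
"""Toy model of the BlueSpice-style rights chain
permission -> role -> group -> user, with roles granted per namespace.
Constructed example: role contents, group names and users are assumptions
made for illustration, not BlueSpice's real role definitions."""

# A role is a named set of permissions. Only a handful of the >100
# permissions are modelled here (constructed subset).
ROLES = {
    "reader": {"read"},
    "editor": {"edit", "createpage"},  # deliberately no "read": editor does not inherit reader
    "reviewer": {"review"},            # approval of flagged revisions
}

# namespace -> role -> groups that hold the role in that namespace.
# Granting a role to a group in a namespace is exclusive: groups not listed
# for the role have none of its permissions there.
NS_ROLES = {
    "Main": {"reader": {"reader"}, "editor": {"editor"}, "reviewer": {"reviewer"}},
    "HR": {
        "reader": {"HR_visitor", "HR_editor", "HR_reviewer"},
        "editor": {"HR_editor", "HR_reviewer"},
        "reviewer": {"HR_reviewer"},
    },
}

# What the HR namespace looks like if the administrator checks only one
# role per group and forgets that editor/reviewer do not inherit reader.
MISCONFIGURED_HR = {
    "reader": {"HR_visitor"},
    "editor": {"HR_editor"},
    "reviewer": {"HR_reviewer"},
}

# Constructed user memberships. Employees are in the standard "reader"
# group (the "All employees" row); Lea, the external legal advisor, is not.
USER_GROUPS = {
    "Anna": {"reader", "editor", "reviewer", "HR_reviewer"},
    "Phil": {"reader", "editor", "HR_editor"},
    "Edith": {"reader", "editor", "HR_visitor"},
    "Lea": {"HR_visitor"},
    "Bob": {"reader"},  # an ordinary employee, constructed
}


def group_permissions(group, ns, ns_roles=NS_ROLES):
    """Permissions a single group holds in a namespace."""
    perms = set()
    for role, groups in ns_roles[ns].items():
        if group in groups:
            perms |= ROLES[role]
    return perms


def effective_permissions(user, ns, ns_roles=NS_ROLES):
    """Union of the permissions of all groups the user belongs to, in ns."""
    perms = set()
    for group in USER_GROUPS[user]:
        perms |= group_permissions(group, ns, ns_roles)
    return perms


def can(user, ns, permission, ns_roles=NS_ROLES):
    return permission in effective_permissions(user, ns, ns_roles)


def write_without_read(ns, ns_roles=NS_ROLES):
    """Groups that can edit or review in ns but cannot read it: the
    'editor does not inherit reader' pitfall. Returns a sorted list."""
    groups = set().union(*ns_roles[ns].values())
    return sorted(
        g for g in groups
        if not {"edit", "review"}.isdisjoint(group_permissions(g, ns, ns_roles))
        and "read" not in group_permissions(g, ns, ns_roles)
    )


def approvers(ns, ns_roles=NS_ROLES):
    """Users who can approve content in ns."""
    return sorted(u for u in USER_GROUPS if can(u, ns, "review", ns_roles))


def single_approver(ns, ns_roles=NS_ROLES):
    """True when fewer than two users can approve in ns (the vacation problem)."""
    return len(approvers(ns, ns_roles)) < 2


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, "HR:", sorted(effective_permissions(user, "HR")),
              "Main:", sorted(effective_permissions(user, "Main")))
    print("write-but-no-read groups in HR (correct config):", write_without_read("HR"))
    print("same check, misconfigured HR:", write_without_read("HR", {"HR": MISCONFIGURED_HR}))
    print("HR approvers:", approvers("HR"), "single point of failure:", single_approver("HR"))
```

Running the script prints one line per user with the effective permissions in each namespace; Bob and Lea end up with no permissions in HR and Main respectively because the reader role in each namespace is tied to a specific group. With the correct HR configuration `write_without_read("HR")` is empty, while the misconfigured variant flags HR_editor and HR_reviewer, and `single_approver("HR")` is true because only Anna holds the reviewer role there.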
- Extension: BlueSpiceNamespaceManager
- Extension: BlueSpicePermissionManager
- Extension: BlueSpiceGroupManager