Understanding Roles and Permissions
To get things done in Liferay DXP, Users must have the proper permissions. Roles join Users with permissions. Most administrative work for Roles and permissions is done in Control Panel → Users → Roles.
To skip straight to creating Roles and assigning Users, see
Site Teams have a dedicated permissions management User Interface.
Roles and Scope
To give Users the permissions they need to perform their intended function within Liferay DXP, you must first associate the set of permissions with a Role.
Using a Message Boards Admin Role and a User Jane Slaughter as an example, here are the steps you might follow:
1. Determine the function needed: Manage Message Boards in Liferay DXP.
2. Determine the scope: Throughout the Virtual Instance (globally).
3. Create the properly scoped Role, assigning the permissions that power the function: Message Boards Admin (Regular Role).
4. Create the User collection: a User Group called Message Boards Administrators.
5. Assign the Role to the User Collection: Message Boards Administrators → Message Boards Admin Role.
6. Assign Users to the User Collection: Jane Slaughter → Message Boards Administrators.
The conceptual diagram below shows how the User inherits the necessary permissions in Liferay DXP’s Roles and Permissions system. Only one fully-wired Role assignment is displayed here (for the User who becomes a Message Boards Administrator), but you can see how drawing new arrows would link the User with permissions via other User collections and Role assignments.
Roles have scope, so they apply at different levels.
| Permission Scope | Role Type | Where is it assigned to Users? | Available Assignments |
| --- | --- | --- | --- |
| Throughout the Virtual Instance (global) | Regular | Control Panel → Users → Roles (Click on the Role) → Assignees | User Groups |
| A single Organization | Organization | Control Panel → Users → Users and Organizations → Organizations (Organization actions menu) | Individual Users |
| A single Site | Site | Site Administration → People → Memberships | User Groups, Individual Site Members |
| A single Account | Account | Control Panel → Accounts → Accounts (Select Account) → Roles | Individual Account Members |
| A single Asset Library | Asset Library | Site/Library Administration of Asset Library → People → Memberships | Organizations |
Individual Users can be manually assigned to Roles. This method is less efficient than using collections of Users. Users can also be automatically assigned to Roles of all scopes through a Virtual Instance Setting called Default User Associations.
Instance-scoped Roles are called Regular Roles. These Roles grant permissions globally, that is, throughout the Virtual Instance.
Several User collections can be assigned to Regular Roles:
Organization-scoped Roles are called Organization Roles. Permissions for Organization Roles are defined at the global level and are applied to one specific Organization. Users are added to Organizations individually and are assigned to Organization Roles individually.
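The inheritance chain and scoping described above, modelled as an added Python example for an access review (it is not Liferay code and does not use the Liferay API). The permission strings, the Org Content Reviewer Role, the Sales Organization and the user Sam Ortiz are constructed for illustration.

```python
"""Resolve a User's effective permissions through User Groups and scoped Roles."""

# Constructed sample data; permission strings and extra names are illustrative only.
ROLES = {
    "Message Boards Admin": ("regular", {"message_boards.manage"}),
    "Org Content Reviewer": ("organization", {"content.review"}),
}
GROUP_MEMBERS = {"Message Boards Administrators": {"Jane Slaughter"}}
GROUP_ROLES = {"Message Boards Administrators": {"Message Boards Admin"}}
DIRECT_ROLES = {"Sam Ortiz": {"Message Boards Admin"}}  # assigned individually
ORG_ROLES = {("Jane Slaughter", "Sales"): {"Org Content Reviewer"}}


def role_grants(user, organization=None):
    """Return (role, path) pairs for every Role that applies in this context."""
    grants = []
    # Regular Roles inherited through a User collection (here: User Groups).
    for group, members in GROUP_MEMBERS.items():
        if user in members:
            for role in sorted(GROUP_ROLES.get(group, ())):
                grants.append((role, f"{user} -> {group} -> {role}"))
    # Regular Roles assigned to the individual User.
    for role in sorted(DIRECT_ROLES.get(user, ())):
        grants.append((role, f"{user} -> {role} (direct)"))
    # Organization Roles apply only inside the one Organization they were assigned in.
    for role in sorted(ORG_ROLES.get((user, organization), ())):
        grants.append((role, f"{user} -> {role} @ {organization}"))
    return grants


def effective_permissions(user, organization=None):
    """Map each permission to the assignment paths that grant it."""
    result = {}
    for role, path in role_grants(user, organization):
        _role_type, permissions = ROLES[role]
        for permission in sorted(permissions):
            result.setdefault(permission, []).append(path)
    return result


def direct_regular_assignments():
    """List (user, role) pairs where a Regular Role bypasses User collections."""
    return sorted((user, role) for user, roles in DIRECT_ROLES.items()
                  for role in roles if ROLES[role][0] == "regular")
```

Recording the path for each permission lets a reviewer see which User Group or individual assignment would have to change to revoke it.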
Permissions are created by developers of applications. They define actions Users can perform or how much access a User has to a particular asset.
Application Scoped Permissions
Permissions can be granted on each widget instance that’s placed on a page in Liferay DXP, and each administrative application in the Site Menu → Content and Data section. See Widget Permissions for details.