Understanding Roles and Permissions
To give users the necessary permissions to perform their intended function within Liferay DXP, you must first associate the set of permissions with a role.
Roles and Scope
Using a Message Boards Admin role and a user Jane Slaughter as an example, here are the steps you might follow:
- Determine the function needed: Manage Message Boards in Liferay DXP.
- Determine the scope: Throughout the Virtual Instance (globally).
- Create the properly scoped role, assigning the permissions that power the function: Message Boards Admin (Regular Role).
- Create the user collection: a User Group called Message Boards Administrators.
- Assign the role to the user collection: Message Boards Administrators → Message Boards Admin Role.
- Assign users to the user collection: Jane Slaughter → Message Boards Administrators.
The conceptual diagram below shows how the user inherits the necessary permissions in Liferay’s roles and permissions system. Only one fully-wired role assignment appears here (for the user who becomes a Message Boards Administrator), but you can see how drawing new arrows would link the user with permissions via other user collections and role assignments.
Roles have scope, so they apply at different levels.
| Permission Scope | Role Type | Where is it assigned to users? | Available Assignments |
|---|---|---|---|
| Throughout the Virtual Instance (global) | Regular | Control Panel → Users → Roles (Click on the Role) → Assignees | User groups Organizations Sites Segments Individual users |
| A single organization | Organization | Control Panel → Users → Users and Organizations → Organizations (Organization actions menu) | Individual users |
| A single Site | Site | Site Administration → People → Memberships | User groups Organizations Segments Individual site members |
| A single Asset Library | Asset Library | Site/Library Administration of Asset Library → People → Memberships | Organizations User groups Individual users |
Individual users can be manually assigned to roles. This method is less efficient than using collections of users. Users can also be automatically assigned to roles of all scopes through a virtual instance setting called Default User Associations.
Regular Roles
Instance-scoped roles are called regular roles. These roles grant permissions globally, or throughout the virtual instance.
Several user collections can be assigned to regular roles:
- Organizations hold users of a shared hierarchical level.
- User Groups hold users performing the same function.
- Sites hold users (as site members) that may perform a certain action.
- Segments hold users of a site that match certain conditions.
Organization Roles
Organization-scoped roles are called organization roles. Permissions for organization roles are defined at the global level and are applied to one specific organization. users are added to organizations individually and are assigned to organization roles individually.
Site Roles
Site scoped roles are called site roles. Permissions for site roles are defined at the global level and are applied to one specific site. You can use individual users, organizations, and user groups to control site membership. Site roles, however, can only be assigned to individual users and user groups.
Permissions
Permissions are created by developers of applications. They define actions users can perform or what functions users are allowed to perform on a particular asset.
Application Scoped Permissions
Permissions can be granted on each widget instance that’s placed on a page in Liferay DXP, and each administrative application in the Site Menu → Content and Data section. See Widget Permissions for details.
Asset Scoped Permissions
Asset-level permissions (for instance, permission to edit an individual blog post, or view a folder in the Documents and Media library) are managed from the individual asset, not the Control Panel. See Widget Permissions for details.