Understanding Roles and Permissions
To get things done in Liferay DXP, Users must have the proper permissions. Roles join Users with permissions. Most administrative work for Roles and permissions is done in Control Panel → Users → Roles.
To skip straight to creating Roles and assigning Users, see
Site Teams have a dedicated permissions management User Interface.
Roles and Scope
To give Users the permissions they need to perform their intended function within Liferay DXP, you must first associate the set of permissions with a Role.
Using a Message Boards Admin Role and a User Jane Slaughter as an example, here are the steps you might follow:
- Determine the function needed: Manage Message Boards in Liferay DXP.
- Determine the scope: Throughout the Virtual Instance (globally).
- Create the properly scoped Role, assigning the permissions that power the function: Message Boards Admin (Regular Role).
- Create the User collection: a User Group called Message Boards Administrators.
- Assign the Role to the User Collection: Message Boards Administrators → Message Boards Admin Role.
- Assign Users to the User Collection: Jane Slaughter → Message Boards Administrators.
The conceptual diagram below shows how the User inherits the necessary permissions in Liferay DXP’s Roles and Permissions system. Only one fully-wired Role assignment is displayed here (for the User who becomes a Message Boards Administrator), but you can see how drawing new arrows would link the User with permissions via other User collections and Role assignments.
Roles have scope, so they apply at different levels.
| Permission Scope | Role Type | Where is it assigned to Users? | Available Assignments |
| --- | --- | --- | --- |
| Throughout the Virtual Instance (global) | Regular | Control Panel → Users → Roles (Click on the Role) → Assignees | User Groups |
| A single Organization | Organization | Control Panel → Users → Users and Organizations → Organizations (Organization actions menu) | Individual Users |
| A single Site | Site | Site Administration → People → Memberships | User Groups, Individual Site Members |
| A single Asset Library | Asset Library | Site/Library Administration of Asset Library → People → Memberships | Organizations |
Individual Users can be manually assigned to Roles. This method is less efficient than using collections of Users. Users can also be automatically assigned to Roles of all scopes through a Virtual Instance Setting called Default User Associations.
Instance scoped Roles are called Regular Roles. These Roles grant permissions globally, or throughout the Virtual Instance.
Several User collections can be assigned to Regular Roles:
- Organizations hold Users of a shared hierarchical level.
- User Groups hold Users that only share the need to perform the same function.
- Sites hold Users (as Site Members) that might need to perform a certain action.
- Segments hold Users of a Site that match certain conditions.
Organization scoped Roles are called Organization Roles. Permissions for Organization Roles are defined at the global level and are applied to one specific Organization. Users are added to Organizations individually and are assigned to Organization Roles individually.
Site scoped Roles are called Site Roles. Permissions for Site Roles are defined at the global level and are applied to one specific Site. Individual Users, Organizations, and User Groups can be used both to control Site Membership and assign Site Roles.
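The inheritance chain and the scoping rules described above can be modelled in a few lines for access reviews. This is an added example, not Liferay code or a Liferay API: the data model, the permission names, the "Blog Editor" Role and the "Marketing" Site are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    role_type: str          # "regular", "organization" or "site"
    permissions: frozenset  # permission names below are illustrative placeholders

# Constructed sample data following the page's Message Boards example.
MB_ADMIN = Role("Message Boards Admin", "regular",
                frozenset({"MB_ADD_CATEGORY", "MB_DELETE_MESSAGE"}))
SITE_EDITOR = Role("Blog Editor", "site", frozenset({"BLOGS_UPDATE_ENTRY"}))

USER_GROUPS = {"Message Boards Administrators": {"Jane Slaughter"}}

# (role, assignee kind, assignee name, scope target); target is None for Regular Roles.
GRANTS = [
    (MB_ADMIN, "user_group", "Message Boards Administrators", None),
    (SITE_EDITOR, "user", "Jane Slaughter", ("site", "Marketing")),
]

def effective_permissions(user, context=None):
    """Map each permission `user` holds in `context` to the paths that grant it.

    `context` is None (instance-wide) or a tuple such as ("site", "Marketing").
    """
    found = {}
    for role, kind, assignee, target in GRANTS:
        if kind == "user" and assignee == user:
            via = "direct assignment"
        elif kind == "user_group" and user in USER_GROUPS.get(assignee, set()):
            via = f"User Group '{assignee}'"
        else:
            continue
        # Regular Roles apply everywhere; scoped Roles only inside their target.
        if role.role_type != "regular" and target != context:
            continue
        for perm in sorted(role.permissions):
            found.setdefault(perm, []).append(f"{via} -> {role.name}")
    return found

if __name__ == "__main__":
    for ctx in (None, ("site", "Marketing")):
        print(ctx, effective_permissions("Jane Slaughter", ctx))
```

Recording the granting path next to each permission is what makes the output useful in a review: it shows whether access comes from a User collection or from a one-off individual assignment.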
Permissions are created by developers of applications. They define actions Users can perform or how much access a User has to a particular asset.
Application Scoped Permissions
Permissions can be granted on each widget instance that’s placed on a page in Liferay DXP, and each administrative application in the Site Menu → Content and Data section. See Widget Permissions for details.
Asset Scoped Permissions
Asset-level permissions (for instance, permission to edit an individual blog post, or view a folder in the Documents and Media library) are managed from the individual asset, not the Control Panel. See Widget Permissions for details.