Defining and Assigning Roles to Clarity’s Users

Liferay employs a role-based access control (RBAC) model to manage user permissions. Roles and permissions are fundamental to Liferay’s security architecture. Roles are collections of permissions granted to users or groups. Permissions are granular checks that determine how a user can interact with Liferay’s applications and resources. This article guides you through creating roles, defining their permissions, and assigning these roles to Clarity’s users.

Exercise: Creating and Assigning User Roles

Each Clarity persona belongs to different teams with different responsibilities. You can use Liferay roles to model this structure. A role is a list of permissions that empower users to perform specific actions within the Liferay instance.

While Clarity can leverage many of Liferay’s out-of-the-box roles, they also want these custom roles:

Type	Title	Description
Regular	Content Manager	Clarity role for those managing content on Liferay.
Regular	IT Manager	Clarity role for a manager within the IT department.
Regular	Web Developer	Clarity role for a front end developer within the IT Department.
Regular	Marketing Coordinator	Clarity role for an individual contributor from the marketing team.
Site	Site Content Contributor	Site based role for those contributing to the Clarity site.

The training workspace includes all of these roles except for Marketing Coordinator. Here you’ll create and assign the Marketing Coordinator role as the Clarity Admin user.

To begin,

1. Open the Global Menu (), go to the Control Panel tab, and click Roles.

2. Click New.

3. Enter these details for the role:

   Field	Value
   Type	Regular
   Title	Marketing Coordinator
   Description	Clarity role for an individual contributor from the marketing team.
   Key	Marketing Coordinator

   

4. Click Save.

   This creates the role, so you can add permissions and assign it to users. Since this role should apply to all marketing team members, you can assign it to the Marketing user group.

5. Go to the Assignees tab and click User Groups

   

6. Click New.

7. Select Marketing.

   

8. Click Add.

Great! You’ve created and assigned a role to Clarity’s marketing users. However, the role doesn’t have any permissions yet. Next, you’ll add permissions to the role. This enables anyone with the role to fulfill their responsibilities in the Clarity website.

Exercise: Defining Role Permissions

Permissions grant the ability to access data and perform specific actions in a Liferay instance. Now that you’ve created the Marketing Coordinator role, you’ll start adding specific permissions associated with the role as the Clarity Admin user.

Throughout this process, you’ll impersonate Christian Carter to see the practical effect of granting the Marketing Coordinator role additional permissions.

To do this,

1. Open the Global Menu (), go to the Control Panel tab, and click Users and Organizations.

2. Click Actions () for Christian Carter and select Impersonate User.

   

   This opens a new tab where you can view the Liferay instance using Christian Carter’s permissions.

   Notice how he doesn’t have access to any of the applications or resources he needs as a marketing coordinator.

   

   Clarity needs all Marketing Coordinators to have access to assets in the team’s asset library.

3. Return to the Clarity Admin tab, go to the Roles application, and click the Marketing Coordinator role to begin editing it.

4. Go to the Define Permissions tab.

5. In the left menu, go to Applications Menu → Content → Asset Libraries.

   Tip: Enter “Asset Libraries” into the search bar to quickly locate this section.

   

6. Select these permissions:

   Section	Permission
   Application Permissions	Access in Control Panel
   Application Permissions	View
   Resource Permissions > Asset Library Entry	View Site and Asset Library Administration Menu

7. Click Save.

   This updates the Marketing Coordinator role’s permissions.

   Note: Liferay automatically assigns the Portal: View Control Panel Menu permission when you grant the Access in Control Panel permission.

8. Refresh the tab where you’re impersonating Christian Carter.

   Now he can access the Asset Libraries application in the Global Menu ().

   

9. Go to the Asset Libraries application.

   Although Christian Carter can access the application, he cannot view or access any libraries included in the bootcamp workspace:

   • Error Pages
   • HR
   • Leadership
   • Legal
   • Marketing Assets
   • Product Images

   Since Christian Carter and other marketing team members need access to the Marketing Assets library, let’s grant grant them membership using the Marketing user group.

10. Return to the Clarity Admin tab.

11. In the Global Menu, go to Asset Libraries and click Marketing Assets.

12. Click Memberships and go to the User Groups tab.

13. Click New.

14. Select Marketing and click Done.

    

15. Refresh the tab where you’re impersonating Christian Carter.

    Now he can access the Marketing Assets library, but he still cannot access the library’s applications or data.

    To solve this, let’s assign the default Asset Library Administrator role to the Marketing user group.

16. Return to the Clarity Admin tab.

17. Click Actions () for the Marketing user group and select Assign Roles.

    

    Here you can select from available asset library roles. These roles grant permissions for individual libraries.

18. Select the Asset Library Administrator role and click Done.

19. Refresh the tab where you’re impersonating Christian Carter.

    Now he can access the library’s applications.

    

    Although Christian Carter can access the library’s applications, he doesn’t have the application permissions necessary for fulfilling his responsibilities (e.g., uploading documents, editing articles).

    Let’s add these permissions to the Marketing Coordinator role.

20. Return to the Clarity Admin tab, go to the Roles application, and click the Marketing Coordinator role to begin editing it.

21. Go to the Define Permissions tab.

22. In the left menu, go to Site and Asset Library Administration → Content & Data → Documents and Media.

    Note: If you search “Documents and Media,” two options appear with the same name. Select the option under Content & Data.

23. Select these permissions:

    Section	Permission
    General Permissions	Access in Site and Asset Library Administration
    General Permissions	View
    Resource Permissions > Documents	Add Document
    Resource Permissions > Documents	Add Folder
    Resource Permissions > Documents	Update
    Resource Permissions > Documents	View
    Resource Permissions > Documents Folder	View

24. Click Save.

25. In the left menu, go to Site and Asset Library Administration → Content & Data → Web Content.

    Note: If you search “Web Content,” two options appear with the same name. Select the option under Content & Data.

26. Select these permissions:

    Section	Permission
    General Permissions	Access in Site and Asset Library Administration
    General Permissions	View
    Resource Permissions > Web Content	Add Folder
    Resource Permissions > Web Content	Add Structure
    Resource Permissions > Web Content	Add Template
    Resource Permissions > Web Content	Add Web Content
    Resource Permissions > Web Content	Update
    Resource Permissions > Web Content	View
    Resource Permissions > Web Content Article	Update
    Resource Permissions > Web Content Structure	View
    Resource Permissions > Web Content Template	View

27. Click Save.

28. In the left menu, go to Site and Asset Library Administration → Categorization → Categories.

29. Select these permissions:

    Section	Permission
    Resource Permissions > Asset Categories	Add Category
    Resource Permissions > Asset Categories	Add Vocabulary

30. Refresh the tab where you’re impersonating Christian Carter.

    He can now perform all content actions necessary for his responsibilities (e.g., create and edit web content). Next, marketing coordinators need the ability to update site pages.

31. Return to the Clarity Admin tab.

32. In the left menu, go to Site and Asset Library Administration → Site Builder → Pages.

    

33. Select this permission.

    Section	Permission
    Resource Permissions > Page	Update

34. Click Save.

35. Refresh the tab where you’re impersonating Christian Carter.

    Notice that he can now access edit tools for site pages.

    

Well done! Now all members of the Marketing user group have the correct base permissions. By assigning additional roles, Clarity can ensure they have access to the applications and data they need.

Next, you can opt to learn more about roles and user permissions by creating a manager role. Otherwise, you can move to Lesson 4 and explore how to create and configure sites.

Exercise: Fine Tuning Manager Permissions (Bonus)

So far you’ve been using the Clarity Admin user to make changes. This user is the omni-administator and has all Liferay permissions. In real world scenarios, companies should strictly guard access to this user and greatly restrict which users have full admin privileges. Companies like Clarity should set up manager roles that only have the permissions necessary for their responsibilities.

Here you’ll set up a management group that has authority to configure permissions for their team members, without granting them full admin privileges as the Clarity Admin user.

To do this,

1. Go to the User Groups application in the Global Menu.

2. Create a Marketing Managers user group.

3. Add Clara Murphy to the group.

4. Go to the Roles application in the Global Menu.

5. Create a Marketing Manager role.

6. While editing the Marketing Manager role, go to the Define Permissions tab.

7. In the left menu, go to Control Panel → Users → User Groups.

8. Select this permission:

   Section	Permission
   Application Permissions	Access in Control Panel

9. Click Save.

10. In the left menu, go to Control Panel → Users → Users and Organizations.

11. Select this permission:

    Section	Permission
    Resource > User	View

12. Click Save.

13. Go to the Assignees tab and assign this role to the Marketing Managers user group.

    These permissions grant the ability to view the User Groups application and view users. Next, you’ll give the Marketing Manager role permission to view and add members for the Marketing user group.

14. Go to the User Groups application in the Global Menu.

15. Click Actions () for the Marketing user group and select Permissions.

    

16. For the Marketing Manager role, select these permissions and click Save:

    Role	Permission
    Marketing Manager	Assign Members
    Marketing Manager	View Members
    Marketing Manager	View

    

17. Go to the Users and Organizations application in the Global Menu.

18. Impersonate Clara Murphy to verify the Marketing Manager role permissions.

    Clara should see the Marketing user group. She should also be able to view members of the user group and add new members to the group.

    

    Note: This is just an example of the types of permissions you can assign to manager roles.

Conclusion

Congratulation! You’ve completed Module 4: Security and Identity Management. Throughout this module, you’ve learned best practices for authenticating and authorizing users in Liferay DXP. You also finished setting up Clarity’s users, user groups, and roles for their public enterprise website.

In the next module, you’ll learn about building sites with Liferay.

Next Up: Module 5: Site Building

Additional Resources

See official documentation to learn more about managing roles and permissions:

• Understanding Roles and Permissions
• Creating and Managing User Groups