Submit Feedback

Creating and Assigning Roles to Clarity’s Users

Liferay employs a role-based access control (RBAC) model to manage user permissions. Roles and permissions are fundamental to Liferay’s security architecture. Roles are collections of permissions granted to users or groups. Permissions are granular checks that determine how a user can interact with Liferay’s applications and resources. This article guides you through creating roles, defining their permissions, and assigning these roles to Clarity’s users.

Exercise: Creating and Assigning User Roles

Each Clarity persona belongs to different teams with different responsibilities. You can use Liferay roles to model this structure. A role is a list of permissions that empower users to perform specific actions within the Liferay instance.

While Clarity can leverage many of Liferay’s out-of-the-box roles, they also want these custom roles:

TypeTitleDescription
RegularContent ManagerClarity role for those managing content on Liferay.
RegularIT ManagerClarity role for a manager within the IT department.
RegularWeb DeveloperClarity role for a front end developer within the IT Department.
RegularMarketing CoordinatorClarity role for an individual contributor from the marketing team.
SiteSite Content ContributorSite based role for those contributing to the Clarity site.

The training workspace includes all of these roles except for Marketing Coordinator. Here you’ll create and assign the Marketing Coordinator role as the Clarity Admin user.

To begin,

  1. Open the Global Menu (Global Menu), go to the Control Panel tab, and click Roles.

  2. Click New.

  3. Enter these details for the role:

    FieldValue
    TypeRegular
    TitleMarketing Coordinator
    DescriptionClarity role for an individual contributor from the marketing team.
    KeyMarketing Coordinator

    Create the Marketing Coordinator role.

  4. Click Save.

    This creates the role, so you can add permissions and assign it to users. Since this role should apply to all marketing team members, you can assign it to the Marketing user group.

  5. Go to the Assignees tab and click User Groups

    Go to the User Groups tab under Assignees.

  6. Click New.

  7. Select Marketing.

    Select the Marketing user group.

  8. Click Add.

Great! You’ve created and assigned a role to Clarity’s marketing users. However, the role doesn’t have any permissions yet. Next, you’ll add permissions to the role. This enables anyone with the role to fulfill their responsibilities in the Clarity website.

Exercise: Defining Role Permissions

Permissions grant the ability to access data and perform specific actions in a Liferay instance. Now that you’ve created the Marketing Coordinator role, you’ll start adding specific permissions associated with the role as the Clarity Admin user.

Throughout this process, you’ll impersonate Christian Carter to see the practical effect of granting the Marketing Coordinator role additional permissions.

To do this,

  1. Open the Global Menu (Global Menu), go to the Control Panel tab, and click Users and Organizations.

  2. Click Actions (Actions Button) for Christian Carter and select Impersonate User.

    Impersonate Christian Carter.

    This opens a new tab where you can view the Liferay instance using Christian Carter’s permissions.

    Notice how he doesn’t have access to any of the applications or resources he needs as a marketing coordinator.

    Christian Carter doesn't have access to any of the applications or resources he needs as a marketing coordinator.

    Clarity needs all Marketing Coordinators to have access to assets in the team’s asset library.

  3. Return to the Clarity Admin tab, go to the Roles application and click the Marketing Coordinator role to begin editing as the Clarity Admin user.

  4. Go to the Define Permissions tab.

  5. In the left menu, go to Applications MenuContentAsset Libraries.

    Tip: Enter “Asset Libraries” into the search bar to quickly locate this section.

    Assign Asset Library permissions to the Marketing Coordinator role.

  6. Select these permissions:

    SectionPermission
    Application PermissionsAccess in Control Panel
    Application PermissionsView
    Resource Permissions > Asset Library EntryView Site and Asset Library Administration Menu

  7. Click Save.

    This updates the Marketing Coordinator role’s permissions.

    Note: Liferay automatically assigns the Portal: View Control Panel Menu permission when you grant the Access in Control Panel permission.

  8. Refresh the tab where you’re impersonating Christian Carter.

    Notice that he can now access the Asset Libraries application in the Global Menu.

    Christian Carter can now access the Asset Libraries application in the Global Menu.

    Marketing Coordinators also need to access files in the Documents and Media application.

  9. Return to the Clarity Admin tab.

  10. In the left menu, go to Site and Asset Library AdministrationContent & DataDocuments and Media.

    Note: If you search “Documents and Media” two options appear with the same name. Select the option under Content & Data.

    Assign Documents and Media permissions to the Marketing Coordinator role.

  11. Select these permissions:

    SectionPermission
    General PermissionsAccess in Site and Asset Library Administration
    General PermissionsView
    Resource Permissions > DocumentsView
    Resource Permissions > Documents FolderView

  12. Click Save.

  13. Refresh the tab where you’re impersonating Christian Carter.

    Notice that he can now access the Documents and Media application in the Site Menu.

    Christian Carter can now access the Documents and Media application in the Site Menu.

    Marketing Coordinators also need the ability to update pages.

  14. Return to the Clarity Admin tab.

  15. In the left menu, go to Site and Asset Library AdministrationSite BuilderPages.

    Assign Page permissions to the Marketing Coordinator role.

  16. Select this permission.

    SectionPermission
    Resource Permissions > PageUpdate

  17. Click Save.

  18. Refresh the tab where you’re impersonating Christian Carter.

    Notice that he can now access edit tools for site pages.

    Christian Carter can now access edit tools for site pages.

Well done! Now all members of the Marketing user group have the correct base permissions. Clarity can assign additional roles to individual users or user groups to grant the ability to access more data or perform other actions.

Next, you can opt to learn more about roles and user permissions by creating a manager role. Otherwise, you can move to Lesson 4 and explore how to create and configure sites.

Exercise: Fine Tuning Manager Permissions (Bonus)

So far you’ve been using the Clarity Admin user to make changes. This user is the omni-administator and has all Liferay permissions. In real world scenarios, companies should strictly guard access to this user and greatly restrict which users have full admin privileges. Companies like Clarity should set up manager roles that only have the permissions necessary for their responsibilities.

Here you’ll set up a management group that has authority to configure permissions for their team members, without granting them full admin privileges as the Clarity Admin user.

To do this,

  1. Go to the User Groups application in the Global Menu.

  2. Create a Marketing Managers user group.

  3. Add Clara Murphy to the group.

  4. Go to the Roles application in the Global Menu.

  5. Create a Marketing Manager role.

  6. While editing the Marketing Manager role, go to the Define Permissions tab.

  7. In the left menu, go to Control PanelUsersUser Groups.

  8. Select this permission:

    SectionPermission
    Application PermissionsAccess in Control Panel

  9. Click Save.

  10. In the left menu, go to Control PanelUsersUsers and Organizations.

  11. Select this permission:

    SectionPermission
    Resource > UserView

  12. Click Save.

  13. Go to the Assignees tab and assign this role to the Marketing Managers user group.

    These permissions grant the ability to view the User Groups application and view users. Next, you’ll give the Marketing Manager role permission to view and add members for the Marketing user group.

  14. Go to the User Groups application in the Global Menu.

  15. Click Actions (Actions Button) for the Marketing user group and select Permissions.

    Select Permissions in the Actions menu for the Marketing user group.

  16. For the Marketing Manager role, select these permissions and click Save:

    RolePermission
    Marketing ManagerAssign Members
    Marketing ManagerView Members
    Marketing ManagerView

    Give view and add members permissions to the marketing manager role.

  17. Go to the Users and Organizations application in the Global Menu.

  18. Impersonate Clara Murphy to verify the Marketing Manager role permissions.

    Clara should see the Marketing user group. She should also be able to view members of the user group and add new members to the group.

    Clara can add other Clarity users to the marketing user group.

    Note: This is just an example of the types of permissions you can assign to manager roles.

Conclusion

Congratulation! You’ve completed Module 4: Security and Identity Management. Throughout this module, you’ve learned best practices for authenticating and authorizing users in Liferay DXP. You also finished setting up Clarity’s users, user groups, and roles for their public enterprise website.

In the next module, you’ll learn about building sites with Liferay.

Next Up: Module 5: Site Building

Additional Resources

See official documentation to learn more about managing roles and permissions:

Capabilities

Product

Contact Us

Connect

Powered by Liferay
© 2024 Liferay Inc. All Rights Reserved • Privacy Policy