Understanding Roles and Permissions

To give users the necessary permissions to perform their intended function within Liferay DXP, you must first associate the set of permissions with a role.

Roles and Scope

Using a Message Boards Admin role and a user Jane Slaughter as an example, here are the steps you might follow:

  1. Determine the function needed: Manage Message Boards in Liferay DXP.
  2. Determine the scope: Throughout the Virtual Instance (globally).
  3. Create the properly scoped role, assigning the permissions that power the function: Message Boards Admin (Regular Role).
  4. Create the user collection: a User Group called Message Boards Administrators.
  5. Assign the role to the user collection: Message Boards Administrators → Message Boards Admin Role.
  6. Assign users to the user collection: Jane Slaughter → Message Boards Administrators.

The conceptual diagram below shows how the user inherits the necessary permissions in Liferay’s roles and permissions system. Only one fully-wired role assignment appears here (for the user who becomes a Message Boards Administrator), but you can see how drawing new arrows would link the user with permissions via other user collections and role assignments.

Roles exist to link permissions efficiently with users.

Roles have scope, so they apply at different levels.

| Permission Scope | Role Type | Where is it assigned to users? | Available Assignments |
| --- | --- | --- | --- |
| Throughout the Virtual Instance (global) | Regular | Control Panel → Users → Roles (Click on the Role) → Assignees | User groups, Organizations, Sites, Segments, Individual users |
| A single organization | Organization | Control Panel → Users → Users and Organizations → Organizations (Organization actions menu) | Individual users |
| A single Site | Site | Site Administration → People → Memberships | User groups, Organizations, Segments, Individual site members |
| A single Asset Library | Asset Library | Site/Library Administration of Asset Library → People → Memberships | Organizations, User groups, Individual users |

Individual users can be manually assigned to roles. This method is less efficient than using collections of users. Users can also be automatically assigned to roles of all scopes through a virtual instance setting called Default User Associations.
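
The inheritance chain from the walkthrough and the assignment table above, as an added Python model (not Liferay code or a Liferay API). It resolves a user's effective permissions through user collections, skips assignee kinds the table does not list for a role type, and lists direct individual assignments for review. The Site Reviewer role, Sam Example, the Reviewers group, the Intranet site, and the permission strings are constructed for illustration.

```python
# Toy model of this page's role table; all sample data below is constructed.
# Assignee kinds each role type accepts ("Available Assignments" column).
ALLOWED = {
    "regular": {"user_group", "organization", "site", "segment", "user"},
    "organization": {"user"},
    "site": {"user_group", "organization", "segment", "user"},
    "asset_library": {"organization", "user_group", "user"},
}
# role name -> (role type, permissions); permission strings are hypothetical labels.
ROLES = {
    "Message Boards Admin": ("regular", {"message_boards.manage"}),
    "Site Reviewer": ("site", {"web_content.review"}),
}
MEMBERSHIPS = {  # user -> collections the user belongs to
    "Jane Slaughter": {("user_group", "Message Boards Administrators")},
    "Sam Example": {("user_group", "Reviewers")},
}
ASSIGNMENTS = [  # (role, assignee kind, assignee name, scope)
    ("Message Boards Admin", "user_group", "Message Boards Administrators", "instance"),
    ("Message Boards Admin", "user", "Sam Example", "instance"),
    ("Site Reviewer", "user_group", "Reviewers", "site:Intranet"),
    ("Site Reviewer", "site", "Intranet", "site:Intranet"),  # kind not in table
]

def is_valid(assignment):
    """True if the table lists this assignee kind for the role's type."""
    role, kind, _name, _scope = assignment
    return kind in ALLOWED[ROLES[role][0]]

def invalid_assignments():
    """Assignments whose assignee kind the table does not list."""
    return [a for a in ASSIGNMENTS if not is_valid(a)]

def effective_grants(user):
    """Resolve user -> collection -> role -> (permission, scope, via)."""
    principals = {("user", user)} | MEMBERSHIPS.get(user, set())
    grants = set()
    for role, kind, name, scope in filter(is_valid, ASSIGNMENTS):
        if (kind, name) in principals:
            via = "direct" if kind == "user" else name
            grants |= {(perm, scope, via) for perm in ROLES[role][1]}
    return grants

def direct_assignments():
    """Individual-user assignments (the less efficient method) as (user, role)."""
    return [(a[2], a[0]) for a in ASSIGNMENTS if a[1] == "user" and is_valid(a)]

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        print(user, sorted(effective_grants(user)))
```

The `via` field records which collection carried each grant, which is the detail an access review needs when deciding what to revoke.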

Regular Roles

Instance-scoped roles are called regular roles. These roles grant permissions globally, or throughout the virtual instance.

Several user collections can be assigned to regular roles:

  • Organizations hold users of a shared hierarchical level.
  • User Groups hold users performing the same function.
  • Sites hold users (as site members) that may perform a certain action.
  • Segments hold users of a site that match certain conditions.

Organization Roles

Organization-scoped roles are called organization roles. Permissions for organization roles are defined at the global level and are applied to one specific organization. Users are added to organizations individually and are assigned to organization roles individually.

Site Roles

Site-scoped roles are called site roles. Permissions for site roles are defined at the global level and are applied to one specific Site. You can use individual users, organizations, and user groups to control site membership and assign site roles.

Permissions

Application developers create permissions. Each permission defines an action users can perform, or a function users are allowed to perform on a particular asset.

Application Scoped Permissions

Permissions can be granted on each widget instance that’s placed on a page in Liferay DXP, and each administrative application in the Site Menu → Content and Data section. See Widget Permissions for details.

Asset Scoped Permissions

Asset-level permissions (for instance, permission to edit an individual blog post, or view a folder in the Documents and Media library) are managed from the individual asset, not the Control Panel. See Widget Permissions for details.

© 2024 Liferay Inc. All Rights Reserved • Privacy Policy