If a role were to win a Grammy or an Oscar or some other ego-feeding popularity contest, it better remember to thank all its permissions groupies during the acceptance speech, because they’re the ones doing the real work. The role is just the pretty face, so to speak.
Roles collect permissions that define a particular function within Liferay DXP, according to a particular scope. Roles collect permissions, and users are assigned to roles, either directly or through their association with a User Group, an Organization, or a Site.
Take a Message Board Administrator role, for example. A role with that name is likely to have permissions relevant to the specific Message Board portlets delegated to it. Users with this role inherit the permissions collected underneath the umbrella of the role.
Managing Roles in Liferay
Manage Liferay’s roles in the Control Panel (Control Panel → Users → Roles). There you’ll find an application for creating roles, granting them permissions, and assigning users to them. Roles can be scoped by portal, site, or organization.
To create a role, click the scope you want a role for and then click the Add () button. Enter a name, title, and description for the role. The name field is required but the title and description are optional. If you enter a name and a title, the title is displayed in the list of roles on the Roles page of the Control Panel. If you do not enter a title, the name is displayed. When you finish, click Save.
After you save, your role is added to the list of roles. To see what functions you can perform on your new role, click the Actions button.
Edit: lets you change the name, title or description of the role.
Permissions: allows you to define which users, user groups or roles have permissions to edit the role.
Define Permissions: defines the permissions the role contains.
Delete: permanently removes a role from the portal.
Once you have a role you want to configure, the first step is often to define its permissions.
Defining Role Permissions
Roles collect permissions, so when a user is given a role, they receive all the permissions defined by the role.
To add permissions to a role, click on the Actions () button for a regular role and select Define Permissions. Find the permissions you want to add by navigating the categories of permissions on the left side of the screen and click on a specific category (such as Site Administration → Navigation → Site Pages). Select any permissions that you’d like to add the role, then click Save.
There are three basic categories of permissions: Control Panel, Site Administration, and User. By default, any Liferay user can manage their user account via the permissions belonging to the User category. Site Administrators can access the site administration tools belonging to the Site Administration category. Portal Administrators can access the entire Control Panel. For custom roles, you can mix and match permissions from as many categories as you like.
The permissions in the Site Administration → Applications categories govern the content that can be created by core portlets such as the Wiki and Message Boards. If you pick one of the portlets from this list, you’ll get options for defining permissions on its content. For example, if you pick Message Boards, you’ll see permissions for creating categories and threads or deleting and moving topics.
Site application permissions affect the application as a whole. Using the Message Boards as an example, an application permission might define who can add the Message Boards portlet to a page.
The Control Panel permissions affect how the Control Panel appears to the user in the Control Panel. The Control Panel appears differently to different users, depending on their permissions. Some Control Panel portlets have a Configuration button and you can define who gets to see that. You can also fine-tune who gets to see various applications in the Control Panel.
If you want to change the scope of a permission, click the Change link next to the gear icon next to the permission and then choose a new scope. After you click Save, you’ll see a list of all permissions currently granted to the role. From the Summary view, you can add more permissions or go back to the Role Application default view by clicking on the Back () icon.
Sometimes you might find that a certain permission grants more or less access than what you expected–always test your permissions configurations!
Suppose you need to create a role called User Group Manager. You’d like to define the permissions for the User Group Manager role so that users assigned to this role can add users to or remove users from any user group. To do this, you can take the following steps:
- Go to the Control Panel and then click on Users → Roles.
- On the Regular Roles screen, click Add ().
- After naming your role and entering a title, click Save.
- Click on Actions () → Define Permissions and drill down in the menu on the left to
Control Panel → Users → User Groups.
- Under the General Permissions heading, flag Access in Control Panel and View. This lets user group managers access the User Groups Control Panel portlet and view existing user groups.
- Since you’d like user group managers to be able to view user groups and assign members to them, you’d also check the Assign Members and View permissions under the Resource Permissions → User Group heading.
- Click Save.
Once you create the role, assign it to its intended users. To assign roles to Users, Sites, Organizations, and User Groups, click on the role, then click on the Add button (). Choose the users and/or groups you want to assigned to the role. If assigning a group, note that all users assigned to that group will inherit the role as well.
You might expect that the role has all the permissions necessary for adding users to user groups. After all, user group managers can view user groups, assign members, and access User Groups in the Control Panel. However, we’re forgetting an important permission: the User Group Manager role can’t view users! This means that if they click Assign Members for a user group and click on the Available tab, they’ll see an empty list.
If you create a role with permission to access something in the Control Panel, keep in mind that the View Control Panel Menu permission will be automatically granted. Consider why this is necessary with an example.
To fix this, define the missing permission on the role by drilling down to the Control Panel → Users → Users and Organizations category and flag the View permission under the Resource Permissions → User heading. Once you’ve saved your permissions configuration, users who’ve been assigned to the User Group Manager role will be able to browse the portal’s entire list of users when assigning users to a user group.
Roles are very powerful and allow portal administrators to define various permissions in whatever combinations they like. This gives you as much flexibility as possible to build the site you have designed.
Permission for Delegating Social Activities Configuration
There’s a permission that allows site administrators to delegate responsibility for configuring social activities to other users. To add this permission to a role, click Actions next to the desired role and select Define Permissions. Find the Site Administration → Configuration → Social Activity permissions category. Flag all of the permissions and then click Save:
- Access in Site Administration
Once these permissions are assigned, assignees can manage the site’s Social Activities.
Deleting Asset Containers
A Web Content Folder contains Web Content articles. The Web Content Folder is an asset container, and the Web Content Article is an asset. It’s possible to give a role permission to delete an asset container without giving the role permission to delete individual assets. In that case, beware: if a role assignee deletes an asset container with individual assets in it, the individual assets themselves will be deleted as well.
Besides Web Content Folders, examples of asset containers include Bookmarks Folders, Message Boards Categories, Wiki Nodes, and Documents and Media Folders.
You might not need to create a role for a certain functionality. Liferay provides many pre-configured roles for your convenience.
Default Liferay Roles
In the Roles Application, you’ll see a list of all the roles in Liferay, by scope. These are some of the pre-configured roles:
- Guest: The Guest role is assigned to unauthenticated users and grants the lowest-level permissions within the portal.
- User: The User role is assigned to authenticated users and grants basic basic permissions within the portal (mostly Add to Page permissions for applications).
- Power User: The Power User role grants more permissions than the User role. It’s designed to be an extension point for distinguishing regular users from more privileged users. For example, you can set up your portal so that only Power Users have personal sites.
- Site Member: The Site Member role grants basic privileges within a site, such as the ability to visit the site’s private pages.
- Site Administrator: The Site Administrator role grants the ability to manage almost all aspects of a site including site content, site memberships, and site settings. Site Administrators cannot delete the membership of or remove roles from other Site Administrators or Site Owners. They also cannot assign other users as Site Administrators or Site Owners.
- Site Owner: The Site Owner role is the same as the Site Administrator role except that it grants the ability to manage all aspects of a site, including the ability to delete the membership of or remove roles from Site Administrators or other Site Owners. They can assign other users as Site Administrators or Site Owners.
- Organization User: The Organization User role grants basic privileges within an organization. If the organization has an attached site, the Organization User role implicitly grants the Site member role within the attached site.
- Organization Administrator: The Organization Administrator role grants the ability to manage almost all aspects of an organization including the organization’s users and the organization’s site (if it exists). Organization Administrators cannot delete the membership of or remove roles from other Organization Administrators or Organization Owners. They also cannot assign other users as Organization Administrators or Organization Owners.
- Organization Owner: The Organization Owner role is the same as the Organization Administrator role except that it grants the ability to manage all aspects of an organization, including the ability to delete the membership of or remove roles from Organization Administrators or other Organization Owners. They can assign other users as Organization Administrators or Organization Owners.
- Administrator: The administrator role grants the ability to manage the entire portal, including global portal settings and individual sites, organizations, and users.
Roles, and the permissions granted with their assignment, are foundational components in Liferay. Understanding their uses and configuration should enhance your ability to configure Liferay DXP to suit your organizational needs.