dotCMS objects can be permissioned directly to a user as well as receiving role based object permissions. Large groups of similarly permissioned users can all be easily assigned to the same role, however if a few users in that group need additional access to a few objects, permissions can be quickly extended to those unique users without affecting role distribution.
Who Can Assign User Permissions?
Only CMS Administrators can edit/modify user permissions from the Systemtab.
Assigning Roles Based Permissions to Users
Assigning users to roles is an efficient way of sharing one permission configuration amongst many users who need the same sort of dotCMS backend access. To assign a user to a role(s) hover over the Systemtab and click on Users. Select the user and then click the checkbox next to the role they will inherit and save the changes. Users can also be added to roles while editing the role. For more information see the Role Permissions documentation.
Further efficiencies can be achieved by configuring dotCMS to “auto-assign” roles based upon matching LDAP groups*.
*For more information please see our documentation on LDAP Configuration.
Distribution of User Permissions from System Host
User permissions can be set on dotCMS objects from the system host, a “parent” folder, or individual user permissions (non-inherited), can be set for any user from the System> Users backend page.
To view the permissions set on a user, click on the user from the System> Users portlet, then click the Permissions tab in the user detail area.
Permissions dotCMS objects are normally distributed through role-based access rather than specifying user-specific permissions. Although not the recommended default permissioning scheme, there are many cases where an individual user's access needs fall outside the scope of their roles. When defined roles do not extend enough access to a user, but that user is not a CMS Administrator either, then User based access to dotCMS objects can be a great solution.
Below is an image of a user whose object permissions are being set from the “System Host”. User “John Cook” is a content publisher who is also skilled enough to assist in creating new templates for the review of the Website Administrator. So in addition to having the “Content Publisher” role, John is being added to the System Host with “View” and “Edit” permissions to all templates and containers.
John will not be able to publish changes to containers and templates like a CMS Administrator but he will assist in their creation/modification. John will receive his customized user-based access as soon as the “Apply Changes” button is pressed and his user access is cascaded to all existing templates and containers on all hosts.
Assigning Individual User Permissions to an Object
While editing a dotCMS object, clicking on the Permissions tab and the “Permission Individually” button will stop any role inheritance coming from higher up the permission hierarchy and allows for permissions to be set on the object itself. Permissions to individual users can then be extended at the object level as in the image below where the permissions on an HTML page are being edited. For more information, see the documentation on dotCMS Object Permissions.