Applying advanced permissions

In my v9.1.3 site I’m trying to set up some very specific user controls. There will be various people editing certain parts of the site and I want to control what they can do.

Having created a user ‘editor’, I then set the one page it was to be able to edit to allow editing. All seemed fine - when the logged in user went to that page they were presented with the ‘put page in edit’ icon.

However, I want even tighter control than that because that allows them to change ANYTHING on that page. I want them only to be able to edit one specific block so I took away the general ‘page can be edited’ permission and added that user as being able to edit that block, however when the user now goes to that page, there is no icon to allow editing.

It SEEMS that to get the edit icon I have to grant edit rights to the whole page.

Am I missing something or am I just trying to control the system too much? I find I can modify all the other areas of the page and remove that user’s rights but that’s going to be very long-winded and tedious!

Also, I don’t seem to be able to control the global header and footer areas. Is that as expected?

Unfortunately, if you want to get that granular it is going to take quite a bit of setup. You will have to give access to the page and then remove access to all the parts of the page you don’t want them to edit.

Global areas are a different set of permissions, so that’s expected.

Thanks for that. I was beginning to think that was what I’d have to do - and it’s not quite as onerous as it might be since I can just copy new permissions (or non-permissions) to the areas I want to protect.

One problem I’ve found, now, is that when my restricted user goes to the page to edit it and selects an area and selects ‘add block’ (or clicks on the plus icon) the left pane opens up but no blocks are shown. Do I have to grant access to the blocks allowed and if so, where?

OK, I’ve found it! For anyone else who comes across this issue it’s in Blocks & Stacks > Stack & Block Permissions.

Rather than setting a complex knot of permissions for a user called ‘editor’, set up a group for Editors and set permissions for that group.

In the long run, that will make it much easier when you want to change which user can do the editing.

I perhaps over-simplified my needs or didn’t explain clearly enough. I have actually got a group called ‘editors’ which has various assigned rights but there are individual users who have edit access to different parts of the system, e.g. user ‘magazines’ can upload new magazines and set links to them, user ‘treasurer’ can update the page of fees and so on.

Having a single group would surely not allow me that level of control. I may be overthinking it but I don’t want an editor to go messing up areas they shouldn’t be able to modify. Maybe in the long run I’ll just accept that possibility and switch to a single group. Concrete certainly makes setting permissions for a group slightly easier than for a user!

I would still use groups rather than individuals. An individual can be in more than one group and a permission can allow or deny more than one group. So setting up groups for each role will save a lot of messing around when you fire the treasurer for dodgy accounting and move someone else into that role :scream:

Ah, I think I see, so I’d set up each role as a group and then assign each user to the particular group. That does sound better (particularly since we have 3 treasurers!)

I’ve now converted to function groups and I think it is a better approach. Many thanks @JohntheFish