Roles & Permissions Refresher
When launching a community, you will have access to documentation around roles, may take several training courses involving them, and will likely be walked through how to create and manage roles by a Community Strategist. Here is a quick refresher on some important elements when managing roles:
Follow the Principle of Least Privilege
Every user should be able to access only the information and content necessary for their legitimate needs on the community.
Always create roles at the Community (highest) level
To keep things simple: roles are easier to manage, track, and grant at the community level. In addition, Khoros analytics tools only track user roles at the community level.
Here, we've created "Test Role 1" at the community level.
Remember, you can create a role with the exact same name (spaces included!) at a lower level of the community and grant the appropriate permissions there.
Here we've created Test Role 1 to apply to this TKB that you're reading (notice how the top bar changed from purple to pink, along with the location in the community structure?). Any permissions given to Test Role 1 here at this TKB will still be granted by Test Role 1 at the community (purple) level.
This is especially handy for giving a group of users (say, employees) access to dozens of areas while only giving them one role.
Tips for Managing Roles
- Keep it simple; only add when needed.
- Create as few exceptions to the default community permissions as you possibly can.
Making a section of the Community "private"
When making a new board, TKB, category, etc., you may want to make it private to all users except those who have a specific role. To do this, in your Admin panel, use the "choose" button above to navigate to the particular area in the community you want to make private. From there, go to Users -> Permissions -> Defaults, and change the following permissions from "Default" to "Deny":
- Read Posts
- See Discussion Style Boards (this may appear as See Forums, See Blogs, See TKBs, etc.)
- See Categories (if you are denying access to a Category)
With those 2-3 permissions set to Deny, only users with a specific role will be able to see that area.
If you need a group of users to see this area, create a role and, in that role, grant those 2-3 permissions. You don't need to change the rest of the permissions because, unless users have access to the area, they will not be able to take other actions.
Managing Complicated Role/Permission Setups
You may end up in a situation where someone has been granted access to an area they shouldn't have, or lacks access to an area they should have. Grant permissions given through Roles will always override other permissions! Remember: every user should be able to access only the information and content necessary for their legitimate needs on the community. So try to give Grant permissions through Roles at the lowest possible point in the structure, rather than the highest.
General rules of thumb:
- Permissions Granted through a Role will always overrule other permission settings in a specific area, so grant these as deep in your community structure as you're comfortable with (generally at a specific board or category level).
- Permissions Denied through a Role will always overrule default and permissions.
- Non-Default/Inherited Permissions will always overrule default, inherited permissions.
- Default, Inherited Permissions will always be overruled if an exception is created.
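
The rules of thumb above, as a simplified model written for this page (an added example, not Khoros code or a Khoros API): it resolves one permission for a user and lists private areas that a role reaches through a Grant set higher in the structure. The node names, role names, the `read_posts` key, the placement of a role Deny above node-level exceptions, and the deny fallback when nothing is set are all assumptions.

```python
# Simplified model of the page's rules of thumb; not Khoros code.
# Node names, role names and the "read_posts" key are constructed.
PARENT = {"community": None, "category:staff": "community",
          "board:hr": "category:staff", "board:general": "community"}

# Users -> Permissions -> Defaults per node; a missing key means "Default".
DEFAULTS = {"community": {"read_posts": "grant"},
            "board:hr": {"read_posts": "deny"}}   # the private area

# Role settings per node, keyed by role name.
ROLES = {"community": {"Employees": {"read_posts": "grant"}},  # set too high
         "board:hr": {"HR Team": {"read_posts": "grant"}}}     # set at the area

def _nearest(table, node, perm, role=None):
    """Closest explicit setting from node up to the root: (where, value)."""
    while node is not None:
        settings = table.get(node, {})
        if role is not None:
            settings = settings.get(role, {})
        if perm in settings:
            return node, settings[perm]
        node = PARENT[node]
    return None, None

def effective(node, perm, user_roles):
    """Role Grant > role Deny > nearest exception > inherited default."""
    values = {_nearest(ROLES, node, perm, r)[1] for r in user_roles}
    if "grant" in values:
        return "grant"
    if "deny" in values:
        return "deny"
    # Assumption: with nothing set anywhere, fall back to deny.
    return _nearest(DEFAULTS, node, perm)[1] or "deny"

def inherited_overrides(perm, role):
    """Areas denied by default that `role` reaches via a Grant set higher up."""
    hits = []
    for node in PARENT:
        src, val = _nearest(ROLES, node, perm, role)
        denied = _nearest(DEFAULTS, node, perm)[1] == "deny"
        if denied and val == "grant" and src != node:
            hits.append((node, src))
    return sorted(hits)

if __name__ == "__main__":
    for role in ("Employees", "HR Team"):
        print(role, inherited_overrides("read_posts", role))
```

A non-empty result for a role means a Grant placed at a higher level is opening an area whose defaults were set to Deny, which is the case the advice to grant at the lowest possible point is meant to prevent.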