Difference between revisions of "Manual:Extension/BlueSpicePermissionManager"
| [unchecked revision] | [unchecked revision] |
Fbaeckmann (talk | contribs) m (Tag: 2017 source edit) |
(Tag: 2017 source edit) |
Contents
- 1 What is PermissionManagerBlueSpicePermissionManager?
- 2 Where to find the function PermissionManager?BlueSpicePermissionManager
-
3 Using the BlueSpicePermissionManager
The functionality of PermissionManager
- .1 The role system PERMISSION MANAGER EXPLAINED
- 3.2 BlueSpice
- Layout of BlueSpicePermissionManager
- 3.3 MediaWiki Extensions
- Role matrix
4 Permission-templates
- 4 Technical Create templates
- 4.3 Assign group permissions
- 5 Preferences 6
- Add template
- 5 See also
What is PermissionManagerBlueSpicePermissionManager?[edit | edit source]
PermissionManager allows an easy and convenient management of usergroup rights in a graphical interfaceBlueSpicePermissionManager offers easy and user-friendy way to manage user permissions on the wiki.
Where to find the function PermissionManager?BlueSpicePermissionManager[edit | edit source]
Firstly, you will need admin rights in order to call up the permission manager. If you have the right permissions, you will find "Permission manager" in the left navigation bar under "Admin". Click on the link and you will be taken to the administration page.
BlueSpicePermissionManager is available from the left navigation, under "Global actions" tab, under the section "Management", or by navigating directly to Special:PermissionManager
Using the BlueSpicePermissionManager[edit | edit source]
Choose one of the three work modes in the drop-down menu:
- Group: An array is displayed for a chosen user group showing the namespaces and the permissions attached.
- Namespace: An array is displayed for a chosen namespace showing the user groups and the permissions attached.
- Permission: An array is displayed for a chosen permission showing the user groups and the namespaces.
PERMISSION MANAGER EXPLAINEDThe role system[edit | edit source]
Permission manager is used to grant or revoke permissions. On the left side there is Groups menu that can be shown by clicking on the arrow at the top. It shows permission groups hierarchy. The asterisk (*) group includes all users that enter wiki, regardless of whether they are logged in or not. The "user" group applies to all logged in users. This groups holds different sub-groups, some of which are default to MediaWiki while others may be custom. Clicking on the group name shows (in the list to the right) all permissions granted to the group. You can add permissions by checking appropriate check box.
Assigning permissions Permissions can be granted for entire wiki (by checking "Wiki" checkbox) or only for selected namespaces. Assigning permissions follows an inheritance model. If you add permission to (*) group it will also be assigned to "user" and all sub-groups of "user". It will show like green unchecked field. When a permission is not explicitly granted to a group but its inherited from a parent group, field will appear as green and not checked
When explicitly adding permission to one groups (for entire wiki or just for one namespace) all other groups in the same hierarchy level will lose this permission.
Templates You can create templates for permissions. Templates represent collection of permissions to make permission management more straight-forward. Templates are added/edited in Template editor (click on "Edit templates" buttom at the bottom). Enter name for template, description and select permissions that will be managed by this template. When template is added it will appear at the top of the permission lists and assigning it to a group will grant all permissions defined in the template, and at the same time revoke these permissions from other groups in the same hierarchy level.
Assign the permissions as you want in the table. The permissions are colour coded. The explatation for the coding can be found in "Good to know". You can also work with permission-templates, also called roles. Such roles contain a collection of permissions.
Screenshot: Settings in the PermissionManager
Good to know:
- Assigning permissions to groups and namespaces can be done either by choosing a permission-template (role) or by choosing individual permissions.
- Permission-templates are defined by using unique (descriptive) names.
- A permission-template is a freely definable collection of permissions.
- Management of permission-templates is a component of the PermissionManager (with its own dialogue).
- The first step to set permissions is to set them in the first folder - for the whole wiki (*).
- The permissions you set for a group, will be set automatically for the following folders, for the wiki and all namespaces (green coloured - not checked).
- If you want to give the groups more/different permissions - maybe in different namespaces - you can select them manually, but if you do that, the other groups, in the same hierarchy level, lose that permission for the namespace you choosen.
User:
- Read: lets the user view pages.
- Edit: allows the user to edit unprotected pages.
- Create page: allows the user to create new pages (edit permission is needed here).
- Rollback: lets the user roll back the article with a click, restoring a previous version from another author. If this permission is activated, you can find the rollback button under History next to "undo" by the last change.
- Import: allows the user to import an article from another wiki in one go (Transwiki).
Sysop:
- Createtalk: allows the user to create a new talk page (edit permission is needed here).
- Writeapi: controls access to the write API ($wgEnableWriteAPI must be set to true), this means commands can be given using this external interface.
- Upload: allows the creation of new pictures and files, i.e. pictures and files can be uploaded.
- Files: allows the user to view files which have been uploaded (needs secure:Image), e.g. unregistered users can not see word or PDF documents.
- Delete: allows the user to delete pages (can be found under more).
- Move: allows the user to change the title of unprotected pages (edit permission is needed here) via move (can be found under more).
- Move-subpages: this moves subpages along with the main page to which they are assigned (move permission is needed here). If the user has this permission, subpages are automatically moved with main pages.
- Protect: allows the user to lock a page preventing it from being edited or moved (protect can be found under more). Editing a protected page is possible for those with this permission.
- Block: allows the user to block IP addresses and registered users. There are various block options including stopping a user from editing and from registering new accounts and automatic blocking of other users with the same IP address. This takes place via the special page Block user.
- Createaccount: allows the user to create new accounts (via WikiAdmin - User manager).
- Bigdelete: allows the user to delete pages which are larger than the limit $wgDeleteRevisionsLimit. The variable DeleteRevisionsLimit can be set up in advance.
- Undelete: allows the user to restore deleted pages.
- Editusercssjs: allows the user to create and edit their own Monobook style and scripts.
- Markbotedits: lets the user mark a rollback as a bot edit.
- Suppressredirect: allows moving a page without automatically setting up a redirect. A token can be placed when the page is moved.
- Apihighlimits: gives a user a higher limit for API queries; this ia a special permission to allow several actions to be carried out at once.
- Browsearchive: allows the user to search for prefixes of titles of deleted pages via Special:Undelete.
- Noratelimit: the user is not affected by rate limits.
BlueSpice[edit | edit source]
WikiAdmin
|
User permissions |
Definition |
user group |
|---|---|---|
|
editadmin |
gives the user access to the module Search and, where appropriate PageTemplates in the WikiAdmin area |
sysop |
|
useradmin |
gives the user access to the module User and if appropriate Groups in the WikiAdmin area |
sysop |
|
wikiadmin |
grants the user full access to the WikiAdmin area |
sysop |
Responsible editor
|
User permissions |
Definition |
User group |
|---|---|---|
|
responsibleeditors-changeresponsibility |
lets the user change the responsible editors for a page. |
sysop |
|
responsibleeditors-viewspecialpage |
lets the user see the overview of the responsible editors. |
user |
|
responsibleeditors-takeresponsibility |
lets the user be assigned as a responsible editor for an article. |
user |
SecureFileStore
|
User permissions |
Definition |
User group |
|---|---|---|
|
viewfiles |
lets the user download and/or view files which have been uploaded. |
user |
ExtendedSearch
|
User permissions |
Definition |
User group |
|---|---|---|
|
searchfiles |
allows the user to search for files. Lets the user tick the extended search option Search files. |
user |
Review
|
User permissions |
Definition |
User group |
|---|---|---|
|
workflowview |
lets the user view work flows |
user |
|
workflowedit |
lets the user create, edit, change and delete work flows |
sysop |
SecureFileStore
|
User permissions |
Definition |
user group |
|---|---|---|
|
viewfiles |
lets the user download and/or view files which have been uploaded. |
user |
Shoutbox
|
User permissions |
Definition |
user group |
|---|---|---|
|
readshoutbox |
lets the user read commentaries made using the Shoutbox. |
user |
|
writeshoutbox |
lets the user add comments to the Shoutbox |
sysop |
Universal Export
|
User permissions |
Definition |
user group |
|---|---|---|
|
universalexport-export |
allows the user to create PDF files. |
user |
|
universalexport-export-with-attachments |
allows the user to create PDF files with file attachments. |
user |
MediaWiki Extensions[edit | edit source]
Flagged Revisions
|
User permissions |
Definition |
user group |
|---|---|---|
|
review |
lets the user review changes. |
sysop |
|
validate |
lets the user validate changes. |
- |
|
autoreview |
automatically marks those edits which a user has made themselves as reviewed |
sysop |
|
unreviewedpages |
lets the user see the page Special:Unreviewed pages. |
sysop |
Nuke
|
User permissions |
Definition |
user group |
|---|---|---|
|
nuke |
allows the user to delete articles on mass. |
sysop |
Permission-templates[edit | edit source]
PermissonManager lets you make regularly recurring assignments easily by using permission templates, or roles. For example, when you need to supply a new namespace with the relevant group permissions.
Create templates[edit | edit source]
To create a new role, click on "Admin" in the left hand navigation bar. Then choose "Permission manager". And click on "Edit templates".
Add template[edit | edit source]
To add a new role, you can simply click the "New" button. Existing templates can be selected and then edited. The description is only for internal use for wiki admins. All permissions known to the wiki are listed here and can be selected and deselected.
Screenshot: Template editor of the permission managers
Assign group permissions[edit | edit source]
After saving, the groups will be chosen which should be assigned the permissions of the role. A simple click on the desired namespace is enough to validate the role.
Preferences[edit | edit source]
Have a look at the admin preferences to define the PermissionManager.
Screenshots: Admin preferences
See also[edit | edit source]
Our reference pageSince BlueSpice version 3.0, roles, as a way to manage wiki rights, are introduced. The main intention of using roles is to simplify rights management and make it more straigh-forward. Roles represent a collection of individual permissions that are necessary to perform certain function on the wiki. For example, for a user who is supposed only to be able to read the wiki, many permissions in addition to the "read" permissions are needed, like ability to change own settings, be able to search the wiki, view page ratings... All those permissions that make a logical group, are encapsulated to a role, in this example to the role "reader". This way, if wiki admins want to grant ability to have read-only rights on the wiki to a user group, they only need to assign that group "reader" role, instead of assigning tens of different rights, which would such user group require.
Other functions on the wiki would also rights required for them encapsulated in a role.
By assigning role to a group, all users belonging to that group will receive rights contained in the role.
BlueSpicePermissionManager, since version 3.0, allows managing role assignment, instead of permission assignment as was the case in previous versions.
Default roles[edit | edit source]
By default BlueSpicePermissionManager offers a number of pre-defined roles that are created to serve most of the user needs on the wiki:
- bot - role that should be typically assigned only to the "bot" group.
- admin - role that contains all available rights, and should be assigned only to wiki-admin groups.
- maintenanceadmin - very similar to "admin" role, used for user groups that are responsible for maintaining wiki integrity
- author - this role contains all permissions necessary for creating content on the wiki.
- editor - role meant for user groups that are able to not only create own content, but to edit, create reviews and delete all content of the wik
- reviewer - role that allows users to perform all reviewing actions on the wiki
- accountmanager - role means for users that will manage user accounts
- structuremanager - this role allows users to manage the structure of the wiki - move (rename) pages, create and delete namespaces...
- reader - role that allows basic read-only access to the wiki
- accountselfcreate - this role must be assinged to the "*" groups, in order to allow users to create user accounts by themselves
- commenter - role for users that cannot create and edit content, but can comment on the existing content
Layout of BlueSpicePermissionManager[edit | edit source]
BlueSpicePermissionManager consists of:
-
the group tree on the left - showing all the groups available on the wiki in the hierarchy.
- Group "*" - all non-logged-in users (anonymous) users belong to this group
- Group "user" - all logged-in users belong to this group. This is the default group for all users on the wiki, every user belongs to this group by default
- Subgroups of group "user" - all groups that are defined on the wiki, eiter by default, by MediaWiki, or custom groups created by the wiki admins. System groups, created by MediaWiki, can be hidden by unchecking "Show system groups" checkbox above the tree.
- Role matrix - table showing namespaces in columns and roles in rows
Role matrix[edit | edit source]
The columns in the role matrix are:
- Role information column - represented by an info icon. Clicking on this icon opens a dialog listing all the permissions contained in a particular role. The list shows permission names and short description. This list is exportable.
- Role name
- "Wiki" column - this column represents assignment of a role to the entire wiki. By assigning the role in this column, user group will receive permissions in the role everywhere on the wiki (all namespaces).
-
Individual namespaces - Following columns represent every (applicable) namespace on the wiki.
- Roles can be assigned to only certain namespace, eg. group "user" can be granted role "editor" only in namespace "Public", in order to be able to edit only pages in this namespaces. By granting a role to a particular group in a particular namespace, means that all other groups will lose permissions from this role, eg. granting role "reader" in namespace "Private" to group "sysop" means that all users in any other groups won't be able to read pages in "Private" namespace, even if they have "reader" role granted on the wiki level ("Wiki" column).
- Same role can be granted to multiple groups for the same namespace.
- Which namespace will appear in the matrix can be controlled by adding column to the grid, by clicking on the arrow in table header, then "Columns" and selecting desired columns.
Role inheritance[edit | edit source]
By default, all roles granted to "*" group will be granted to "user" group, and all roles granted to "user" group will be granted to all of the groups that are a sub-group of the group "user". If a group inherits the role from upper-level group field in the role matrix will be shown in green, but the checkbox won't be checked.
Technical[edit | edit source]
Logging[edit | edit source]
Every change to the roles is logged in the MediaWiki log book, found under Special:Log under Permission Manager log type. These logs are availble only to wiki administrators (users in groups that have "admin" role granted).
Backups[edit | edit source]
All changes to role matrix is backed-up. By default, last 5 backups are being kept. This limit can be changed in BlueSpiceConfigManager, under configs for extension BlueSpicePermissionManager.
See also[edit | edit source]
Reference page for this extension.