Difference between revisions of "Manual:Extension/BlueSpicePermissionManager"
To manage permissions, the extension BlueSpicePermissionManager provides the administrator interface. It is located under Global actions > Management > Permission manager. This links to the page Special:PermissionManager.

Role-based permissions
In BlueSpice 3, roles were introduced as a way to manage wiki rights. The main intention of using roles is to simplify rights management.
Roles represent a collection of individual permissions that are necessary to perform certain functions on the wiki. For example, for a user who is supposed to only read the wiki, many permissions in addition to the "read" permission are needed: The ability to change their own settings, to search the wiki, to view page ratings, and so on.
All permissions that make up a logical group are encapsulated in a role, in this example the role "reader". If wiki admins want to grant read-only rights to a user group, they only need to assign that group the "reader" role, instead of assigning many individual permissions that are needed to create a "read"-user.
By assigning roles to a group, all users belonging to that group receive the rights of these roles. Roles are never assigned directly to users, but always to groups instead. Users are then assigned to one or more groups.
The roles matrix
The permission manager consists of the group tree (1) and the role matrix (2):
The group tree shows all existing groups:
- Group "*": all non-logged-in (anonymous) users
- Group "user": all logged-in users, the default group for all users
- Subgroups of group "user": all groups that are defined on the wiki, either by default, by MediaWiki, or custom groups created by an administrator. System groups, created by MediaWiki, can be hidden by unchecking the "Show system groups" checkbox above the tree.
The columns in the role matrix are:
- Role information (info icon): Clicking the icon shows all the permissions in a role. This list is exportable.
- Role name
- Wiki: Assignment of a role to the entire wiki. By assigning the role in this column, a user group gets permissions in this role on the wiki (all namespaces).
- Individual namespaces: The following columns list every (applicable) namespace on the wiki.
- Roles can be assigned to individual namespaces. For example, the group user can get the editor role only in the namespace Public. Users in this group cannot edit content in any other namespace. Granting a role to a particular group in a particular namespace means that all other groups lose the permissions from this role. For example, granting the role "reader" in the namespace "Private" to the group "sysop" means that users in any other group cannot read pages in the "Private" namespace, even if they have the "reader" role granted on the wiki level ("Wiki" column).
- The same role can be granted to multiple groups for the same namespace.
- Additional namespaces can be added to the matrix by clicking the arrow in the table header, then "Columns". Then the namespaces can be selected.
Role inheritance
By default, all roles granted to the (*) group will be granted to the user group, and all roles granted to the user group are granted to its subgroups. If a group inherits the role from an upper-level group field, this is indicated in the role matrix with a green background, but the checkbox is empty.
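The namespace override and the inheritance rule interact in ways that are easy to misjudge in the matrix, so the following added example (not BlueSpice code, and not part of the original manual) models both rules and lists the groups that silently lose a wiki-level role. It assumes that namespace-level grants are inherited the same way as wiki-level ones; the group "editors", the namespace "Main" and the matrix contents are constructed.

```python
# Added example: a simplified model of the rules stated on this page.
# Assumption: this is not BlueSpice code; group "editors" and namespace "Main" are constructed.
PARENT = {"*": None, "user": "*", "sysop": "user", "editors": "user"}

# Constructed role matrix: role -> {"wiki": groups} plus one entry per namespace column.
MATRIX = {
    "reader": {"wiki": {"*"}, "Private": {"sysop"}},
    "editor": {"wiki": set(), "Public": {"user"}},
    "admin": {"wiki": {"sysop"}},
}


def lineage(group):
    """The group itself followed by every group it inherits from."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def holds(group, granted_to):
    """True if the group, or a group it inherits from, is in the grant set."""
    return any(g in granted_to for g in lineage(group))


def has_role(group, role, namespace):
    """Effective role check: a namespace-level grant replaces the wiki-level one."""
    columns = MATRIX.get(role, {})
    ns_grant = columns.get(namespace)
    return holds(group, ns_grant if ns_grant else columns.get("wiki", set()))


def shadowed():
    """(role, namespace, group) triples where a wiki-level role is lost in a namespace."""
    lost = []
    for role, columns in MATRIX.items():
        wiki_grant = columns.get("wiki", set())
        for namespace, ns_grant in columns.items():
            if namespace == "wiki" or not ns_grant:
                continue
            for group in PARENT:
                if holds(group, wiki_grant) and not holds(group, ns_grant):
                    lost.append((role, namespace, group))
    return sorted(lost)


if __name__ == "__main__":
    for role, namespace, group in shadowed():
        print(f"group {group!r} loses role {role!r} in namespace {namespace!r}")
```

Running the audit before saving a namespace-level change shows which groups the change locks out, which is the effect the "Private" example above describes.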
Default roles
By default, the Permission manager includes a number of predefined roles that serve most user needs. The individual permissions contained in a role can be seen by clicking the info icon in front of the role name. It opens a dialog with a permissions list for the role.
- bot - typically assigned only to the bot group
- admin - all available rights. It should be assigned only to wiki-admin groups
- maintenanceadmin - very similar to the admin role, used for user groups that are responsible for maintaining wiki integrity
- author - all permissions necessary for creating content on the wiki
- editor - create content, edit and delete content, create reviews
- reviewer - all reviewing actions
- accountmanager - user account management rights
- structuremanager - move (rename) pages, create and delete namespaces
- reader - basic read-only access
- accountselfcreate - this role must be assigned to the "*" groups to allow users to self-create user accounts
- commenter - cannot create and edit content, can only comment on existing content
Important! The default roles and related permissions are different in the BlueSpice pro Cloud permission manager.
Technical info
Logging
Every change to the roles is logged in the MediaWiki log book, found under Special:Log, in the Permission Manager log. These logs are available only to wiki administrators (users in groups with the role admin).
Configuration
All changes to the role matrix are backed up. By default, the last 5 backups are kept. This limit can be changed in Config manager, under extension BlueSpicePermissionManager.
- Backup limit: Sets the number of backups for the permissions manager. Each time the page Special:PermissionManager is saved, a backup is created. If the backup limit is set to 5, the last five versions of the permissions configuration are saved as backups.
Related info
- Reference:PermissionManager
- Managing groups
- Rights concepts
Line 3: | Line 3: | ||
To manage permissions, the extension '''BlueSpicePermissionManager''' provides the administrator interface. It is located under ''Global actions > Management > Permission manager''. This links to the page <code>Special:PermissionManager</code>.<section end="description" /> | To manage permissions, the extension '''BlueSpicePermissionManager''' provides the administrator interface. It is located under ''Global actions > Management > Permission manager''. This links to the page <code>Special:PermissionManager</code>.<section end="description" /> | ||
− | + | == Role-based permissions == | |
− | |||
− | |||
− | ==Role-based permissions== | ||
In BlueSpice 3, roles were introduced as a way to manage wiki rights, . | In BlueSpice 3, roles were introduced as a way to manage wiki rights, . | ||
The main intention of using roles is to simplify rights management. | The main intention of using roles is to simplify rights management. | ||
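Review bot: The rewritten heading "== Role-based permissions ==" now has padding spaces, while the headings left untouched further down ("==The roles matrix==", "==Technical info==") have none; pick one style for the page. The unchanged line right after it still reads "manage wiki rights, ." with a dangling comma and full stop, which should be cleaned up in the same edit.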
Line 18: | Line 15: | ||
[[File:RightsRolesGroups.drawio.png|alt=How users get their user rights|center|950x950px|How users get their user rights]] | [[File:RightsRolesGroups.drawio.png|alt=How users get their user rights|center|950x950px|How users get their user rights]] | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==The roles matrix== | ==The roles matrix== | ||
The permission manager consists of the group tree (1) and the role matrix (2):<br /> | The permission manager consists of the group tree (1) and the role matrix (2):<br /> | ||
Line 60: | Line 40: | ||
By default, all roles granted to the (*) group will be granted to the ''user'' group, and all roles granted to the ''user'' group are granted to its subgroups. | By default, all roles granted to the (*) group will be granted to the ''user'' group, and all roles granted to the ''user'' group are granted to its subgroups. | ||
If a group inherits the role from an upper-level group field, this is indicated in the role matrix with a green background, but the checkbox is empty. | If a group inherits the role from an upper-level group field, this is indicated in the role matrix with a green background, but the checkbox is empty. | ||
+ | ==Default roles== | ||
+ | By default, the Permission manager includes a number of predefined roles that serve most user needs. The individual permissions contained in a role can be seen by clicking the info icon in front of the role name. It opens a dialog with a permissions list for the role.[[File:bot-permissions.png|alt=Screenshot: bot permissions|center|650x650px|link=https://en.wiki.bluespice.com/wiki/File:bot-permissions.png]] | ||
+ | *'''bot '''- typically assigned only to the ''bot'' group | ||
+ | *'''admin '''- all available rights. It should be assigned only to wiki-admin groups | ||
+ | *'''maintenanceadmin '''- very similar to the ''admin'' role, used for user groups that are responsible for maintaining wiki integrity | ||
+ | *'''author '''- all permissions necessary for creating content on the wiki | ||
+ | *'''editor '''- create content, edit and delete content, create reviews | ||
+ | *'''reviewer '''- all reviewing actions | ||
+ | *'''accountmanager '''- user account management rights | ||
+ | *'''structuremanager '''- move (rename) pages, create and delete namespaces | ||
+ | *'''reader''' - basic read-only access | ||
+ | *'''accountselfcreate '''- this role must be assigned to the "*" groups to allow users to self-create user accounts | ||
+ | *'''commenter '''- cannot create and edit content, can only comment on existing content | ||
+ | {{Box Note|boxtype=important|Note text=The default roles and related permissions are different in the [[Manual:Extension/BlueSpicePermissionManager/Cloud|BlueSpice pro Cloud permission manager]].}} | ||
==Technical info== | ==Technical info== | ||
===Logging=== | ===Logging=== | ||
− | Every change to the roles is logged in | + | Every change to the roles is logged in <code>Special:Log</code>, in the <code> Permission Manager log</code> . |
− | These logs are | + | These logs are available only to wiki administrators (users in groups with the role ''admin''). |
==Configuration== | ==Configuration== | ||
All changes to the role matrix are backed up. By default, the last 5 backups are kept. This limit can be changed in [[Manual:Extension/BlueSpiceConfigManager|Config manager]], under extension BlueSpicePermissionManager.<br />{{#dpl:title=Manual:Extension/BlueSpiceConfigManager|include=#BlueSpicePermissionManager}} | All changes to the role matrix are backed up. By default, the last 5 backups are kept. This limit can be changed in [[Manual:Extension/BlueSpiceConfigManager|Config manager]], under extension BlueSpicePermissionManager.<br />{{#dpl:title=Manual:Extension/BlueSpiceConfigManager|include=#BlueSpicePermissionManager}} |
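Review bot: The new Logging sentence ends in "<code> Permission Manager log</code> ." with a leading space inside the code tag and a space before the full stop, so the log name renders with stray whitespace; write "<code>Permission Manager log</code>." instead. In the added Default roles block, the image carries "link=https://en.wiki.bluespice.com/wiki/File:bot-permissions.png", a hard-coded absolute URL; an image without a link parameter already links to its own file page, so dropping the parameter keeps the link correct when the page is served from another host. The section is also added at "==" level directly after the "Role inheritance" paragraph, so confirm that ending the roles-matrix section there is intended.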