Difference between revisions of "Manual:Extension/BlueSpicePermissionManager"


What is PermissionManager?

PermissionManager allows an easy and convenient management of usergroup rights in a graphical interface.

Accessing the Permission manager

Firstly, you will need admin rights in order to call up the permission manager. If you have the right permissions, you will find "Permission manager" in the left navigation bar under "Admin". Click on the link and you will be taken to the administration page.

Screenshot: Open the permission manager in the admin area

The functionality of PermissionManager

To manage permissions, use the Permission manager. It is located under Global actions > Management > Permission manager. This links to the page Special:PermissionManager.

Role-based permissions

Choose one of the three work modes in the drop-down menu:

  • Group: An array is displayed for a chosen user group showing the namespaces and the permissions attached.
  • Namespace: An array is displayed for a chosen namespace showing the user groups and the permissions attached.
  • Permission: An array is displayed for a chosen permission showing the user groups and the namespaces.

PERMISSION MANAGER EXPLAINED

The Permission manager is used to grant or revoke permissions. On the left side there is a Groups menu that can be shown by clicking on the arrow at the top. It shows the hierarchy of permission groups. The asterisk (*) group includes all users that enter the wiki, regardless of whether they are logged in or not. The "user" group applies to all logged-in users. This group holds different sub-groups, some of which are default to MediaWiki while others may be custom. Clicking on a group name shows (in the list to the right) all permissions granted to the group. You can add permissions by checking the appropriate check box.

Assigning permissions

Permissions can be granted for the entire wiki (by checking the "Wiki" checkbox) or only for selected namespaces. Assigning permissions follows an inheritance model. If you add a permission to the (*) group, it will also be assigned to "user" and all sub-groups of "user". When a permission is not explicitly granted to a group but is inherited from a parent group, the field appears green and unchecked.

When a permission is explicitly added to one group (for the entire wiki or just for one namespace), all other groups in the same hierarchy level lose this permission.

Templates

You can create templates for permissions. A template represents a collection of permissions and makes permission management more straightforward. Templates are added and edited in the Template editor (click on the "Edit templates" button at the bottom). Enter a name and a description for the template and select the permissions that it will manage. Once a template is added, it appears at the top of the permission lists. Assigning it to a group grants all permissions defined in the template and at the same time revokes these permissions from other groups in the same hierarchy level.

Assign the permissions as you want in the table. The permissions are colour coded. The explanation for the coding can be found in "Good to know". You can also work with permission-templates, also called roles. Such roles contain a collection of permissions.

Screenshot: Settings in the PermissionManager

Good to know:

  • Assigning permissions to groups and namespaces can be done either by choosing a permission-template (role) or by choosing individual permissions.
  • Permission-templates are defined by using unique (descriptive) names.
  • A permission-template is a freely definable collection of permissions.
  • Management of permission-templates is a component of the PermissionManager (with its own dialogue).
  • The first step to set permissions is to set them in the first folder - for the whole wiki (*).
  • The permissions you set for a group will be set automatically for the following folders, for the wiki and all namespaces (green coloured - not checked).
  • If you want to give the groups more/different permissions - maybe in different namespaces - you can select them manually, but if you do that, the other groups in the same hierarchy level lose that permission for the namespace you have chosen.

User permissions

User:

  • Read: lets the user view pages.
  • Edit: allows the user to edit unprotected pages.
  • Create page: allows the user to create new pages (edit permission is needed here).
  • Rollback: lets the user roll back the article with a click, restoring a previous version from another author. If this permission is activated, you can find the rollback button under History next to "undo" by the last change.
  • Import: allows the user to import an article from another wiki in one go (Transwiki).

Sysop:

  • Createtalk: allows the user to create a new talk page (edit permission is needed here).
  • Writeapi: controls access to the write API ($wgEnableWriteAPI must be set to true), this means commands can be given using this external interface.
  • Upload: allows the creation of new pictures and files, i.e. pictures and files can be uploaded.
  • Files: allows the user to view files which have been uploaded (needs secure:Image), e.g. unregistered users can not see word or PDF documents.
  • Delete: allows the user to delete pages (can be found under more).
  • Move: allows the user to change the title of unprotected pages (edit permission is needed here) via move (can be found under more).
  • Move-subpages: this moves subpages along with the main page to which they are assigned (move permission is needed here). If the user has this permission, subpages are automatically moved with main pages.
  • Protect: allows the user to lock a page preventing it from being edited or moved (protect can be found under more). Editing a protected page is possible for those with this permission.
  • Block: allows the user to block IP addresses and registered users. There are various block options including stopping a user from editing and from registering new accounts and automatic blocking of other users with the same IP address. This takes place via the special page Block user.
  • Createaccount: allows the user to create new accounts (via WikiAdmin - User manager).
  • Bigdelete: allows the user to delete pages which are larger than the limit $wgDeleteRevisionsLimit. The variable DeleteRevisionsLimit can be set up in advance.
  • Undelete: allows the user to restore deleted pages.
  • Editusercssjs: allows the user to create and edit their own Monobook style and scripts.
  • Markbotedits: lets the user mark a rollback as a bot edit.
  • Suppressredirect: allows moving a page without automatically setting up a redirect. A token can be placed when the page is moved.
  • Apihighlimits: gives a user a higher limit for API queries; this is a special permission to allow several actions to be carried out at once.
  • Browsearchive: allows the user to search for prefixes of titles of deleted pages via Special:Undelete.
  • Noratelimit: the user is not affected by rate limits.

See: User Rights

BlueSpice

WikiAdmin

| User permissions | Definition | User group |
| --- | --- | --- |
| editadmin | gives the user access to the module Search and, where appropriate, PageTemplates in the WikiAdmin area | sysop |
| useradmin | gives the user access to the module User and, if appropriate, Groups in the WikiAdmin area | sysop |
| wikiadmin | grants the user full access to the WikiAdmin area | sysop |

Responsible editor

| User permissions | Definition | User group |
| --- | --- | --- |
| responsibleeditors-changeresponsibility | lets the user change the responsible editors for a page. | sysop |
| responsibleeditors-viewspecialpage | lets the user see the overview of the responsible editors. | user |
| responsibleeditors-takeresponsibility | lets the user be assigned as a responsible editor for an article. | user |

SecureFileStore

| User permissions | Definition | User group |
| --- | --- | --- |
| viewfiles | lets the user download and/or view files which have been uploaded. | user |

ExtendedSearch

| User permissions | Definition | User group |
| --- | --- | --- |
| searchfiles | allows the user to search for files. Lets the user tick the extended search option Search files. | user |

Review

| User permissions | Definition | User group |
| --- | --- | --- |
| workflowview | lets the user view workflows | user |
| workflowedit | lets the user create, edit, change and delete workflows | sysop |

Shoutbox

| User permissions | Definition | User group |
| --- | --- | --- |
| readshoutbox | lets the user read commentaries made using the Shoutbox. | user |
| writeshoutbox | lets the user add comments to the Shoutbox | sysop |

Universal Export

| User permissions | Definition | User group |
| --- | --- | --- |
| universalexport-export | allows the user to create PDF files. | user |
| universalexport-export-with-attachments | allows the user to create PDF files with file attachments. | user |

MediaWiki Extensions

Flagged Revisions

| User permissions | Definition | User group |
| --- | --- | --- |
| review | lets the user review changes. | sysop |
| validate | lets the user validate changes. | - |
| autoreview | automatically marks those edits which a user has made themselves as reviewed | sysop |
| unreviewedpages | lets the user see the page Special:Unreviewed pages. | sysop |

Nuke

| User permissions | Definition | User group |
| --- | --- | --- |
| nuke | allows the user to delete articles en masse. | sysop |

Permission-templates

PermissionManager lets you make regularly recurring assignments easily by using permission templates, or roles, for example when you need to supply a new namespace with the relevant group permissions.

Create templates

To create a new role, click on "Admin" in the left hand navigation bar, choose "Permission manager", and then click on "Edit templates".

Add template

To add a new role, you can simply click the "New" button. Existing templates can be selected and then edited. The description is only for internal use for wiki admins. All permissions known to the wiki are listed here and can be selected and deselected.

Screenshot: Template editor of the permission managers

Assign group permissions

After saving, choose the groups that should be assigned the permissions of the role. A simple click on the desired namespace is enough to validate the role.

Preferences

Have a look at the admin preferences to define the PermissionManager.

Screenshots: Admin preferences

See also

Our reference page.
Watch now: Rights management (10:13)

In BlueSpice 3, roles were introduced as a way to manage user rights. The main intention of using roles is to simplify rights management.

Roles represent a collection of individual permissions that are necessary to perform certain functions on the wiki. For example, for a user who is supposed to only read the wiki, many permissions in addition to the "read" permission are needed: The ability to change their own settings, to search the wiki, to view page ratings, and so on.

All permissions that make up a logical group are encapsulated in a role, in this example the role "reader". If wiki admins want to grant read-only rights to a user group, they only need to assign that group the "reader" role, instead of assigning many individual permissions that are needed to create a "read"-user.

By assigning roles to a group, all users belonging to that group receive the rights of these roles. Roles are never assigned directly to users, but always to groups instead. Users are then assigned to one or more groups.

How users get their user rights

The roles matrix

The permission manager consists of the group tree (1) and the role matrix (2):

Associating groups with roles in namespaces

The group tree shows all existing groups:

  • Group "*": all non-logged-in (anonymous) users
  • Group "user": all logged-in users, the default group for all users
  • Subgroups of group "user": all groups that are defined on the wiki, either by default, by MediaWiki, or custom groups created by an administrator. System groups, created by MediaWiki, can be hidden by unchecking the "Show system groups" checkbox above the tree.


The columns in the role matrix are:

  • Role information (info icon): Clicking the icon shows all the permissions in a role. This list is exportable.
  • Role name
  • Wiki: Assignment of a role to the entire wiki. By assigning the role in this column, a user group gets permissions in this role on the wiki (all namespaces).
  • Individual namespaces: The following columns list every (applicable) namespace on the wiki.
    • Roles can be assigned to individual namespaces. For example, the group user can get the editor role only in the namespace Public. Users in this group cannot edit content in any other namespace. Granting a role to a particular group in a particular namespace means that all other groups will lose the permissions from this role, e.g. granting the role "reader" in the namespace "Private" to the group "sysop" means that users in any other groups won't be able to read pages in the "Private" namespace, even if they have the "reader" role granted on the wiki level ("Wiki" column).
    • The same role can be granted to multiple groups for the same namespace.
    • Additional namespaces can be added in the matrix by clicking on the arrow in table header, then "Columns". Then the namespaces can be selected.

Role inheritance

By default, all roles granted to the (*) group will be granted to the user group, and all roles granted to the user group are granted to its subgroups. If a group inherits a role from an upper-level group, the field is shown in the role matrix with a green background, but the checkbox is empty.
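
The inheritance rule and the namespace rule from the roles matrix combine in a way that is easy to misjudge before saving, so the following added example (not BlueSpice code, and not part of the original manual) models both and reports which groups would lose a role when a namespace checkbox is ticked. The group tree, the grant set and all function names are constructed for illustration, and the model assumes that a namespace-level assignment is inherited by subgroups in the same way as a wiki-level one.

```python
# Added model of the role matrix rules described on this page; not BlueSpice code.
WIKI = "Wiki"  # the matrix column that assigns a role for all namespaces

# Constructed group tree: child -> parent ("*" is the root, "user" holds the subgroups).
PARENT = {"*": None, "user": "*", "sysop": "user", "reviewer": "user", "bot": "user"}


def lineage(group):
    """Return the group followed by every group it inherits from."""
    chain = []
    while group is not None:
        chain.append(group)
        group = PARENT[group]
    return chain


def group_has_role(grants, group, role, namespace):
    """grants is a set of (group, role, column) checkboxes ticked in the matrix."""
    explicit = {g for (g, r, col) in grants if r == role and col == namespace}
    if explicit:
        # The role is assigned in this namespace column: only those groups (and
        # groups inheriting from them) hold it there; Wiki-level grants are ignored.
        return any(g in explicit for g in lineage(group))
    return any((g, role, WIKI) in grants for g in lineage(group))


def user_has_role(grants, user_groups, role, namespace):
    """Users get roles only through groups; any one of their groups is enough."""
    return any(group_has_role(grants, g, role, namespace) for g in user_groups)


def groups_losing_role(grants, new_grant):
    """Groups that hold the role in the namespace now but not once new_grant is saved."""
    _, role, namespace = new_grant
    after = grants | {new_grant}
    return sorted(
        g for g in PARENT
        if group_has_role(grants, g, role, namespace)
        and not group_has_role(after, g, role, namespace)
    )


# Constructed matrix state mirroring the two examples in the text.
GRANTS = {("user", "reader", WIKI), ("user", "editor", "Public")}

if __name__ == "__main__":
    proposed = ("sysop", "reader", "Private")
    print("lose reader in Private:", groups_losing_role(GRANTS, proposed))
```

Running the check before saving a namespace-level assignment shows the lockout the text warns about: every group other than the one being granted drops out of that namespace for the role.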

Default roles

By default, the Permission manager includes a number of predefined roles that serve most user needs. The individual permissions contained in a role can be seen by clicking the info icon in front of the role name. It opens a dialog with a permissions list for the role.
Screenshot: bot permissions

  • bot: exists to achieve recurring system actions. This role is assigned to the user BSMaintenance in BlueSpice via the group bot. The group bot should not be changed.
  • admin: Grants access to all administrative special pages and to all typical administrative features.
  • maintenanceadmin: Similar to the admin role, but with extended admin rights for maintaining wiki integrity.
  • author: all permissions necessary for creating content on the wiki. Editing, moving, or deleting pages is not possible.
  • editor: create content, edit and delete content.
  • reviewer: If you have activated the review function and, therefore, work with draft pages in a namespace, there must be at least one group with the role of reviewer. By default, the group “reviewer” is available for this purpose. Only users in the reviewer role can approve draft pages. Reviewers generally need read, write and review rights via the corresponding three roles of reader, editor and reviewer. However, if you have not activated the review function in any namespace, you do not need this role in your wiki.
  • accountmanager: enables the administration of user accounts. Since user accounts are managed independently of namespaces in the wiki, this role cannot be restricted to individual namespaces. Grayed-out namespaces have no meaning here as long as the role in the wiki itself is highlighted in green.
  • structuremanager: allows some actions for wiki maintenance such as moving pages, mass deleting pages or searching and replacing text, as well as renaming namespaces.
  • accountselfcreate: enables the automatic creation of new user accounts and is required for single-sign-on. You can assign this role, for example, to anonymous users who can create their own account.
  • commenter: allows the creation of discussion contributions and page ratings, but not of the pages themselves. The editor role includes all the rights of the commenter role. If a group has editor rights, it does not need special commenter rights.
  • reader: Basic read access. Users can also edit their personal settings.

Important! The default roles and related permissions are different in the BlueSpice pro Cloud permission manager.


Technical info

Logging

Every change to the roles is logged in Special:Log, in the Permission Manager log. These logs are available only to wiki administrators (users in groups with the role admin).

Configuration

All changes to the role matrix are backed up. By default, the last 5 backups are kept. This limit can be changed in Config manager, under extension BlueSpicePermissionManager.

  • Backup limit: Sets the number of backups for the permissions manager. Each time the page Special:PermissionManager is saved, a backup is created. If the backup limit is set to 5, the last five versions of the permissions configuration are saved as backups.

