BlueSpicePermissionManager

What is BlueSpicePermissionManager?

BlueSpicePermissionManager offers easy and user-friendy way to manage user permissions on the wiki.

Where to find BlueSpicePermissionManager

BlueSpicePermissionManager is available from the left navigation, under "Global actions" tab, under the section "Management", or by navigating directly to Special:PermissionManager

Using the BlueSpicePermissionManager

The role system

Since BlueSpice version 3.0, roles, as a way to manage wiki rights, are introduced. The main intention of using roles is to simplify rights management and make it more straigh-forward. Roles represent a collection of individual permissions that are necessary to perform certain function on the wiki. For example, for a user who is supposed only to be able to read the wiki, many permissions in addition to the "read" permissions are needed, like ability to change own settings, be able to search the wiki, view page ratings... All those permissions that make a logical group, are encapsulated to a role, in this example to the role "reader". This way, if wiki admins want to grant ability to have read-only rights on the wiki to a user group, they only need to assign that group "reader" role, instead of assigning tens of different rights, which would such user group require.

Other functions on the wiki would also rights required for them encapsulated in a role.

By assigning role to a group, all users belonging to that group will receive rights contained in the role.

BlueSpicePermissionManager, since version 3.0, allows managing role assignment, instead of permission assignment as was the case in previous versions.

Default roles

By default BlueSpicePermissionManager offers a number of pre-defined roles that are created to serve most of the user needs on the wiki:

• bot - role that should be typically assigned only to the "bot" group.
• admin - role that contains all available rights, and should be assigned only to wiki-admin groups.
• maintenanceadmin - very similar to "admin" role, used for user groups that are responsible for maintaining wiki integrity
• author - this role contains all permissions necessary for creating content on the wiki.
• editor - role meant for user groups that are able to not only create own content, but to edit, create reviews and delete all content of the wik
• reviewer - role that allows users to perform all reviewing actions on the wiki
• accountmanager - role means for users that will manage user accounts
• structuremanager - this role allows users to manage the structure of the wiki - move (rename) pages, create and delete namespaces...
• reader - role that allows basic read-only access to the wiki
• accountselfcreate - this role must be assinged to the "*" groups, in order to allow users to create user accounts by themselves
• commenter - role for users that cannot create and edit content, but can comment on the existing content

Layout of BlueSpicePermissionManager

Adding namespaces to the role matrix

BlueSpicePermissionManager consists of:

• the group tree on the left - showing all the groups available on the wiki in the hierarchy.
  • Group "*" - all non-logged-in users (anonymous) users belong to this group
  • Group "user" - all logged-in users belong to this group. This is the default group for all users on the wiki, every user belongs to this group by default
  • Subgroups of group "user" - all groups that are defined on the wiki, eiter by default, by MediaWiki, or custom groups created by the wiki admins. System groups, created by MediaWiki, can be hidden by unchecking "Show system groups" checkbox above the tree.
• Role matrix - table showing namespaces in columns and roles in rows

Role matrix

Viewing permissions contained in a role

The columns in the role matrix are:

• Role information column - represented by an info icon. Clicking on this icon opens a dialog listing all the permissions contained in a particular role. The list shows permission names and short description. This list is exportable.
• Role name
• "Wiki" column - this column represents assignment of a role to the entire wiki. By assigning the role in this column, user group will receive permissions in the role everywhere on the wiki (all namespaces).
• Individual namespaces - Following columns represent every (applicable) namespace on the wiki.
  • Roles can be assigned to only certain namespace, eg. group "user" can be granted role "editor" only in namespace "Public", in order to be able to edit only pages in this namespaces. By granting a role to a particular group in a particular namespace, means that all other groups will lose permissions from this role, eg. granting role "reader" in namespace "Private" to group "sysop" means that all users in any other groups won't be able to read pages in "Private" namespace, even if they have "reader" role granted on the wiki level ("Wiki" column).
  • Same role can be granted to multiple groups for the same namespace.
  • Which namespace will appear in the matrix can be controlled by adding column to the grid, by clicking on the arrow in table header, then "Columns" and selecting desired columns.

Role inheritance

By default, all roles granted to "*" group will be granted to "user" group, and all roles granted to "user" group will be granted to all of the groups that are a sub-group of the group "user". If a group inherits the role from upper-level group field in the role matrix will be shown in green, but the checkbox won't be checked.

Technical

Logging

Every change to the roles is logged in the MediaWiki log book, found under Special:Log under Permission Manager log type. These logs are availble only to wiki administrators (users in groups that have "admin" role granted).

Backups

All changes to role matrix is backed-up. By default, last 5 backups are being kept. This limit can be changed in BlueSpiceConfigManager, under configs for extension BlueSpicePermissionManager.

See also

Reference page for this extension.