What are access groups?
Access groups allow you enable and disable access to any number of administration tools for an entire group, which means if you could create a staff access group, and any members you add to this group would inherit all the rights of the group. Additionally, members can belong to any number of access groups.
Further, access groups can be configured as "system access groups", which are access groups Theia is told to use for different conditions, for everyone - regardless of whether they belong to the access group. To manage the system access groups, load up the "tooks" page and look under the "security settings" area for a tool reading "control system access groups" (admin tool 115).
On a fresh installation, only a few of the "system access groups" will be configured by default. For example, the "item owners" system access group should already be set up for you. What this does is applies the rights of the access group associated with it, for everyone who owns and item, on a restrictive scope. What this means is, everyone gains any rights outlined in the "item owners" access group, but these rights can only be applied to items they own. In other words, if the "item owners" system access group allows for editing items or tagging items, it will merely mean that the item owner can edit or tag THEIR OWN items, as this system access group is applied on a restrictive level.
The same thing applies to the "section moderators" system access group; any permissions provided within its setup are given to any members automatically, whenever they moderate a section, but on a restrictive scale (meaning, any item management permissions enabled in the access group will only be applied for items within the moderator's sections).
The following system access groups operate restrictively:
- section owners
- section moderators
- item owners
Additionally, you do not need to manually assign any members to any of the above access groups, as they the nature of their behavior means they will automatically be applied when relevant. If you do assign any member to any of the above groups manually, then it will mean that they inherit all of the permissions on a GLOBAL scope as well.
Setting permissions for all members
If you want to give all members of your site certain permissions, that are otherwise required by default, then there is an easy way to do this!
The process basically involves two things:
- First you will need to create the access group itself, as this is not setup on a fresh installation. Look below to see how to create an access group,
- After the access group is created, remember its ID (this is displayed when managing the access list), and go back to the "control system access groups" (admin tool 115) and make sure that ID is entered for the "members" system access group.
Whatever you have set for the "members" system access group means every member of your site will have those permissions on a global scale, so use it with caution.
Setting permissions for everyone
If you want to give everyone who accesses your site (and this includes guests) certain permissions, that are otherwise required by default, then there is an easy way to do this, and it involves the same exact two step process as with giving all members certain permissions.
- First you will need to create the access group itself, as this is not setup on a fresh installation. Look below to see how to create an access group,
- After the access group is created, remember its ID (this is displayed when managing the access list), and go back to the "control system access groups" (admin tool 115) and make sure that ID is entered for the "everyone" system access group.
Remember that whatever you have set for the "everyone" system access group means every single person who goes to your site will have those permissions on a global scale, so use it with extreme caution, as only certain tools should ever be given to guests.
Create an access group
To create an access group, locate the "set access priveleges" tool (admin tool 999) under "security settings" in "tools".
On the first page are two links; click the first one reading set group access privileges".
On the second page are three areas: manage, create and delete. For the create area, enter in any name you want to use for the new access group. For this example, let's say we are calling it "members".
After clicking the make new access group button, the page will reload, with the new access group already selected for both the manage and delete areas.
Managing an access list
When you have the access group selected, click the next... button in the create area and you will be brought to a really long form with every permission available in Theia.
WARNING: be very careful with these permissions. Some of them can be very dangerous in the wrong hands. Pay attention to what you are enabling so you don't make any mistakes, and if you are unsure on what something does, consult the documentation first. Additionally, it is strongly encouraged to only reserve admin permission 999 for a single admin user, although how you run your site is up to you.
All of the other system access groups operate globally (including those you create yourself).
For instance, any permission set in the "administration" system access group will provide any users assigned to it complete global access for content anywhere on the site.
