XF 1.4 Hierarchy of Permissions and Fora (Forums)

[Steve Freides]

I have looked at the help on Permissions - I get it, sort of, but need help implementing a hierarchy.

In the organization our forum serves, most of the forums are open to the public. The Nodes and Forums are arranged according to content.

Our organization has "Leadership" which consists of a hierarchy of 5 ranks. Let's call them

UN President (world)

President (country)

Governor (state)

Mayor (city)

Borough President (part of the city)

I need to have a forum structure so that each of the above groups has its own forum, and each can see their own level and below, but not above. E.g., Governors can see that group, and Mayors, and Borough Presidents, but not the two levels above them.

The idea is that I would put each member into the appropriate group and that would handle all the permissions, and that each member only has to go into the group that represents their level in the leadership structure.

I'm not quite sure how to handle this - would one forum be a sub-sub-sub-sub forum, which end would be up, do I need a separate node for each or just a separate forum? I already have the group structures in place, but not the forum nodes and forums. A separate Node for each level would give me the option to have multiple fora in each level but I don't necessarily need that.

Thank you yet again for your guidance as I learn how to do all this.

-S-

 

[Ingenious]

I have similar and do it by creating a private forum for each forum/node and a corresponding secondary user group for each one with no permissions set, but the node permissions grant view access for that secondary user group. Then just tick secondary user groups to add or remove members accordingly to that group and give them access. So you'd start by ticking "Borough President" at the lowest level for that user then add additional user groups as you promote them. You can fine tune access for any combination of private forums this way and easily list who has access to what using search users by secondary group, as well as implementing promotions if you want to.

This is a lot easier than it sounds.

 

[Steve Freides]

So using my example, the UN President would be a member of all 5 groups?

-S-

 

[Ingenious]

Yes - they'd have all 5 secondary groups ticked.

This approach has the advantage that any combination of unique access can be done for each user. So let's call the usergroups A, B, C, D and E. You'd add them first by ticking A, then AB, then ABC etc to end up with ABCDE ticked. Here's the thing though, for each user you can fine tune it, maybe not so important in your case but you could have ABE or AE or CDE, so it's completely flexible.

On VBulletin I used to struggle with having different usergroups for different combinations of access and once you get more than a few permutations it gets so complicated. With XF's approach using secondary usergroups, each group simply defines a new permission or a new private forum and you tick/untick as required.

So here the idea is that access is cumulative in terms of adding new secondary groups.

However, it's not the only way to do this, I'm sure there will be other suggestions.

 

[Steve Freides]

I see. Thank you.

I was hoping to do this through inheritance of some sort, since my will always be strictly hierarchical. E.g., create a group of Borough Presidents, have Mayors inherit from that, have Governors inherit from Mayors, etc. I wasn't sure if this inheritance should be at level of the group or the forum or what, though.

I was also hoping that keeping each person in a single group rather than up to five groups, would make handle the on-screen label under their avatar easier as well, e.g., I don't want to see that a Mayor is a Borough President because he's not.

I'm still hoping there's a neater way to do this - your solution sounds good for your situation, and like it would work for mine but I'm hoping for something more elegant in terms of hierarchy and inheritance of permissions.

-S-

 

[James]

The best way would be as above. Have 5 different groups with 5 levels of access and then assign all 5 groups to the UN president, 4 to president etc.

Each group has access to the relevant node level for that group and then by having all 5 groups you'll have access to all 5 nodes. Remember that when setting permissions for these 5 groups you only need to set the permissions for the node and leave the rest as not set (no) as they will be inherited by the other registered/mod/admin group whatever they're assigned to.

 

[James]

I was also hoping that keeping each person in a single group rather than up to five groups, would make handle the on-screen label under their avatar easier as well, e.g., I don't want to see that a Mayor is a Borough President because he's not.

I'm still hoping there's a neater way to do this - your solution sounds good for your situation, and like it would work for mine but I'm hoping for something more elegant in terms of hierarchy and inheritance of permissions

You are able to create 5 groups and then assign the UN President user group to all and the President user group to 4 and so on and then just add to one group but that's not how the permissions were intended to be used.

 

[Ingenious]

Steve, as James says above, you could do this with five groups, each one a promotion, so people end up in one and only one additional group. But you're so rigidly fixed then and it's not future-proof. Using a secondary group for each additional private forum achieves the same thing and gives you much more flexibility in giving people custom access.

I think we have a tendency to be a bit frightened of lots of secondary groups, because we think a single group is simpler. But actually, secondary groups are a genius way of making complex permissions simple, because from an admin point of view, you just tick/untick as required.

There are settings to determine priority too when it comes to user titles etc.

 

[Steve Freides]

Thanks, folks. Things to think about. This isn't something where "custom" access would ever happen. It's a ranking system and you are what rank you are. Custom access could always be done on an individual level, anyway, I'd think.

We have a test area - I will experiment and see what I can figure out.

-S-

 

[James]

I realise you have a preference but consider the following guides first:
https://xenforo.com/community/resources/implementing-permissions-across-multiple-user-groups.358/
https://xenforo.com/help/permissions/

 

[Steve Freides]

James, I have read both of those links already (but I don't mind the reminder and just looked at both again).

Am I correct in understanding that only a Node can inherit, and from the Node above it, and that this concept of inheritance does not exist on the User Group level?

-S-

 

[James]

User groups cannot inherit as they aren't hierarchical. You assign the groups based on the permissions you want the users to have (unless you go against the grain and set them up as I mentioned above). Either way, your permissions can be set up the recommended way or the old vBulletin way, but you may find debugging easier in future if you set up the recommended way.

Child forums do inherit from their parent unless their child permissions have been explicitly changed from that of their parent.

 

[Steve Freides]

I will play in our test area and report back on how it goes.

Thank you very much.

-S-

 

[Harvey]

Child forums do inherit from their parent unless their child permissions have been explicitly changed from that of their parent.

If you want no new posts in the parent, but posting allowed in all the children, how do you do it? For Registered users, not not Admins.

Registered User Group

Parent > Create New Post > Yes
Child > Create New Post > No

Doesn't seem to do it.

Sorry if this is the wrong place to post this.

 

[James]

If you want no new posts in the parent, but posting allowed in all the children, how do you do it? For Registered users, not not Admins.

Registered User Group

Parent > Create New Post > Yes
Child > Create New Post > No

Doesn't seem to do it.

Sorry if this is the wrong place to post this.

You need to switch. Child yes parent no. I haven't touched an XF install for a long time but logic dictates this would be the obvious solution - apologies if it's not.