Implementing permissions across multiple user groups

How to make best use of the cumulative permission function.

Brogan

XenForo moderator
Staff member
#1
Brogan submitted a new resource:

Implementing permissions across multiple user groups (version 1.0) - How to make best use of the cumulative permission function.

Having logged in to quite a few installations to resolve permission issues, it's clear that a lot of people haven't quite grasped the concept.

So here are a few pointers:

1. All members should be in the Registered group as their Primary - that includes moderators, administrators and super administrators.

2. Set the Registered user group to the minimum permissions you want all members to have. Set those permissions you want them to have to Allow, leave everything else at Not...
Read more about this resource...
 

Morgain

Well-known member
#2
Brogan, thank you. This is very helpful, as I am redoing my permissions now I understand better.

Your system makes Registered a default set of permissions for all members, which makes good sense.
It seems to me it would be very helpful under your system to have a display of these default/ Registered permissions on all other usergroups. Not as a column to edit just for the info to compare.
Permissions.png

This makes it easy to see where I don't need to add permissions to a secondary group because they are already there.
My workaround is to have two tabs open, one with the Registered group, and the other the group I'm editing/creating. But it's tedious to keep going backwards and forwards to check.

I don't understand the notifications override above the permissions stack.
Permis-notifications.png
Of course I understand this is a global override. But I don't know where a usergroup can have notifications enabled per usergroup so this is relevant?
 

Brogan

XenForo moderator
Staff member
#3
> It seems to me it would be very helpful under your system to have a display of these default/ Registered permissions on all other usergroups.
I spoke to Mike about that a while ago and proposed this:
permissions.png

Not sure yet whether it will make it into a future release or not.

> I don't understand the notifications override above the permissions stack.
That looks to be from an add-on.
 

Morgain

Well-known member
#4
Yours looks good but that only shows us from the perspective of a node.
I think a comparison in the usergroup editor as I have shown, would be equally useful.
 

Morgain

Well-known member
#6
I have the new structure as advised with all my members Primary as Registered.
That means only being able to view content (and Conversation with one other member)

I made a new usergroup ACTIVE which adds the standard abilities to post, create, edit and Conversation functions.
This will be what I manually add to a self registered member if I approve them.
The other secondary usergroups just affect access to some areas, or change the user's displayed title based on location or offline issues in our community - this is all manual allocation to additional secondary usergroups by me.

Then there's a Sleeper secondary usergroup which isn't active on the board - it really matches Registered: view titles not content. But the displayed title is Sleeper.

All my members should be either ACTIVE (able to do stuff) or Sleeper (gone latent).

I went through them all changing to the new system so all members Primary usergroup is Registered (view only, no view on content)
then ACTIVE overrides that.
But one poor member didn't get the crucial tick on ACTIVE to enable post, edit etc.
I got a worried message asking me what's up ... Now I'M worried if I missed anyone else.

I really don't want to plod through all those accounts again individually checking that they all have ACTIVE or Sleeper so how do I check that?
I've looked around for a check or search on members and can't find any. All I can do is select one or other, or both usergroups to search on. There's no way to get a list of members NOT in a usergroup or set of usergroups.
 

yavuz

Well-known member
#7
Brogan, I set the user group to Registered User and selected the additional permission group which has its own color. However, it's showing the primary user group's color (Registered User). Am I doing something wrong?
 

Kainzo

Active member
#10
To be honest... I didn't have much issue with this. We don't do it like this either...

Registered is for default users. We use "Member" for the private area + registered access
 

yavuz

Well-known member
#11
I'm again in need for your help Brogan;

In certain forums the member who belongs to the "Registered" member group should not have the permission to open threads. So the way I did it I set "Never" for the "Registered" group to open thread at the node level:

caps1.jpg

Now I can't open threads in this node either since I belong to the same group (I gave my user group permission to open a thread)

post-new-thread.png

I'm obviously doing something terribly wrong.
 

Jake Bunce

XenForo moderator
Staff member
#12
> I'm again in need for your help Brogan;
> ...
Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.

Instead you should edit the node permissions and restrict only those forums:

Admin CP -> Applications -> Display Node Tree -> Permissions

Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.
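
The difference between the Never setup from post #11 and the Revoke + Allow setup from post #12, as a simplified model (an added example, not part of the thread and not XenForo's own code). The precedence order in `can()`, the permission key `post_thread` and the `Supporter` group are assumptions made for illustration; the sample data is constructed.

```python
from enum import Enum

class Perm(Enum):
    NOT_SET = "not set"
    ALLOW = "allow"
    REVOKE = "revoke"   # node level only
    NEVER = "never"

P = "post_thread"  # hypothetical permission key

# Constructed sample data: group-level permissions, cumulative across groups.
GROUP_PERMS = {
    "Registered": {P: Perm.ALLOW},
    "Admin": {P: Perm.ALLOW},
    "Supporter": {P: Perm.ALLOW},   # hypothetical secondary group
}

# Everyone has Registered as a group, staff included.
USERS = {
    "member": ["Registered"],
    "admin": ["Registered", "Admin"],
    "supporter": ["Registered", "Supporter"],
}

# Node-level settings for one restricted forum.
NODE_NEVER = {"Registered": {P: Perm.NEVER}}                            # post #11
NODE_REVOKE = {"Registered": {P: Perm.REVOKE}, "Admin": {P: Perm.ALLOW}}  # post #12

def can(groups, node_perms, perm=P):
    """Resolve one permission for a user (all of their groups) in one node."""
    glob = {GROUP_PERMS.get(g, {}).get(perm, Perm.NOT_SET) for g in groups}
    node = {node_perms.get(g, {}).get(perm, Perm.NOT_SET) for g in groups}
    if Perm.NEVER in glob | node:
        return False               # Never in any one group overrides everything
    if Perm.ALLOW in node:
        return True                # node-level Allow beats node-level Revoke
    if Perm.REVOKE in node:
        return False               # Revoke cancels an Allow inherited from groups
    return Perm.ALLOW in glob      # cumulative: one Allow in any group is enough

def audit(node_perms):
    """Effective result per sample user for the given node settings."""
    return {name: can(groups, node_perms) for name, groups in USERS.items()}

if __name__ == "__main__":
    for label, node in [("Never on Registered", NODE_NEVER), ("Revoke + Allow", NODE_REVOKE)]:
        print(label, audit(node))
```

Under this model the `supporter` user stays blocked in the Revoke setup until that group gets its own node-level Allow, because Registered's Revoke applies to every member.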
 

yavuz

Well-known member
#13
> Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.
>
> Instead you should edit the node permissions and restrict only those forums:
>
> Admin CP -> Applications -> Display Node Tree -> Permissions
>
> Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.
I was hoping to avoid that because there is only one user group that does not have permission to open threads; the rest of the user groups can. I will have to give 8 user groups multiplied by 100 nodes permission to open threads :(
 

Digital Doctor

Well-known member
#14
> I'm again in need for your help Brogan;
>
> In certain forums the member who belongs to the "Registered" member group should not have the permission to open threads. So the way I did it I set "Never" for the "Registered" group to open thread at the node level:
>
> View attachment 28662
>
> Now I can't open threads in this node either since I belong to the same group (I gave my user group permission to open a thread)
>
> View attachment 28665
>
> I'm obviously doing something terribly wrong.
As Brogan said, NEVER use NEVER.
Administrators are Registered, so you've set things up such that no registered members can post.
 

Kainzo

Active member
#17
> Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.
>
> Instead you should edit the node permissions and restrict only those forums:
>
> Admin CP -> Applications -> Display Node Tree -> Permissions
>
> Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.
Is there a way to have sub-groups? Trying to reduce my permission checks...
 

Jake Bunce

XenForo moderator
Staff member
#18
> Is there a way to have sub-groups? Trying to reduce my permission checks...
Sure. You can create a new group and put people in it. That way you don't have to Revoke + Allow like you do with the default Registered group (of which everyone is a member).
 

Alfa1

Well-known member
#20
So what if you have many secondary usergroups?
If you use 'registered users' as the base.
Then the real usergroup as secondary.
And then 'subscribing member' also as additional.
Then how do the permissions of the additional groups override each other?