Implementing permissions across multiple user groups

Implementing permissions across multiple user groups

Overview Updates (4) Reviews (36) Discussion
Permissions are cumulative, there is no hierarchy across user groups.

Never overrides Allow, which overrides Not Set (No).


Permission Value Priority

Each permission may be set to a different value. If a user is in multiple groups or has specific permissions set, this may cause multiple conflicting values for a permission. For example, a user may have both not set (no) and allow for the view node permission, so what takes priority?
Permission value priority is set in this order: (highest priority first)
  1. Never – this will not grant the permission. This can never be overridden, so should be used sparingly.
  2. Allow – this will grant the permission.
  3. Not Set (No) – this will not grant the permission. This is the lowest priority value; any explicit allow will override this.
Thus, if a user has not set (no) and allow for a permission, the final value will be allow. The Test Permissions system can help confirm that permissions are set correctly.
Note that the permission terminology is slightly different for node permissions.

http://xenforo.com/help/permissions/
 
Reading more into this. I know I'm doing something wrong, just trying to grasp it and I feel infantile haha.
 
Does this help?

permissions.webp

That is how the permissions are set up on my site.

Members of just the Registered group can't edit their signature and posts are moderated.
When they are added to the Verified group as well as the Registered group, they can then post without being moderated.
Members of all three groups have all of the permissions in green.

You only need to set the base permissions in the Registered group, which all members will have all of the time.
Then add to them with other groups.

Would it surprise you to know that the Administrative group on my site is all default?
Administrators get all the permissions they need from other groups they are members of.
 
Brogan said:
Does this help?

View attachment 42792

That is how the permissions are set up on my site.

Members of just the Registered group can't edit their signature and posts are moderated.
When they are added to the Verified group as well as the Registered group, they can then post without being moderated.
Members of all three groups have all of the permissions in green.

You only need to set the base permissions in the Registered group, which all members will have all of the time.
Then add to them with other groups.

Would it surprise you to know that the Administrative group on my site is all default?
Administrators get all the permissions they need from other groups they are members of.
Click to expand...
hmm k then I definitely did something wrong.

I have it set up like this. "Most" everyone is a member of the Registered users group. So everyone generally keeps that. I cloned the registered group and also made a group called "Herocraft Members" so they can have access to a special area in the forums that registered cant see. There's a lot less "members" than registered.
 
Brogan said:
Put them all in Registered as the default and go from there.
Click to expand...
Is there a query I can run? this will take some time to convert 1000+ members....
Also - I can add them all to registered, thats fine... but what will that change without changing up other things?
Still trying to grasp it!
 
It can't be done with queries due to permission sets.

I can't really explain it any more than I have - permissions are cumulative - build on the base set with other groups.
 
Brogan said:
It can't be done with queries due to permission sets.

I can't really explain it any more than I have - permissions are cumulative - build on the base set with other groups.
Click to expand...
K, just one last question...

Everyone should be in "Registered"
If someone has purchased membership to access the VIP area - I would simply add them to VIP group and keep them in Registered.
There's no way for VIP to inherit Registered and adding them both groups would be the right thing to do, correct?
 
Correct.

Just make changes to the VIP user group to add to the permissions they already have from the Registered group.
 
Brogan said:
Correct.

Just make changes to the VIP user group to add to the permissions they already have from the Registered group.
Click to expand...
Okay, that's what I have by default. I'll just need to clear up the Member group to also have them in the Registered and not set explicit / same permissions between Members and Registered like I have.

I think I understand this a bit better and probably was reading into it more than necessary.
 
As I understand usergroup promotions add a user to the promoted usergroup as a secondary group. This way additive permission work flawlessly. My question is how do I implement this on a migrated forum where the users are only part of one usergroup?
 
I don't understand the question.
By migrated forum do you mean imported?

If the members satisfy the criteria for the promotion(s) they will be promoted and added to the relevant user group(s).
 
Yes imported. Let's say a user is part of user group 'promoted' as imported from VB.

Registered users have permissions A, B, C and D.
Promoted group has only E as per the permissions layering system and is supposed to inherit the Registered permissions.

So in that case user will not have permissions for task A, B, C and D because he is only part of 'promoted' user group.
 
Renegade said:
Yes imported. Let's say a user is part of user group 'promoted' as imported from VB.

Registered users have permissions A, B, C and D.
Promoted group has only E as per the permissions layering system and is supposed to inherit the Registered permissions.

So in that case user will not have permissions for task A, B, C and D because he is only part of 'promoted' user group.
Click to expand...

AFAIK it's a flaw in the importing concept, considering the different way usergroup permissions are applied in XF.

I have around ten custom usergroups in my vB install; these are all primary usergroups for members who belong to them. Using the standard vB importer in XF would replicate the usergroups and the primary usergroups migrated users belong in. That causes the issue you're describing - most of my members would not even belong to the registered usergroup, hence the whole idea of additive permissions wouldn't work.

Hence I decided to remap old primary usergroups from my vB install to new secondary usergroups in XF and migrate vB users accordingly. That required some editing of the vBulletin importer script.
 
Thanks for your reply AlexT. Now if someone can tell me how to go about it AFTER the import. One possible way that I can think of is deleting the old usergroup and then creating new usergroup along with promotion settings. This will be really painful as the promotion takes place after some time of logging in and by then the members will go berserk.
 
Very useful! I took the liberty and combined the permission tables provided by Brogan for better understanding:
Xenforo User Group Permission.webp
 
You must log in or register to reply here.

Similar threads

O
  • Suggestion Suggestion
Lack of interest Change permissions for multiple user groups at the same time
Replies
1
Views
780
James
J
Top Bottom