Implementing permissions across multiple user groups

Implementing permissions across multiple user groups

Paul B

XenForo moderator
Staff member
Brogan submitted a new resource:

Implementing permissions across multiple user groups (version 1.0) - How to make best use of the cumulative permission function.

Having logged in to quite a few installations to resolve permission issues, it's clear that a lot of people haven't quite grasped the concept.

So here are a few pointers:

1. All members should have the Registered user group as their primary group - that includes moderators, administrators and super administrators. Like so:​

Read more about this resource...
 
Brogan thank you this is very helpful as I am redoing my permissions now I understand better.

Your system makes Registered a default set of permissions for all members, which makes good sense.
It seems to me it would be very helpful under your system to have a display of these default/ Registered permissions on all other usergroups. Not as a column to edit just for the info to compare.
Permissions.webp

This makes it easy to see where I don't need to add permissions to a secondary group because they are already there.
My workaround when is to have two tabs open, one with the Registered group, and the other the group I'm editing/ creating. But it's tedious to keep going backwards and forwards to check.

I don't understand the notifications override above the permissions stack.
Permis-notifications.webp
Of course I understand this is a global override. But I don't know where a usergroup can have notifications enabled per usergroup so this is relevant?
 
It seems to me it would be very helpful under your system to have a display of these default/ Registered permissions on all other usergroups.
I spoke to Mike about that a while ago and proposed this:
permissions.webp

Not sure yet whether it will make it into a future release or not.

I don't understand the notifications override above the permissions stack.
That looks to be from an add-on.
 
Yours looks good but that only shows us from the perspective of a node.
I think a comparison in the usergroup editor as I have shown, would be equally useful.
 
I have the new structure as advised with all my members Primary as Registered.
That means only being able to view content (and Conversation with one other member)

I made a new usergroup ACTIVE which adds the standard abilities to post, create, edit and Conversation functions.
This will be what I manually add to a self registered member if I approve them.
The other secondary usergroups just affect access to some areas, or change the user's displayed title based on location or offline issues in our community - this is all manual allocation to additional secondary usergroups by me.

Then there's a Sleeper secondary usergroup which isn't active on the board - it really matches Registered: view titles not content. But the displayed title is Sleeper.

All my members should be either ACTIVE (able to do stuff) or Sleeper (gone latent).

I went through them all changing to the new system so all members Primary usergroup is Registered (view only, no view on content)
then ACTIVE overrides that.
But one poor member didn't get the crucial tick on ACTIVE to enable post, , edit etc.
I got a worried message asking me what's up ... Now I'M worried if I missed anyone else.

I really don't want to plod through all those accounts again individually checking that they all have ACTIVE or Sleeper so how do I check that?
Ive looked around for a check or search on members and can't find any. All I can do is select one or other, or both usergroups to search on. There's no way to get a list of members NOT in a usergroup or set of usergroups.
 
Brogan I set the user group to Registered User and selected the additional permission group which has it's own color. However it's showing the primary user groups color (Registered User). I'm I doing something wrong?
 
To be honest... I didnt have much issue with this. We don't it like this either...

Registered is for default users, We use "Member" for the private area + registered access
 
I'm again in need for your help Brogan;

In certain forums the member who belongs to the "Registered" member group should not have the permission to open threads. So the way I did it I set "Never" for the "Registered" group to open thread at the node level:

caps1.webp

Now I can't open threads in this node either since I belong to the same group (I gave my user group permission to open a thread)

post-new-thread.webp

I'm obviously doing something terribly wrong.
 
I'm again in need for your help Brogan;
...

Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.

Instead you should edit the node permissions and restrict only those forums:

Admin CP -> Applications -> Display Node Tree -> Permissions

Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.
 
Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.

Instead you should edit the node permissions and restrict only those forums:

Admin CP -> Applications -> Display Node Tree -> Permissions

Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.

I was hoping to avoid that because there is only one user group that has not permission to open threads, the rest of the user groups can. I will have to give 8 user groups multiplied by 100 nodes permission to open threads :(
 
I'm again in need for your help Brogan;

In certain forums the member who belongs to the "Registered" member group should not have the permission to open threads. So the way I did it I set "Never" for the "Registered" group to open thread at the node level:

View attachment 28662

Now I can't open threads in this node either since I belong to the same group (I gave my user group permission to open a thread)

View attachment 28665

I'm obviously doing something terribly wrong.

As Brogan said, NEVER use NEVER.
Administrators are Registered, so you've set things up such that no registered members can posts.
 
Never overrides everything. That literally means that members of the Registered group will never have that permission regardless of allowances in other groups or nodes.

Instead you should edit the node permissions and restrict only those forums:

Admin CP -> Applications -> Display Node Tree -> Permissions

Set Revoke for the Registered group, and Allow for the Admin group. That will accomplish the desired result.
Is there a way to have sub-groups? Trying to reduce my permission checks...
 
Is there a way to have sub-groups? Trying to reduce my permission checks...

Sure. You can create a new group and put people in it. That way you don't have to Revoke + Allow like you do with the default Registered group (of which everyone is a member).
 
Sure. You can create a new group and put people in it. That way you don't have to Revoke + Allow like you do with the default Registered group (of which everyone is a member).
Right, I have about 20 groups as is... no one stays in default, I dont think...
 
So what if you have many secondary usergroups?
If you use 'registered users' as the base.
Then the real usergroup as secondary.
And then 'subscribing member' also as additional.
Then how do the permissions of the additional groups override each other?
 
Top Bottom