tags:

views:

807

answers:

8
+9  Q: 

Common CMS roles and access levels

I am currently writing a CMS and remember someone (it might have been on here) criticise the existing CMS for not having a robust enough user permissions system. I've got a method planned out but it I feel it has fallen into the usual trap of being a bit too fine-grained which makes understanding and implementing it a horror for end users.

I think having a range of default user roles with permissions would be the answer to this, so I suppose my question is this:

What are the default roles you would like to see in a CMS and what sort of permissions would be associated with these?

Thanks in advance!

+8  A: 

Have you researched existing solutions like RBAC? Whilst such a system would most likely be complete overkill for the particular nut you're trying to crack it would at least help to boost confidence that you're on the right track.

That aside, the general roles I'd expect would be along the lines of:

Administator - Total control of the system, can view logs (as you should be logging all changes), etc. plus...

Publisher - Can put content live plus...

Author - Can create content

However, how these roles are applied across the system is where things get tricky, as a specific user would presumably have different rights to different content areas/modules.

middaparka  2009-07-28 12:18:58
did you forget the 'moderator', who can control the users?
DaNieL  2009-12-11 06:28:30
Who moderates the moderators? ;)
Meep3D  2009-12-12 14:11:20
Jon Skeet? ;) .
MaxVT  2009-12-14 07:31:28
+1  A: 

Administrator - can create users + all below

Editor - can edit posts of others + all below

Author - can write posts, edit own posts

dusoft  2009-07-28 12:22:37
It's depends on CMS and requirements. I will add one more below Administrator -> Designer - can change layouts\templates + all below.
dario-g  2009-07-29 13:59:16
+8  A: 

This is the "best practice" I have ended up with in most projects and am very happy with:

1. Roles

When it comes to roles, I recommend great flexibility, i.e. the ability to create and define user accounts and groups freely (roles like "contributor", "manager" etc. are not hard-coded, but put into a configuration file that can be changed per application). The role configuration is unaccessible to the user, but the engine itself should be free from hard-coded roles.

2. Rights

Rights is where things need to be easy to understand and implement.

I have made very good experiences working with, and checking against, very fine-grained rights on the code / API level:

  • see
  • view
  • edit
  • change name
  • rename
  • delete
  • move
  • change rights
  • etc.

but the user never sees those. For them, they are grouped into a very small number of "right groups":

  • Read Only
  • Edit
  • Administer = Move, rename....

The user never sees the "move" right, but only the "Administer" rights group.

That way, you retain the full power of fine-grained rights in your code for the future - you can, for example, easily accommodate for a rule like "interns must be able to edit pages, but not be able to change their titles, nor to delete them", adding a valuable asset to the CMS. For the end user, this functionality remains invisible, and the rights system easy to use.

Pekka  2009-12-07 15:31:19
+4  A: 

For most applications, so I think it'll be true for CMSs as well, my customers usually prefer a rights-oriented approach. Here is how it goes :

  1. You list the main actions. In your CMS that would be : Create and edit content; Delete content; Classify/categorize content; Validate content; Publish content; Manage users; Etc.
  2. You define what actions are allowed or denied for each user

To make things a little better, you can create several roles (Editor; Administrator) to make typical users creation easier (by pre-filling the form when a role is chosen).

Nicolas  2009-12-07 15:52:24
+2  A: 

I have a custom CMS built on the Zend Framework that uses Zend's ACL to extends some basic roles (so you can deny resources specifically for additional users or allow others to access resources they normally couldn't). My basic roles go from CMS users all the way down to website "members" as follows (I just use one users table to store all my authentication).

Developer

Edit any content, edit layouts, settings, configuration. Use special tools that can call shell scripts and force cron jobs.

Admin

Edit any content, edit layouts, settings.

Author

Edit content.

Member

Can view the login screen, forgot password and bug report.

Now, Zend has a nice ACL implementation so you can easily extends your base ACL class and add new roles that extend from the basic roles. So I might make an "Admin" who has access to one of the Developer tools (e.g. purge or cache management) or lock an author to only be able to manage blogs (and not for example news).

Typeoneerror  2009-12-11 04:54:29
+5  A: 

I asked this question a little bit ago and got the following response.

admin           //Manage everything
manager         //Manage most aspects of the site
editor          //Scheduling and managing content
author          //Write important content
contributors    //Authors with limited rights
moderator       //Moderate user content
member          //Special user access
subscriber      //Paying Average Joe
user            //Average Joe
Xeoncross  2009-12-11 18:24:05
+2  A: 

I wouldn't necessarily dismiss the fine grained control system you have now. If you have one that is adaptable focus on hiding away the complexity by providing a simplified interface (eg use the facade pattern or the adapter pattern). The benefits are that you provide users with the simplified version (simple permissions like 'admin' can 'delete' a 'post') while still retaining the fine grained features should you need them later (eg more complicated permission handling is to allow to delete posts when the post is your own post in category X). Then you can provide an alternative to the simplified version for that need in some places.

koen  2009-12-12 11:39:13
+1  A: 

Admin : The one with all the rights

Author : The one who has all rights to a specific content (like a blog author who owns the blog), also has the permissions to add/invite users to collaborate/view the content

Collaborator : The one who can edit/add content to which the author has given rights, cannot delete the content or invite/add more collaborators

Viewer : The one who can view the content if the author has invited to view

Editors : The one who can approve/edit all types of content

Having a fine grain control is not a bad idea if you expect advanced users/developers to use the CMS. But for novice CMS managers, the basic roles make the system much more usable.

ranedk  2009-12-13 18:59:00

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases