ridgedale

PW3 - Non-Superuser Roles Administration


Reference: PW 3.0.111 and uikit3 based site using the Regular-Master profile.

I wonder if anyone might be able to point me in the right direction. I need to restrict the superuser role to overall administrators of a group of sites, but provide role and permission administration for the administrators of the individual sites. My searches unearthed the following thread:

However, after having already created the sitemanager role and given site administrators the user-admin permission and having then created the role-admin permission and assigned that to the sitemanager role, the users with sitemanager permissions are able to see the Roles item under the Access menu of the backend but no submenu is displayed showing the Add Role option or any of the roles that the administrator should have access to. My intention is that the individual site administrators should have access to assign the guest and sitemanager roles (but not edit them) and be able to create roles with privileges beneath that of sitemanager.

Any advice would be greatly appreciated.


Hi @Robin S ,

Thanks again for responding.

What I was doing was following the guidelines provided here: https://processwire.com/api/user-access/permissions/#user-admin-permissions

I had missed the following little nugget of information:

Quote

... a user must have that (user-admin-all (my addition for clarity)) permission (in addition to user-admin permission) in order to edit "all" users in the site (superusers excluded, as before)

Now that the sitemanager can add/remove users s/he still does not have any access to add/remove roles or assign permissions despite the role-admin permission having been added and assigned to sitemanager. The Role menu item is displayed but no sub-menus are available and no Permissions menu is displayed at all.

Not sure what I'm doing wrong, now. Any guidance appreciated.


Right, I understand now. You are wanting to give a role (let's call the role "manager") the ability to edit roles/permissions and add new roles/permissions.

First thing to know is that in doing this you would be going well off the map of what is documented in ProcessWire and straying into some potentially dangerous territory. Normally only superusers manage roles and permissions, and if you decide to deviate from that you'll want to do your own thorough testing. It sounds risky to me and not something to be done lightly.

But I took a look at what's needed to enable this and it seems that the steps are...

Manage roles

1. Create new permission "role-admin".

2. Give this permission to the manager role.

3. Open the "role" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children".

Manage permissions

1. Create new permission "permission-admin".

2. Give this permission to the manager role.

3. Open the "permission" template at Setup > Templates (you'll need to show system templates in the filter section). On the Access tab allow the manager role to "Edit Pages" and "Add Pages".

4. Open the "admin" template, and on the Access tab allow the manager role to "Add Children". You can skip this step if you already did it.


Hi @Robin S ,

Thank you again for your reply and detailed instructions.

I am very conscious of the potential pitfalls. What I am aiming to achieve overall is that sitemanagers only have control to manage roles and assign permissions that are equal to and beneath their own assigned rights. I hope that makes sense.

The reason for not allowing sitemanagers to be superusers in this particular instance is that it is a multi-site installation where we don't want sitemanagers creating/editing/deleting templates/fields/logs and/or installing modules. All the sites are effectively run using identical templates and modules. If we allow sitemanagers that level of control it will inevitably lead to an administrative nightmare for the superusers in the long run.

I will delve deeper and look further into this.

Many thanks again for your guidance.


Update:

I can see adding the permission-admin permission to the sitemanager role gives the sitemanager access to all site permissions effectively allowing him/her to create a superuser equivalent role. That is definitely not what I am aiming for.

Is it possible to restrict the permissions the sitemanager can give/remove to those assigned to the sitemanager role?

Otherwise are there any alternative suggestions as to how to restrict sitemanager access, so s/he does not have access to modules, templates, fields and logs, but can manage users, roles and permissions at their own level or below?


Maybe create a Process Module (say, Manage Users) that only Superusers and Site Admins can view. Create a simple GUI >>> add foo, add bar, etc. Behind the scenes, you use the API to manage users, roles and permissions. Obviously, you restrict the roles, permissions, etc that the Site Admins can manage. It might seem like re-inventing the wheel, but you avoid the red lines/pitfalls you've mentioned (site admins seeing modules, etc). 

Just my 2p.

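One way to implement the check behind the restricted "Manage Users" module suggested above, as an added example that is not code from the thread or from ProcessWire itself: a role may be assigned only when every permission it carries is one the acting manager already holds. It assumes it runs inside a ProcessWire Process module; the function names and the "role-changes" log name are hypothetical.

```php
<?php namespace ProcessWire;

// Added example: helpers meant to be called from a custom Process module
// (for example from its execute method). Function names are hypothetical.

/**
 * True when every permission on $role is one the manager already holds,
 * so assigning the role cannot hand out more than the manager's own rights.
 */
function roleWithinManagerRights(User $manager, Role $role): bool {
    if ($role->name === 'superuser') return false; // never delegable
    foreach ($role->permissions as $permission) {
        if (!$manager->hasPermission($permission->name)) return false;
    }
    return true;
}

/**
 * Assign $role to $target on behalf of $manager, refusing any escalation.
 */
function assignRoleAsManager(User $manager, User $target, Role $role): void {
    if (!$manager->hasPermission('user-admin')) {
        throw new WirePermissionException('user-admin permission required');
    }
    if ($target->isSuperuser()) {
        throw new WirePermissionException('superuser accounts are off limits');
    }
    if (!roleWithinManagerRights($manager, $role)) {
        throw new WirePermissionException("role {$role->name} exceeds your own rights");
    }
    if ($target->hasRole($role)) return; // already assigned, nothing to do
    $target->of(false);
    $target->addRole($role);
    $target->save();
    // Audit trail; the "role-changes" log name is an assumption.
    wire('log')->save('role-changes',
        "{$manager->name} gave role {$role->name} to {$target->name}");
}

// Usage inside the module, with names taken from submitted form input:
// $role   = $roles->get($sanitizer->pageName($input->post('role')));
// $target = $users->get($sanitizer->pageName($input->post('user')));
// if ($role->id && $target->id) assignRoleAsManager($user, $target, $role);
```

Because the subset test runs on every assignment, a role that a superuser later widens stops being assignable by managers who lack the new permission.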

Thank you for your feedback @kongondo and insight.

I think at this stage the solution in the short-term is to only allow superusers to create/edit/remove roles and enable just the user-admin and user-admin-all permissions for sitemanagers to allow them to be able to assign the roles pre-defined by superusers. It will also keep the administration simple for future superusers.

Thanks again to both of you for your assistance.
