You are here: Home / Web Services / Tutorials / How to Tutorials / Delegate Manage User Rights

Delegate Manage User Rights

by brian.ortiz — last modified Aug 28, 2014 05:39 PM
You have now learned how to create and organize your own content. Now, it's time for you to allow other people to create and edit content on your site. In this section, we will show you how to create Users and Groups, and how to give them specific permissions to add, edit, and view the content on your site.

Delegate or Share Content Management with Other People

You have now learned how to create and organize your own content. Now, it's time for you to allow other people to create and edit content on your site.


In this section we'll show you how to create Users and Groups, and how to give them specific permissions to add, edit, and view the content on your site.

This section requires that you log in with the Manager role.

Creating users and groups

Before you can delegate permissions to other users, you need to have some other users on your site. To create Users and Groups, you need to begin by entering the Site Setup section:
You can find that usually in the top right corner of your website as shown below:
Propertyshelf MLS Webservices Manage Users
At this point, you will need to decide if you want to create users yourself, or let users add themselves without interaction on your part. We will first go over the basics of how to create a user account, and then move on to the various other ways in which Plone allows users to be created.

Creating a user

Start by navigating to Site Setup, then to the Users and Groups section from the control panel, and then select Add New User.
Propertyshelf MLS Webservices Manage Users


After you click the Register button, an email is sent to the email address provided, assuming that a mailhost has been configured for your site. The email will contain a link that will bring the user back to the site to complete the registration process.
Plone will delete the account if it isn't accessed within 168 hours from time of initial creation.

Allowing users to register themselves

If you want to let users add themselves to your site, you need to select the Security link, and then select the Enable self-registration checkbox, as shown below:


Propertyshelf MLS Webservices Registration

Delegate Content Management to Other People

After saving the security settings, you can visit your home page, and you'll see the following portlet where an anonymous user can register themselves:

Propertyshelf MLS Webservices Manage User Security Settings

On clicking the New user? link, users will be brought to a page where they can fill out their details as described previously, with the only difference being that they are filling out the registration form, and not you.
Once they have registered, users are assigned to the Member role by default. Details of the various roles and their permissions are described in the Roles and Permissions section of this section.
If you are going to allow self registration, it's recommended that you do not enable the Enable User Folders option, as the user may truly be anonymous. You also shouldn't enable the Let users select their own passwords option, as that would let anyone create an account without verifying themselves as valid users via the email mechanism.


Creating users with initial passwords

Note: see screenshot above
If you want to control the creation of users, you will need to first ensure that the Enable self registration option in the security section is disabled.
If you have to assign an initial password for any new user, you should deselect the Let users select their own password checkbox.
Specifying these options will enable you, as the administrator, to create users and assign initial passwords to them. This can be useful in situations when you are setting up many accounts and want to bypass the email confirmation process, or in scenarios where users may not have email accounts.
After a user has been authenticated for your site, they can go into the personal profile as described in a previous chapter and change their password.

Roles and permissions

Plone's security and permissions model is based on the idea of roles. A role is a bundle of permissions. For example, the Reader role may only have the permission to view content, while the Contributor role can view content and also add new content. Plone ships with a number of pre-defined roles, which cover most common situations. You can also define new roles, but that is beyond the scope of this introductory section.

Propertyshelf MLS Webservices Manage Permission Rights

Plone's built-in roles are as follows:


The Contributor role grants users the ability to add content to the site. Contributors can edit the content they have created, but cannot edit others' content. Contributors can copy and paste content objects into folders for which they have the Contributor permission.


The Editor role is more limited then the Contributor role in that editors can edit others' content but are not able to create their own content. The editor role also has the ability to Submit for Publication. The Editor role is useful when content needs to be proofread or edited before (or after) being published.


The Reader role has view permissions for the content items created that are in the private state. With this role, the user only can view content. No other action is available, as demonstrated by the following screenshot:


The Reviewer role has permission to publish items that are in the Submit for Publication state. They can't see items that are in the private state.
The reviewer can see items in the Publish queue via a portlet. By default, the Review List portlet is set up in the personal dashboard for the user, as well as on the right-side columns of the site:


Propertyshelf MLS Webservices Review Process
The reviewer also has the option to publish the page, send it back to the contributor, or go to the Advanced... options:
Propertyshelf MLS Webservices Publication Process

Within the Advanced... section, the reviewer can publish, send back to the contributor, or submit for publication on a specific date, as well as have the content expire (make unavailable to site visitors) on a certain date.


The Manager role is the Site Administrator role. It's also known as a super user account. This role has all possible permissions within the site, including access to the Site Setup section, where Users and Groups can be created. Typically, this role is reserved for a limited number of people. When applying permissions at the folder level within the site, a sharing tab is available to the Manager role so that specific permissions can be granted for that top-level folder, which then propagates down to all of the subfolders, either existing, or yet to be created.
As new subfolders are created, the Manager role can create new folder permissions within those subfolders, if necessary.
The tab Sharing shows our progress so far, as we have applied permissions to the Clubs folder structure:

Propertyshelf MLS Webservices Manage Users

As can be seen in the preceding screenshot, we have only one role selected for each user account. As mentioned earlier, the Reviewer role currently can't see the private items. We could also assign the Reader role, which would enable access to the private content. We could even give more control to the Reviewer by selecting the Can add and Can edit permissions. Doing this would give the Reviewer role maximum control over the content where the permission is applied. This makes a lot of sense for smaller sites.

Using groups to control security

If you expect your site to grow beyond a handful of content contributors, you should consider assigning Roles to Groups, instead of to individual users, whenever possible. This will greatly ease the administrative burden as you add and remove users from your site.
For example, imagine that you have four specific sections of your site for which 10 different users have the Contributor role. As time goes by, one of the members of that group may no longer be involved. If you assigned the Contributor role to each user in each section individually, you would need to take that specific user out of each section.
If, on the other hand, you created a group and gave that group Contributor permission on the appropriate sections of your site, all you would need to do is remove one user from the group. By doing so, the permissions set up for the group takes care of all of the four sections, with this one change.

Creating groups

To create a new group, go to Site Setup, and then click on Users and Groups. Once you are in the Users and Groups section, click on the Groups tab.
In this section, you can define groups that will contain users. As you apply permissions throughout your site's folder structure, you can apply group permissions in addition to or in lieu of users. Plone's default groups are:
• Administrators
• Reviewers
• Authenticated Users
Assigning a user to the Administrators group gives that user the Manager role for the whole site. Assigning a user to the Reviewers group grants the Reviewer role to the user for all sections of the site. The Authenticated Users group is a Virtual Group that includes all of the logged-in users for your site. There are no assigned users in this group.
We will now create some groups that will make sense for the High School demo site used in our previous tutorials.
We'll create a structure where parents can contribute pages for the High School's sports program. The coaches will have the Editor role, and the Athletics Director will have the Reviewer role. The Groups we will create are as follows:
• Sports Contributors (Assign registered parents to this group)
• Sports Editors (Assign coaches to this group)
• Sports Reviewers (Assign the Athletics Director to this group)
To create the new Groups, navigate to the Groups section, click on Add new Group, and then specify a name for the new group:
After we have created all of the groups, we can assign users to the groups, and then assign the groups to the Sports section.
Don't assign any roles to the groups in the Site Setup section unless you want that group to have these permissions across your entire site. You can assign roles specific to users, and groups roles, within specific sections of your site. This will limit their roles to only what you explicitly define.

Adding users to groups

To add users to a group, you need to go to Users and Groups, and then click on the Groups tab. Click on the group name to which you want to add users. This will bring up a page where you can search for users. Once you have found the users to be added, select the checkbox next to their names:
You can also add a group as a member of another group.

Assigning roles to specific places in your site

We can now go to the Sports section, and apply the group permissions to it. Navigate to the Sharing tab, and then deselect the Inherit Permissions from Higher Levels option, as we want to have specific permissions within this section. We can display all of the users and groups that we want to add, but to limit the results, we can filter by typing in sports, as shown below:
By selecting the appropriate roles, the members of these specific groups will have the roles they need for their specific content areas.
This methodology provides a great solution for large sites as you can scale towards many different subject matter experts or authors.


In this section, we have learned how to:
• Enable self-registration
• Create user accounts with initial passwords
• Create user accounts with email verification
• Set up roles and permissions for users to be able to work in Plone
• Create groups
• Add members to a group
• Apply permissions via users and/or groups to folders
Using what you have learned in this chapter, you should be ready to add users and groups to your site. This, in turn, will enable your site members to start adding content to your site in a more controlled fashion.