ACL Guide
Using this guide is at your own risk. If you've never used ACL, please contact our first.
ACL is short for Access Control List. Giving rights to users of Anymeta sites is done with user groups and content groups: User groups have rights to do certain actions to content groups.
In this article:
1. User groups
User groups are called Aro’s (Access control list Request Object). Not all groups are available on every Anymeta site. Users that register are automatically added to a certain user group, but this can be changed in the Member Administration (see image below). New users are added to the user group members by default. For a detailed article about the Member Administration go here.
Change the user groups in the Member Administration
In the table below you can see what rights the different groups have (installer):
| Everybody | Everybody can view public content |
| Guests | Guests can view public content |
| Humans | This user group is used on websites where visitors (without profile) can leave comments |
| Known user | The base group for registered users. All groups below inherit all rights the known users have. Known users can create comments and tags and can view content in the content group protected |
| New member | New members can create articles, organisations, locations, persons etc, but can't publish or delete them. New members can only edit their own things. |
| Member | Members can create things. They can also edit, publish and delete their own things. |
| Senior member | Senior members have Superview-rights. This means they can view all content no matter what the trust permissions are. Senior members can also edit, delete and publish all public and forum content. Senior members can also edit, publish and alias content in the contentgroup persons. This ARO is used for users that help new members and members in using the website |
| New editor | New editors have access to the admin (backend), but have no publish or delete rights. They also have limited access to the admintools (Link Checker, Statistics). New editors can create artefacts, articles, attachments, organisations, locations, persons and sets in the content groups public, guests, protected and editorial. They can create all types and they have superview and edit rights on all content in the content groups public, guests, protected, forum and editorial. |
| Editor | Editors can publish and delete. They can also change content groups and change owners. |
| Senior editor | Senior editors can create meta data. Senior editors also have access to the Member Administration. Senior editors can import data from spreadsheets and configure the spamfilter |
| Sysadmin | System administrators can use all system administration functions, but can't install new modules. |
| Spammer | Spammers inherit the rights of everybody but the notifications and mail actions are denied. |
In Anymeta higher usergroups inherit the rights of the lower groups. In the graphs below you can see there are different branches of user groups; one for the members and one for editors:
Hierarchy of the editors
- Everybody
- Guests
- Humans
- Known users
- New editors
- Editors
- Senior editors
- System administrators
Hierarchy of the members
- Everybody
- Guests
- Humans
- Known users
- New members
- Members
- Senior members
2. Content groups
Content groups are also called Axo's, which is short for Access eXtension Objects. Users can belong to different user groups, but content can only belong to one content group. The content group can be selected or changed in two different places: in the admin and in the Member Administration.
Admin
Create a new item and select content group
Change content group in the admin
Member Administration
Change content group in Member Administration
Below you will find an overview of the most common content groups and what they mean:
| Public | Public content, visible for everyone, can be deleted by members if they are the owner |
| Guests | Content intended only for anonymous visitors, also visible and editable for editors |
| Persons | Persons, can't be deleted by owners |
| Editorial | Content only intended for editors |
| Protected | Content only intended for logged in users |
| Metadata | Content group for keywords, roles, languages, types, listpublished and listedits. Visible for everyone, editable only for senior editors |
| Templates | Content group for templates |
| System related content | eg. HOME_ARTICLE, NAVIGATION, LP_SEARCH |
| Imported | Content imported from other websites |
| Forum | Content group for forums, topics, notes |
3. How do I add or edit an ACL rule?
Changes in the ACL are applied directly; you don't need to flush the cache.
When you create a new ACL rule you need to make sure the three rightmost boxes have information in them.
1. Access
By default Allow and enabled are checked. You can choose deny to exclude certain rights. You can check Important to make sure one rule overrules another if they conflict.
2. Member Groups
Check for which member group(s) you want to create an ACL rule. Keep in mind that there are different branches, one for members and one for editors. Also keep in mind that higher user groups will inherit the rights of the lower groups.
3. Action Sections & Action objects
Click an action section in the first column. The actions that belong to that section will appear in the second box. Select the actions and click on the arrows (>>). You can undo selected actions by clicking the arrows pointing to the left (<<). You can find all actions, with an explanation, in the tables at the end of this article.
4. Sections & Access eXtension Objects
Click a section in the first column. The AXO's will appear in the second column. Select the ones you want by clicking the arrows (>>). You can undo selected AXO's by clicking the arrows pointing to the left (<<).
5. Note
Please add the reason you added or changed an ACL rule.
6. Save
Don't forget to save the rule.
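A simplified model of how rules on inherited groups combine, added here as an illustration; it is not Anymeta's code. The group chains come from the hierarchies in section 1; the sample rules and the precedence order (Important first, then the nearest group, then deny over allow) are assumptions, since this guide does not specify which settings overrule which.

```python
# Added illustration: a simplified model, not Anymeta's implementation.
PARENT = {  # child -> parent, taken from the two hierarchies in section 1
    "guests": "everybody", "humans": "guests", "known users": "humans",
    "new members": "known users", "members": "new members",
    "senior members": "members",
    "new editors": "known users", "editors": "new editors",
    "senior editors": "editors", "system administrators": "senior editors",
    "spammers": "everybody",
}

def lineage(group):
    """Return the group followed by every group it inherits from."""
    chain = [group]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

# Constructed sample rules: (group, action, content group, allow?, important?)
RULES = [
    ("everybody", "view", "public", True, False),
    ("known users", "view", "protected", True, False),
    ("new members", "own: edit", "public", True, False),
    ("members", "own: publish", "public", True, False),
    ("new editors", "edit", "editorial", True, False),
    ("new editors", "publish", "editorial", False, False),  # plain deny
    ("editors", "publish", "editorial", True, False),
    ("new editors", "delete", "editorial", False, True),    # Important deny
    ("editors", "delete", "editorial", True, False),
]

def decide(group, action, axo, rules=RULES):
    """Assumed precedence: Important rules first, then the nearest group in
    the lineage, then deny over allow. No matching rule means no access."""
    chain = lineage(group)
    matches = [r for r in rules if r[0] in chain and r[1:3] == (action, axo)]
    if not matches:
        return False
    best = min(matches, key=lambda r: (not r[4], chain.index(r[0]), r[3]))
    return best[3]

def effective_rights(group, rules=RULES):
    """List every (action, content group) pair the group ends up allowed."""
    pairs = sorted({(r[1], r[2]) for r in rules})
    return [p for p in pairs if decide(group, *p, rules)]
```

Under these assumptions an Important deny placed on a low group such as new editors also blocks every group above it in the same branch, which is worth checking before ticking Important on a rule.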
4. Trust settings
On top of the ACL permission settings you can set your own trust settings per item on the website. You can set these on the edit page of every thing and you can set a default in your preferences. These settings are not based on user- or content groups, but are based on your own social network.
5. Actions
In the ACL you can configure what user groups can do what actions in which content groups.
The following actions can be configured:
| ACTION | If this action is configured, the user group has the permission to.. |
| View | |
| view | View content |
| view all (super view) | View anything, even though the view permissions are set to private |
| Link | |
| -all- | Make all links from content |
| eg. about, lived, located_at | <all roles of that site> |
| Link to | |
| -all- | Make links to content (by default all known users are allowed to create links to all content) |
| eg. about, lived, located_at | <all roles of that site> |
| Edit | |
| edit | Edit all things |
| publish | Publish all things |
| delete | Delete all things |
| make alias relation | Alias two or more things together |
| trusted content | Add HTML in text |
| access control | |
| transfer to another axo | Change the content group |
| link | ? |
| change owner | Change the owner of the thing |
| own: edit | Edit your own things |
| own: publish | Publish your own things |
| own: delete | Delete your own things |
| own: transfer to another axo | Change the content group of your own thing |
| own: link | ? |
| own: change owner | Change the owner of your own things |
| <all rate ratings #> | Give rating #x to things * |
| own: <all rate ratings #> | Give rating #x to own things |
| Create kind | |
| -all- | Create all kinds |
| eg. artefact, topic, role | <all kinds for that site> |
| Create type | |
| -all- | Create all types |
| eg. event, exhibition, rsvp | <all types for that site> |
| Administrate | |
| use | Access and configure modules and systems |
| Access | |
| use | Access modules and systems |
Older versions
| Edit | |
| delete edit version | |
| own: delete edit version | |
| View | |
| view edit version | This doesn't exist anymore in Anymeta versions > 4.12 |
6. Sections
| SECTION | |
| content | |
| eg. public, guests, protected | <all content groups> |
| system | |
| system configuration | |
| system administration tools | |
| editorial interface (any_any) | Access to the admin |
| access control lists | |
| flush the system cache | |
| import data from spreadsheet | |
| checkout administration | |
| shop administration | |
| user administration | |
| scene selection | |
| user mail | |
| send mailing | |
| mailinglist | |
| edit configuration | |
| wizard configuration | |
| moderation | |
| run the task queue | |
| statistics | |
| check links in content | |
| spam filter configuration | |
| empty trash | |
| sharing configuration | |
| backup and restore system | |
| identity configuration | |
| language priority | |
| module | |
| eg. email, MailForm, pubsub | <All installed modules for that site that need ACL settings > |
| mime | |
| eg. image/jpeg, video/mp4 | <all kinds of media formats> |
| node | ? |
| * | |
| status/* | |
| id/* |
To do:
- Figure out what every user group can do and update the documentation about this: http://www.mediamatic.nl/page/2415/en
- Check if forum settings cause the comment trustsetting dropdown to disappear
- Check what settings overrule what
- Write something about the ACL check in the templates
- http://www.anymeta.net/article-717-nl.html
- Story telling sites have extra rules for new- and senior members. These rules should be in the default installer too.
Eveline
Jeana
Ino
Heleen