Loading...
 
permissions
Home  »  Tiki Administrator Guide  »  User - group - perms  »  Permissions

Permissions Settings

Related Pages: Groups, Groups Admin, Category, Category Admin, Permissions List




Understanding Tiki Permissions

After setting the features, setting permissions is the most important part of Tiki administration. This page describes the basic concepts in Tiki’s permission system and how they interact. A complete list of permissions can be found on the Permissions List page.

How Permissions Work

Basic facts you need to know to understand the permission system in Tiki

  • When Tiki is installed, there are at least two pre-defined Groups of users:
    • Anonymous: Users that are not logged automatically belong to the anonymous group.
    • Registered group: Users logged in automatically belong to this group.
  • Administrators can create and edit Groups of users.
    • Each Group can have a fully customized access to all site features.
    • Users can be assigned to one or several groups.
    • Groups can have subgroups.
    • Permissions are assigned to Groups of users, NOT to single users.
  • Individual objects can have permissions applied to them directly
  • If no permissions are specified for a Group to an object or to a content category, then global permisions apply.
  • Administrators can create and edit a content Category.
    • Objects (after 1.9) can be added to content categories.
    • a content category can then be assigned to a group.
    • category based permissions, when used (advanced), give members of the Groups the permissions assigned to them.


What order are permissions settings applied?

It is important to understand that Tiki uses several types of permissions:
  • Global permissions: Each site visitor belongs to a Group (such as Anonymous or Registered). The permissions you assign to the group define the global permissions for that user.
  • Category permissions: These permissions define the actions that users can take for objects in a specific content category.
  • Object permissions: These permissions define the actions that user can take for an individual object.

    Tip: The setup of permissions is much easier when you are still learning how to master them if you avoid the level of Category permissions, and you only use Global and Object permissions.

Permissions are inherited from from the top-down, but override from the bottom-up.
The relationship of Group-Category-Object permissions
This image illustrates the relationship among Group, Category, and Object permissions.


Tiki’s permissions model may look like complex... but may also be very customizable.

 

Starting with Release 4.x, Tiki has a dramatically different (and friendlier) method of assigning permissions than earlier versions.


Permissions Example

Consider the following example for a company using Tiki:
You have the groups:
  • Anonymous
  • Employees
  • Board of Directors
Listing Groups page
The Groups for ABC Company


Notice that some groups include other groups. For example, members of the Board of Directors group will include, in addition to their own permissions, the permissions from the Employees, Registered, and Anonymous groups.

You have the categories:
  • Financial Information
  • Press Releases

You want to give:
  • Everyone permission to read most pages
  • Employees permission to edit most wiki pages
  • Board Members only, access to the company’s financial information.


Global (Group) Permissions

First, you need to define the global permissions for each group.
Global Permissions
Defining the Global permissions for each group.


Anonymous

  • To let the general public (that is, anonymous visitors) view wiki pages, assign tiki_p_view to Anonymous.


Employees

  • The Employee group includes the Anonymous group (that is, everyone) and Registered group (that is, users who are logged in). Therefore, the Employee group inherits the tiki_p_view permission from these groups.
  • To let employees edit pages, assign tiki_p_edit to Employees.


Board of Directors

  • The Board of Directors group includes the Anonymous, Registered, and Employees groups. Therefore, the Board of Directors group inherits the tiki_p_view and tiki_p_edit permission from these groups.
    This group does not require any additional permissions.


Category Permissions

Now that the Global permissions are set, you can adjust the permissions for each category. These settings will override the Global permissions.

Note:
Remember that Category permissions are an advanced feature only recommended for experienced users of Tiki, mastering already how Global and Object permissions work.


Press Releases

Currently, Anonymous can view press releases, and Employees can edit them (as defined by the Global permissions). To allow only the Board of Directors to edit press releases, you must assign permissions to the category. This will override the default group (global) permissions:
  • For the Press Releases category, remove tiki_p_edit from Employee. Now only the Board of Directors group can edit wiki pages in the category.
  • Anonymous visitors (and all groups that inherit the Anonymous group’s permissions) can still view the pages.
Category Permissions
Defining the Category permissions for the Press Releases category.



Financial Information

Currently, Anonymous can view Financial Information, and Employees can edit them. But we want only the Board of Directors to have access (both view and edit) to these pages. You’ll need to make the same adjustments to the Financial Information category’s permissions:
  • Remove tiki_p_edit from Employee. Now only the Board of Directors group can edit wiki pages in the category.
  • Remove tiki_p_view from Employee, Registered, and Anonymous. Now only the Board of Directors can see the pages.


Object Permissions

But what if you want one item in the Financial Information category, to be visible to the public? You can override all other permissions, by assigning specific permissions to the object itself. For example, the ABC Company may have a public disclosure form, issued by the government, that it needs to make public (but that only the government can change or update):
  • For the individual item, remove tiki_p_edit from the Employee and Board of Directors group. Since this form is issued by the government, no one should be able to change it.
  • Anonymous visitors (and all groups that inherit the Anonymous group’s permissions) can still view the pages.
Object Permissions
Assigning object-specific permissions to the PublicDisclosure page.


Object Permissions can be tricky.

For example using version 10, if you wanted to hide one wiki page made by admin from the Anonymous group you would select the page’s permissions (from the admin menu : Wiki/List Pages/then click the Key icon for your page in the list).

Using the object permission page of the wiki page, you turn off the “Can view page/pages (tiki_p_view)” attribute and save.
However, after loging off, and connecting as Anonymous you can still see the page.

It turns out that you have to turn off the “Can view page/pages (tiki_p_view)” AND “Can admin the wiki (tiki_p_admin_wiki)” attributes to hide the wiki page from the Anonymous group.


Managing permissions

Warning
While entering a filter, JQuery will rebuild the list. Do not press enter or you’ll start all over.
Starting in Tiki4, a new interface has been designed to manage object and category permissions.

In this new interface there are three tabs. The first one to allow assigning permissions.



the second tab is to select which groups should be included in the table for assigning permissions, since when the list of groups is too big, assigning permissions could be too slow.

File is not an image.


The third tab is also to filter the number of features that should be shown in the interface. This is specially needed when managing category permissions, to avoid having a list far bigger than needed for our purposes in specific cases.

File is not an image.


In addition, this new interface to manage permissions includes several features:
  1. You can assign or remove all object permissions on all child categories if this box is checked.
  2. You can filter the whole list of permissions dynamically to list only those containing some text
  3. You can expand or collapse at will any of the sections of permissions
  4. You can select one by one the permissions to be assigned or checking the box at the column title (group name) level, and that selection will propagate to all the checkbox shown in that column.


Permissions by section

NameDescriptionPermissionsCan override global permissions?LastModif
ArticlesArticles can be used for date-specific news and announcements. You can configure articles to automatically publish and expire at specific times or to require that submissions be approved before becoming “live.” In addition to categories and tags, articles include their own unique classification system of Topics and Types.
tiki_p_edit_article
tiki_p_remove_article
tiki_p_read_article
tiki_p_submit_article
tiki_p_edit_submission
tiki_p_remove_submission
tiki_p_approve_submission
tiki_p_admin_cms
tiki_p_autoapprove_submission
tiki_p_topic_read
via topic_read
Directory (links)User-submitted Web links
tiki_p_admin_directory
tiki_p_view_directory
tiki_p_admin_directory_cats
tiki_p_admin_directory_sites
tiki_p_submit_link
tiki_p_autosubmit_link
tiki_p_validate_links
yes
ForumForums are online discussions organized by topic (or thread). Tiki forums feature threaded or flat views, file attachments, moderation and queuing, monitoring (subscription) of particular forums or topics, and full usage of wiki syntax.
tiki_p_admin_forum
tiki_p_forum_post
tiki_p_forum_post_topic
tiki_p_forum_read
tiki_p_forum_vote
tiki_p_forums_report
tiki_p_forum_attach
tiki_p_forum_autoapp
yes
File GalleryStorage and sharing via download or display in pages, of images, videos, and other file types . Supports check-in and check-out (lock), versions, etc.
tiki_p_admin_file_galleries
tiki_p_create_file_galleries
tiki_p_upload_files
tiki_p_download_files
NOTE: If you store images in the file gallery, you must include tiki_p_download_files in order for groups to view the images.

tiki_p_view_file_gallery
tiki_p_batch_upload_files
yes
CalendarEvents calendar with public, private and group channels
tiki_p_view_calendar
tiki_p_change_events
tiki_p_add_events
tiki_p_admin_calendar
tiki_p_view_tiki_calendar
yes
Image GalleryCollections of graphic images for viewing or downloading (photo album)
Note: The Image Gallery is deprecated in favor of the File Gallery.
tiki_p_admin_galleries
tiki_p_create_galleries
tiki_p_upload_images
tiki_p_view_image_gallery
tiki_p_batch_upload_images
tiki_p_batch_upload_image_dir
yes
TrackersFacts and figures storage and retrieval. A forms and database generator, with reporting. Can be used for a bug tracker, item database, issue tracker, etc
tiki_p_modify_tracker_items
tiki_p_comment_tracker_items
tiki_p_create_tracker_items
tiki_p_admin_trackers
tiki_p_view_trackers
tiki_p_attach_trackers
tiki_p_view_trackers_pending
tiki_p_view_trackers_closed
tiki_p_tracker_view_ratings
tiki_p_tracker_vote_ratings
yes
WikiCollaboratively authored documents with history of changes. Tiki’s wiki has all the features you could want from a first-rate wiki. Ex.: attach files, comments, history, images, warn on edit, page locking, powerful wiki syntax, alternative WYSIWYG editor, etc.
tiki_p_edit
tiki_p_view
tiki_p_remove
tiki_p_rollback
tiki_p_admin_wiki
tiki_p_wiki_attach_files
tiki_p_wiki_admin_attachments
tiki_p_wiki_view_attachments
tiki_p_upload_picture
tiki_p_minor
tiki_p_rename
tiki_p_lock
tiki_p_edit_structures
tiki_p_edit_copyrights
tiki_p_wiki_view_comments
tiki_p_wiki_view_ratings
tiki_p_wiki_vote_ratings
tiki_p_wiki_admin_ratings
tiki_p_wiki_view_history
tiki_p_use_HTML
yes
MapsMaps can be created and displayed using OpenLayers and OpenStreetMap.
tiki_p_map_edit
tiki_p_map_create
tiki_p_map_delete
tiki_p_map_view
tiki_p_map_view_mapfiles
Kaltura VideoVideo management
My AccountProvide content organization and communication tools for registered users
Bookmark, User Preferences, Watch, User Menu, Task, Inter-User Messages, User Files, Notepad and Mini Calendar

tiki_p_configure_modules
tiki_p_minical

N/A
FAQCreate pages of frequently asked questions and answers.
tiki_p_admin_faqs
tiki_p_view_faqs
tiki_p_suggest_faq
no
SurveyCreate questionnaires with multiple-choice or open-ended questions.
tiki_p_admin_surveys
tiki_p_take_survey
tiki_p_view_survey_stats
yes
QuizCreate timed quizzes with recorded scores.
tiki_p_admin_quizzes
tiki_p_take_quiz
tiki_p_view_quiz_stats
tiki_p_view_user_results
yes
BlogMultiple blogs can be created with various author and display configurations, etc.
tiki_p_create_blogs
tiki_p_blog_post
tiki_p_blog_admin
tiki_p_read_blog
yes
Featured linksSimple menu system which can optionally add an external web page in an iframe
TaskA site user’s to-do list. Tasks can be sent to other users. Also, there can be shared group tasks.
tiki_p_tasks
tiki_p_tasks_send
tiki_p_tasks_receive
tiki_p_tasks_admin
N/A
SlideshowTurn a wiki page into slideshow (each slide is the wiki content only, without “chrome”) by using more than one title bar in the page, or make a multi-page slideshow from a structure.
BigBlueButton Audio/Video/Chat/ScreensharingOpen source instruction-focused real-time collaboration tool. (Audio/Video/Screensharing/Chat)
ScreencastThis permits capturing the device screen and uploading to Tiki. An image is produced (that you can then draw on), or short video with sound. The jCapture applet is used.
MessagesInternal (within the site) messages from one site user to another.
ChatReal-time group text chatting
tiki_p_admin_chat
tiki_p_chat
My Account Inter-User MessagesEnable users to send internal messages to each other (like email but internal to the Tiki site). A message can be broadcast to multiple users in a Tiki group or to all site users if the appropriate permissions are granted.
tiki_p_messages
tiki_p_broadcast
tiki_p_broadcast_all
N/A
SpreadsheetsSpreadsheets supporting calculations and charts, import/export, etc.
tiki_p_admin_sheet
tiki_p_edit_sheet
tiki_p_view_sheet
tiki_p_view_sheet_history
no
NewslettersCreate and send email newsletters (plain text and HTML) to subscribed site users and other individuals.
tiki_p_admin_newsletters
tiki_p_subscribe_newsletters
tiki_p_subscribe_email
tiki_p_send_newsletters
yes
Live supportOne-on-one chat with customer or other individual
tiki_p_live_support_admin
tiki_p_live_support
HTML pageStatic and dynamic HTML content. Note: HTML can be used in wiki pages. This is a separate feature.
tiki_p_view_html_pages
tiki_p_edit_html_pages
User FilesUsers upload files and store them in their Tiki personal space; they can then download the files.
tiki_p_userfiles
User notepadUsers can write, upload, download and read notes. Notes can be read as raw text files or as wiki pages interpreting the wiki markup syntax. The user-quota that admin can control is used to set the maximum size that user notes can take.
tiki_p_notepad
N/A
User PageThis provides each user with a personal wiki page that only he/she can edit. All User Pages have a similar, configurable name that includes the user name.
ShoutboxQuick comment (graffiti) box. Like a group chat, but not in real time.
tiki_p_view_shoutbox
tiki_p_admin_shoutbox
tiki_p_post_shoutbox
no
ContactBasic form for site visitors to send a message to the site admin.
N/A
Friendship networkUsers can designate other users as “friends” using either the “follow” or “like” method.
Shopping CartA simple shopping cart feature - Information on products or services can be maintained in wiki pages or trackers with display via Pretty Tracker ) and purchases added to Module Cart through the PluginAddToCart and sent to the payment page.
WebHelpThe generated webhelp is a static representation of a structure with a tree menu that can be used to navigate the structure. A search function, print function, history and some other details are also provided.
WebmailProvides a webmail interface for site users’ own IMAP or POP accounts.


Demo site for testing


Category permissions

There is also a new feature in Tiki 1.9.x to restrict permissions via the category feature. Basically, you can already assign all the permissions you need as described above. However, permissions via the category feature is just to make it faster to assign permissions. This feature is little tricky to understand. We are working to improve it. There are only two levels (“view” & “admin”) in Tiki 1.9.4, and the third level (“edit” category contents) has been introduced in starting from 1.10.

Starting in 3.0, category permissions are in addition to Groups permissions. So if tiki_p_read_categorized allows reading items which are in a category, the user must also be in a group which allows reading the specific kind of object. The category can not grant access to an object which the user’s groups do not give him access to.

In Tiki4, the full granularity of permissions can be assigned to categories (and thus inherited when objects belong to a given category). The permissions granted to objects are the sum of all the permissions granted to categories in which they belong.

Because adding a category to an object can provide additional rights, it is important to protect who can assign categories to prevent undesired escalation. For example, if the site contains public and private information, someone with access to edit private information should not be able to make it available publicly by changing the categories. To resolve this issue, multiple permissions can be assigned to the categories.

To begin with, tiki_p_modify_object_categories allows to determine if the user is allowed to modify the categories of the object at all. Without this permission, it will be impossible to modify the categories. Typically, it is safe to grant this permission widely.

Then, there is higher granularity available for each category. tiki_p_add_object and tiki_p_remove_object determine if the user can add or remove elements from the category. Categories on which permissions are specified should also specify who can assign or remove those categories. When the operation is not available, the checkbox will be marked as disabled.

Additionally, some category changes may be allowed in certain contexts by defining Category Transitions, which would allow to change a category only from a certain state. A group of transitions create a workflow. Note that until Tiki6, category transitions are only available through Profiles.

Workspaces

Workspaces are coming to Tiki4 to further facilitate management of large & complex Tiki sites.

Admin permissions and special permissions

When a group has an admin permission on a feature such as tiki_p_admin_sheet, the group will lost his admin permission for an object with local perms or categories permissions.

Note

Some information on this page is from Tiki for Dummies Smarties, copyright (C) by Rick Sapir, published by KeyContent.org, and available under a Creative Commons Attribution-Share Alike License.

Alias



Source History

doc.tiki.org


Bootstrap

AdminGuide

UserGuide

Keywords

Keywords serve as “hubs” for navigation within the Tiki documentation. They correspond to development keywords (bug reports and feature requests):

Accessibility (WAI and 508)
Accounting (7.x)
Articles and Submissions
Backlinks
Banners
Batch (6.x)
BigBlueButton audio/video/chat/screensharing (5.x)
Blog
Bookmark
Browser Compatibility
Link Cache
Calendar
Category
Chat
Clean URLs
Comments
Communication Center
Compression (gzip)
Contacts (Address Book)
Contact us
Content Templates
Contribution (2.x)
Cookie
Copyright
Credit (6.x)
Custom Home and Group Home Page
Date and Time
Debugger Console
Directory of hyperlinks
Documentation link from Tiki to doc.tiki.org (Help System)
Docs 8.x
Draw 7.x
Dynamic Content
Dynamic Variable
External Authentication
FAQ
Featured links
File Gallery
Forum
Friendship Network (Community)
Gmap Google maps
Groups
Hotword
HTML Page
i18n (Multilingual, l10n, Babelfish)
Image Gallery
Import-Export
Install
Integrator
Interoperability
Inter-User Messages
InterTiki
Kaltura video management (4.x)
Karma
Live Support
Login
Logs (system & action)
Look and Feel
Lost edit protection
Mail-in
Map with Mapserver
Menu
Meta Tags
Mobile Tiki and Voice Tiki
Mods
Module
MultiTiki
MyTiki
Newsletter
Notepad
Payment
Performance Speed / Load
Permissions
Platform independence (Linux-Apache, Windows/IIS, Mac, BSD)
Polls
Profiles
Profile Manager
Report
Toolbar
Quiz
Rating
Feeds
Score
Search engine optimization
Search
Search and Replace
Security
Semantic links (3.x)
Shadowbox
Shadow Layers
Share
Shopping cart
Shoutbox
Slideshow
Smiley
Social Networks
Spam protection (Anti-bot CATPCHA)
Spellcheck
Spreadsheet
Stats
Surveys
Tags (2.x)
Task
Tell a Friend, alert + Social Bookmarking
TikiTests (2.x)
Theme CSS & Smarty
Trackers
Transitions (5.x)
TRIM
User Administration including registration and banning
User Files
User Menu
Watch
WebHelp
WebDAV (5.x)
Webmail
Web Services
Wiki 3D
Wiki History, page rename, etc
Wiki Page Staging and Approval (2.x)
Wiki Plugin extends basic syntax
Wiki Syntax
Wiki structure (book and table of content)
Workspace
WSOD
WYSIWYCA
WYSIWYG (2.x)
XMLRPC


Tiki Newsletter

Delivered fresh to your email inbox!
Newsletter subscribe icon
Don't miss major announcements and other news!
Contribute to Tiki
Show php error messages