How to setup & use Tiki
This page documents what Tiki does. For feature requests and bug reports, please see the corresponding page on the dev site.
Permissions Settings
Understanding Tiki Permissions
After setting the features, setting permissions is the most important part of Tiki administration. This page describes the basic concepts in Tiki's permission system and how they interact. A complete list of permissions can be found on the Permissions List page.
How Permissions Work
- Administrators can create and edit Groups.
- Each Group can have fully customized access to all site features.
- Users can be assigned to one or several groups.
- Groups can have subgroups.
- Permissions are assigned to Groups, NOT users.
- Administrators can create and edit a Category.
- Objects (after 1.9) can be added to categories.
- A category can then be assigned to a group.
- Category-based permissions give members of the Groups the right to view, the right to edit category contents (introduced in Tiki >1.10) or the right to manage the category (or any combination of them).
- Individual objects can have permissions applied to them directly
- If no permissions are specified for a Group or category, universal permissions apply.
When Tiki is installed, there are at least two pre-defined groups:
- Anonymous: Users who are not logged in automatically belong to the Anonymous group.
- Registered group: Users logged in automatically belong to this group.
What order are permissions settings applied?
It is important to understand that Tiki uses several types of permissions:
- Global permissions: Each site visitor belongs to a Group (such as Anonymous or Registered). The permissions you assign to the group define the global permissions for that user.
- Category permissions: These permissions define the actions that users can take for objects in a specific category.
- Object permissions: These permissions define the actions that users can take for an individual object.
Permissions are inherited from the top down, but override from the bottom up.
This image illustrates the relationship among Group, Category, and Object permissions.
Tiki's permissions model may be very complex... but it is also very customizable.
Starting with Release 4.x, Tiki has a dramatically different (and friendlier) method of assigning permissions than earlier versions.
Permissions Example
Consider the following example for a company using Tiki:
You have the groups:
- Anonymous
- Employees
- Board of Directors
The Groups for ABC Company
Notice that some groups include other groups. For example, members of the Board of Directors group will include, in addition to their own permissions, the permissions from the Employees, Registered, and Anonymous groups.
You have the categories:
- Financial Information
- Press Releases
You want to give:
- Everyone permission to read most pages
- Employees permission to edit most wiki pages
- Board Members only, access to the company's financial information.
Global (Group) Permissions
First, you need to define the global permissions for each group.
Defining the Global permissions for each group.
Anonymous
- To let the general public (that is, anonymous visitors) view wiki pages, assign tiki_p_view to Anonymous.
Employees
- The Employees group includes the Anonymous group (that is, everyone) and Registered group (that is, users who are logged in). Therefore, the Employees group inherits the tiki_p_view permission from these groups.
- To let employees edit pages, assign tiki_p_edit to Employees.
Board of Directors
- The Board of Directors group includes the Anonymous, Registered, and Employees groups. Therefore, the Board of Directors group inherits the tiki_p_view and tiki_p_edit permission from these groups.
This group does not require any additional permissions.
Category Permissions
Now that the Global permissions are set, you need to adjust the permissions for each category. These settings will override the Global permissions.
Press Releases
Currently, Anonymous can view press releases, and Employees can edit them (as defined by the Global permissions). To allow only the Board of Directors to edit press releases, you must assign permissions to the category. This will override the default group (global) permissions:
- For the Press Releases category, remove tiki_p_edit from Employees. Now only the Board of Directors group can edit wiki pages in the category.
- Anonymous visitors (and all groups that inherit the Anonymous group's permissions) can still view the pages.
Defining the Category permissions for the Press Releases category.
Financial Information
Currently, Anonymous can view Financial Information, and Employees can edit them. But we want only the Board of Directors to have access (both view and edit) to these pages. You'll need to make the same adjustments to the Financial Information category's permissions:
- Remove tiki_p_edit from Employees. Now only the Board of Directors group can edit wiki pages in the category.
- Remove tiki_p_view from Employees, Registered, and Anonymous. Now only the Board of Directors can see the pages.
Object Permissions
But what if you want one item in the Financial Information category to be visible to the public? You can override all other permissions by assigning specific permissions to the object itself. For example, the ABC Company may have a public disclosure form, issued by the government, that it needs to make public (but that only the government can change or update):
- For the individual item, remove tiki_p_edit from the Employees and Board of Directors groups. Since this form is issued by the government, no one should be able to change it.
- Anonymous visitors (and all groups that inherit the Anonymous group's permissions) can still view the pages.
Assigning object-specific permissions to the PublicDisclosure page.
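The ABC Company walkthrough above can be checked with a small resolver. This is an added example, not Tiki's own code: it assumes a simplified model in which the most specific level that has permissions defined (object, then category, then global) decides the result, and the page names other than PublicDisclosure are constructed samples.

```python
# Simplified model of the resolution order described on this page; not Tiki's code.
INCLUDES = {  # group -> groups whose permissions it inherits
    "Anonymous": [],
    "Registered": ["Anonymous"],
    "Employees": ["Registered"],
    "Board of Directors": ["Employees"],
}
GLOBAL = {"Anonymous": {"tiki_p_view"}, "Employees": {"tiki_p_edit"}}
CATEGORY = {
    "Press Releases": {"Anonymous": {"tiki_p_view"},
                       "Board of Directors": {"tiki_p_edit"}},
    "Financial Information": {"Board of Directors": {"tiki_p_view", "tiki_p_edit"}},
}
OBJECT = {"PublicDisclosure": {"Anonymous": {"tiki_p_view"}}}
OBJECT_CATEGORIES = {  # constructed sample pages and their categories
    "HomePage": [],
    "Q3Launch": ["Press Releases"],
    "Budget2010": ["Financial Information"],
    "PublicDisclosure": ["Financial Information"],
}

def expand(group, seen=None):
    """Return the group plus every group it includes, transitively."""
    seen = set() if seen is None else seen
    if group not in seen:
        seen.add(group)
        for parent in INCLUDES.get(group, []):
            expand(parent, seen)
    return seen

def granted(table, groups):
    """Union of the permissions a table grants to any of the groups."""
    return set().union(*(table.get(g, set()) for g in groups))

def effective(group, obj):
    """Effective permissions of a group's members on one object."""
    groups = expand(group)
    if obj in OBJECT:                        # object level overrides everything
        return granted(OBJECT[obj], groups)
    cats = [c for c in OBJECT_CATEGORIES.get(obj, []) if c in CATEGORY]
    if cats:                                 # sum over the object's categories
        return set().union(*(granted(CATEGORY[c], groups) for c in cats))
    return granted(GLOBAL, groups)           # fall back to global permissions
```

Calling `effective("Employees", "Budget2010")` returns an empty set, while the same call for PublicDisclosure returns only tiki_p_view, even for the Board of Directors.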
Managing permissions
Warning
While entering a filter, jQuery will rebuild the list. Do not press Enter or you'll start all over.
In this new interface there are three tabs. The first one is for assigning permissions.
The second tab is for selecting which groups should be included in the table for assigning permissions, since assigning permissions can be too slow when the list of groups is very large.
The third tab filters the features shown in the interface. This is especially useful when managing category permissions, to avoid having a list far bigger than needed for a specific case.
In addition, this new interface to manage permissions includes several features:
Permissions by section
| Name | Description | Permissions | Can override global permissions? |
|---|---|---|---|
| Articles | Articles can be used for date-specific news and announcements. You can configure articles to automatically publish and expire at specific times or to require that submissions be approved before becoming "live." In addition to categories and tags, articles include their own unique classification system of Topics and Types. | tiki_p_edit_article tiki_p_remove_article tiki_p_read_article tiki_p_submit_article tiki_p_edit_submission tiki_p_remove_submission tiki_p_approve_submission tiki_p_admin_cms tiki_p_autoapprove_submission tiki_p_topic_read | via topic_read |
| Forum | Online discussions on a variety of topics. Threaded or flat. File attachments, etc | tiki_p_admin_forum tiki_p_forum_post tiki_p_forum_post_topic tiki_p_forum_read tiki_p_forum_vote tiki_p_forums_report tiki_p_forum_attach tiki_p_forum_autoapp | yes |
| File Gallery | Computer files, videos or software for downloading. With check-in & check-out (lock) | tiki_p_admin_file_galleries tiki_p_create_file_galleries tiki_p_upload_files tiki_p_download_files tiki_p_view_file_gallery tiki_p_batch_upload_files | yes |
| Calendar | Events calendar with public, private and group channels | tiki_p_view_calendar tiki_p_change_events tiki_p_add_events tiki_p_admin_calendar tiki_p_view_tiki_calendar | yes |
| Image Gallery | Collections of graphic images for viewing or downloading (photo album) | tiki_p_admin_galleries tiki_p_create_galleries tiki_p_upload_images tiki_p_view_image_gallery tiki_p_batch_upload_images tiki_p_batch_upload_image_dir | yes |
| Tracker | Facts and figures storage & retrieval. A forms & database generator, with reporting. Can be used for a bug tracker, item database, issue tracker, etc | tiki_p_modify_tracker_items tiki_p_comment_tracker_items tiki_p_create_tracker_items tiki_p_admin_trackers tiki_p_view_trackers tiki_p_attach_trackers tiki_p_view_trackers_pending tiki_p_view_trackers_closed tiki_p_tracker_view_ratings tiki_p_tracker_vote_ratings | yes |
| Wiki | Collaboratively authored documents with history of changes. Tiki's Wiki has all the features you could want from a first-rate wiki. Ex.: attach files, comments, history, images, warn on edit, page locking, powerful wiki syntax, etc | tiki_p_edit tiki_p_view tiki_p_remove tiki_p_rollback tiki_p_admin_wiki tiki_p_wiki_attach_files tiki_p_wiki_admin_attachments tiki_p_wiki_view_attachments tiki_p_upload_picture tiki_p_minor tiki_p_rename tiki_p_lock tiki_p_edit_structures tiki_p_edit_copyrights tiki_p_wiki_view_comments tiki_p_wiki_view_ratings tiki_p_wiki_vote_ratings tiki_p_wiki_admin_ratings tiki_p_wiki_view_history tiki_p_use_HTML | yes |
| Map | Navigable, interactive maps with user-selectable layers (requires mapserver) | tiki_p_map_edit tiki_p_map_create tiki_p_map_delete tiki_p_map_view tiki_p_map_view_mapfiles | |
| Kaltura Video | Collaborative video editing | ||
| MyTiki | Provide content organization and communication tools for registered users: Bookmark, User Preferences, Watch, User Menu, Task, Inter-User Messages, User Files, Notepad and Mini Calendar | tiki_p_configure_modules tiki_p_minical | N/A |
| Survey | Questionnaire with multiple choice or open ended question | tiki_p_admin_surveys tiki_p_take_survey tiki_p_view_survey_stats | yes |
| Quiz | Timed questionnaire with recorded scores | tiki_p_admin_quizzes tiki_p_take_quiz tiki_p_view_quiz_stats tiki_p_view_user_results | yes |
| Directory (links) | User-submitted Web links | tiki_p_admin_directory tiki_p_view_directory tiki_p_admin_directory_cats tiki_p_admin_directory_sites tiki_p_submit_link tiki_p_autosubmit_link tiki_p_validate_links | yes |
| Featured links | Simple menu system which can optionally add an external web page in an iframe | ||
| Task | To do list. Can send tasks to other users. Also shared group tasks. | tiki_p_tasks tiki_p_tasks_send tiki_p_tasks_receive tiki_p_tasks_admin | N/A |
| Slideshow | Turn a wiki page into slideshow by using more than one title bar in the page. You can also make slideshows from a structure. Here is a nice example of a slideshow about Using a Wiki as an Organizational Portal | ||
| BigBlueButton Audio/Video/Chat/Screensharing | Open source real-time collaboration tool. (Audio/Video/Screensharing/Chat) | ||
| Chat | Real-time group text chatting | tiki_p_admin_chat tiki_p_chat | |
| MyTiki Inter-User Messages | Enable users to send internal messages to each other. (like email but internal to your tiki site). A broadcast is a message sent to many users, the message can be sent to a Tiki group or to all users (if permissions are ok). | tiki_p_messages tiki_p_broadcast tiki_p_broadcast_all | N/A |
| Spreadsheet | Datasheets with calculations and charts | tiki_p_admin_sheet tiki_p_edit_sheet tiki_p_view_sheet tiki_p_view_sheet_history | no |
| FAQ | Frequently asked questions and answers | tiki_p_admin_faqs tiki_p_view_faqs tiki_p_suggest_faq | no |
| Newsletters | Content mailed to registered users | tiki_p_admin_newsletters tiki_p_subscribe_newsletters tiki_p_subscribe_email tiki_p_send_newsletters | yes |
| Blog | Online diaries or journals | tiki_p_create_blogs tiki_p_blog_post tiki_p_blog_admin tiki_p_read_blog | yes |
| Live support | One-on-one chatting with customer | tiki_p_live_support_admin tiki_p_live_support | |
| HTML page | Static and dynamic HTML content. Note: HTML can be used in wiki pages. This is a separate feature. | tiki_p_view_html_pages tiki_p_edit_html_pages | |
| Gmap | Use of Google Maps interactively inside Tiki. | ||
| User Files | Users upload files and store them in their tiki personal space, they can then download the files. | tiki_p_userfiles | |
| User notepad | Users can write, upload, download and read notes. Notes can be read as raw text files or as Wiki pages interpreting the Wiki markup syntax. The user-quota that admin can control is used to set the maximum size that user notes can take. | tiki_p_notepad | N/A |
| User Page | Permits each user to have a personal wiki page. | ||
| Shoutbox | Quick comment (graffiti) box. Like a group chat, but not in real time. | tiki_p_view_shoutbox tiki_p_admin_shoutbox tiki_p_post_shoutbox | no |
| Contact | Basic form from visitor to admin | N/A | |
| MyTiki Webmail | Give users Web-based access to their POP3 or IMAP e-mail accounts | tiki_p_use_webmail | N/A |
| Shopping Cart | Products or services can be maintained in wiki pages or Pretty Tracker and added to Module Cart through the PluginAddToCart and sent to payment. | ||
| Friendship network | Users can identify other users as their friends. | ||
| WebHelp | The generated webhelp is a static representation of the structure with a js tree that can be used to navigate the structure and a search function, print function, history and some other gizmos. | | |
Demo site for testing
Log in here (user: admin / password: demo) to test giving permissions:
http://demo.opensourcecms.com/tiki/tiki-assignpermission.php?group=Registered
Category permissions
There is also a new feature in Tiki 1.9.x to restrict permissions via the category feature. Basically, you can already assign all the permissions you need as described above; assigning permissions via categories just makes it faster. This feature is a little tricky to understand. We are working to improve it. There are only two levels ("view" & "admin") in Tiki 1.9.4, and the third level ("edit" category contents) was introduced starting from 1.10.
Starting in 3.0, category permissions are in addition to Groups permissions. So if tiki_p_read_categorized allows reading items which are in a category, the user must also be in a group which allows reading the specific kind of object. The category cannot grant access to an object which the user's groups do not give him access to.
In Tiki4, the full granularity of permissions can be assigned to categories (and thus inherited when objects belong to a given category). The permissions granted to objects are the sum of all the permissions granted to categories in which they belong.
Because adding a category to an object can provide additional rights, it is important to protect who can assign categories to prevent undesired escalation. For example, if the site contains public and private information, someone with access to edit private information should not be able to make it available publicly by changing the categories. To resolve this issue, multiple permissions can be assigned to the categories.
To begin with, tiki_p_modify_object_categories determines whether the user is allowed to modify the categories of the object at all. Without this permission, it will be impossible to modify the categories. Typically, it is safe to grant this permission widely.
Then, there is higher granularity available for each category. tiki_p_add_object and tiki_p_remove_object determine if the user can add or remove elements from the category. Categories on which permissions are specified should also specify who can assign or remove those categories. When the operation is not available, the checkbox will be marked as disabled.
Additionally, some category changes may be allowed in certain contexts by defining Category Transitions, which allow a category to be changed only from a certain state. A group of transitions creates a workflow. Note that until Tiki6, category transitions are only available through Profiles.
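The category-change checks described above can be modelled as follows, together with an audit for categories that carry permissions but name nobody who may assign or remove them. This is an added example, not Tiki's own code: the groups (Editors, Publishers) and categories (Private, Public, Drafts) are constructed, and denying changes to a category that has no guard permissions configured is an assumption of this model.

```python
# Constructed model of the category-change checks described above; not Tiki's code.
MODIFY = "tiki_p_modify_object_categories"
GLOBAL = {"Editors": {MODIFY}, "Publishers": {MODIFY}}   # constructed groups
CATEGORY = {                                             # constructed categories
    "Private": {"Editors": {"tiki_p_view", "tiki_p_edit"},
                "Publishers": {"tiki_p_add_object", "tiki_p_remove_object"}},
    "Public": {"Anonymous": {"tiki_p_view"},
               "Publishers": {"tiki_p_add_object", "tiki_p_remove_object"}},
    "Drafts": {"Editors": {"tiki_p_view"}},  # grants rights, guards nothing
}

def holds(groups, table, perm):
    """True if any of the user's groups is granted perm in the table."""
    return any(perm in table.get(g, set()) for g in groups)

def denied_changes(groups, current, requested):
    """List the parts of a category change the user may not make."""
    if not holds(groups, GLOBAL, MODIFY):
        return [(MODIFY, None)]              # may not touch categories at all
    denied = []
    for cat in sorted(set(requested) - set(current)):    # categories being added
        if not holds(groups, CATEGORY.get(cat, {}), "tiki_p_add_object"):
            denied.append(("tiki_p_add_object", cat))
    for cat in sorted(set(current) - set(requested)):    # categories being removed
        if not holds(groups, CATEGORY.get(cat, {}), "tiki_p_remove_object"):
            denied.append(("tiki_p_remove_object", cat))
    return denied

def unguarded_categories():
    """Categories with permissions but no add/remove assignment for any group."""
    guards = {"tiki_p_add_object", "tiki_p_remove_object"}
    return sorted(cat for cat, table in CATEGORY.items()
                  if not any(perms & guards for perms in table.values()))
```

An Editors member who tries to move an object from Private to Public is refused on both the add and the remove, which is the escalation the paragraph above warns about; `unguarded_categories()` reports Drafts as needing add/remove assignments.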
Workspaces
Workspaces are coming to Tiki4 to further facilitate management of large & complex Tiki sites.
Note
Some information on this page is from TikiWiki forAlias
Contributors to this page: Rick, xavidp, xavi, system, Scot Wilcoxon, Mose, mlpvolt, Marc Laporte, lphuberdeau, lindon, jasondiceman, dthacker, campbe13, Bruce L. Van Buren, Branko Majic and .
Page last modified on Thursday 03 June, 2010 17:36:10 UTC by Rick.
