The permission system in eZ is best explained with an example:
Let us assume you are managing a newspaper website. Your crew consists of an editor-in-chief and several editors responsible for particular sections of the paper: general news, local news, sports etc. You also have contributors who occasionally add new articles.
You want to give the editor-in-chief access to most parts of your website, while the individual editors will only work with their own sections. Contributors should be able to create new Content, but not to modify or delete existing Content.
To set this up you need to create a number of different Roles: Editor-in-Chief, one Editor Role per section, and Contributor.
Even if you plan on having only one editor-in-chief, it is good practice to create a User group to contain this user, and assign a Role to it instead of assigning permissions directly to the user.
To each of these Roles you need to assign proper Policies, giving them the right to perform certain actions.
The Editor-in-Chief Role would have the most Policies (although you may want to reserve some more advanced permissions only for system administrators). Regular Editors need Policies allowing them to create, modify and delete Content. Contributors can be given Policies permitting them to only create Content.
If you want to prohibit Editors from accessing Content from newspaper sections other than their own, you can add limitations to their Policies. This means that instead of one Editor Role you need separate Roles for each editor profile: Local Editor, Sports Editor etc. All of these Roles have the same Policies, but each Policy carries a limitation so that the permission covers only the one Section (sports section, local news section etc.) that the editor works in.
Aside from Policies that define access to Content items, there are also many other Policy types concerned with administrating the system. They cover actions such as activating new Users, creating Sections, modifying Content Types etc.
A Role consists of a number of Policies, each of which defines access to one functionality of one module (for example modifying articles).
Creating new Roles
Assigning Roles to Users
A User (or User group) can be assigned more than one Role.
A Policy can be understood as a permission for a single action in a specified part of the website system. Each Role can be assigned any number of Policies.
A Policy consists of:
- module - the part of the website or system it concerns, for example: Content, User, Role, Section
- function - the action on the module it allows, for example: Create, Edit, Assign
- (optional) limitations
By default a User or User group has no permissions. Roles and Policies are used to grant permissions to do something, not to prohibit doing it.
Limitations further specify permissions granted by a Policy by narrowing their scope. For example, a limitation may state that a given Policy covers only a selected Content Type or Section.
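The following is an added, stand-alone model of the Role/Policy/Limitation scheme described above (both the newspaper example and the Policy definition). It is not eZ code and does not use the eZ API; it reproduces the rules the text states (permissions are granted, never denied; a User or group with no Roles has no permissions; a User may hold several Roles and inherits the Roles of its groups; a limitation narrows a Policy to selected Sections) with a simplified Section limitation only. User, group and Section names (`alice`, `bob`, `sports`, `local`, ...) are constructed for the example.

```python
"""Model of the Role / Policy / Limitation permission scheme.

Added illustration, not eZ's own implementation: it models only the rules
stated in the text, with a Section limitation as the single limitation type.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Policy:
    """One permission: a function of a module, optionally limited to Sections.

    sections=None means "no limitation": the Policy covers every Section.
    """
    module: str
    function: str
    sections: Optional[FrozenSet[str]] = None

    def allows(self, module: str, function: str, section: Optional[str]) -> bool:
        if (self.module, self.function) != (module, function):
            return False
        if self.sections is None:          # unlimited Policy
            return True
        # Limitation: only the listed Sections are covered. Actions that have
        # no Section at all (e.g. user/activate) never match a limited Policy.
        return section is not None and section in self.sections


@dataclass(frozen=True)
class Role:
    name: str
    policies: FrozenSet[Policy]


class PermissionCheck:
    """Roles are assigned to Users or User groups; a User inherits the Roles
    of every group it belongs to. Nothing is ever denied explicitly: access
    exists only if some Policy on some assigned Role grants it."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[Role]] = {}   # subject -> assigned Roles
        self._groups: Dict[str, Set[str]] = {}   # user -> group names

    def assign_role(self, subject: str, role: Role) -> None:
        self._roles.setdefault(subject, set()).add(role)

    def add_to_group(self, user: str, group: str) -> None:
        self._groups.setdefault(user, set()).add(group)

    def roles_for(self, user: str) -> Set[Role]:
        roles = set(self._roles.get(user, ()))
        for group in self._groups.get(user, ()):
            roles |= self._roles.get(group, set())
        return roles

    def can(self, user: str, module: str, function: str,
            section: Optional[str] = None) -> bool:
        # Default deny: an empty Role set yields False from any().
        return any(p.allows(module, function, section)
                   for role in self.roles_for(user)
                   for p in role.policies)


def section_editor(section: str) -> Role:
    """Same Policies as a full Editor, each narrowed to one Section."""
    lim = frozenset({section})
    return Role(f"{section.title()} Editor", frozenset({
        Policy("content", "create", lim),
        Policy("content", "edit", lim),
        Policy("content", "remove", lim),
    }))


def build_newspaper() -> PermissionCheck:
    """The newspaper setup from the text, with constructed user names."""
    editor_in_chief = Role("Editor-in-Chief", frozenset({
        Policy("content", "create"), Policy("content", "edit"),
        Policy("content", "remove"), Policy("section", "assign"),
        Policy("user", "activate"),
    }))
    contributor = Role("Contributor", frozenset({Policy("content", "create")}))

    pc = PermissionCheck()
    # Good practice from the text: assign the Role to a group, not the person.
    pc.assign_role("Editors-in-Chief", editor_in_chief)
    pc.add_to_group("alice", "Editors-in-Chief")
    pc.assign_role("bob", section_editor("sports"))
    pc.assign_role("carol", section_editor("local"))
    pc.assign_role("carol", section_editor("sports"))   # two Roles on one User
    pc.assign_role("dave", contributor)
    return pc


if __name__ == "__main__":
    pc = build_newspaper()
    print(pc.can("bob", "content", "edit", "sports"))   # True
    print(pc.can("bob", "content", "edit", "local"))    # False
```

Because Policies only grant, holding two Section-limited Roles (as `carol` does) simply widens what is allowed; there is no ordering or precedence to reason about, which is what makes the model easy to audit: to find out what a User can do, enumerate the Policies of all assigned Roles and their limitations.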
To change the name of an existing Role, click its name in the list to view its details and then click Edit role name. In this screen you can also remove a Role by clicking Delete.