Section Segmentation and User Permissions Part 2 of 2

The permission system controls access to your site's content and functionality. It includes a set of user accounts and access permissions. Here, we focus on the relevant concepts and how to manage the permission system in the Administration Interface. This article is the second in a mini-series based on concepts presented in the new book eZ Publish Advanced Content Management. It includes an example at the end that builds upon what was discussed in the first article in this series in order to create a protected area on a site.

Note that this article assumes that you have administrator-like permissions in order to access the Setup tab in the Administration Interface. For information about the general layout of the Administration Interface, see this article or the eZ Publish Content Management Basics book. You should also have general knowledge on how to create and edit content in the Administration Interface.

This article was written to be compatible with eZ Publish 4.0, although the concepts and procedures should be similar for other versions.

Permission system overview

Without permissions, access to everything on a site is completely denied; it is only by the cumulative assignment of permissions that users are permitted to view content and use site functionality.

The permission system can be split into four components, as illustrated in the following figure:

Permission system components

As shown, the four components are:

• Policy: a rule granting access to a part of a site or site functionality.
• Role: a named collection of policies.
• User: a definition of a valid user account on the system. User accounts can be created via three methods: through the Administration Interface by an existing Administrator user (by default, Editor users do not have access to the User accounts tab); through self-registration on the front-end of the site; and imported from external systems.
• User group: a named collection of users. User groups can contain sub-groups.

eZ Publish comes with a set of built-in user groups, and at least an Administrator user and an Anonymous user. This ensures that there is a way to log in to perform site management tasks (and add more users and groups to the system), and that unregistered site visitors are permitted to view unrestricted content.

Similar to how a user group consists of users and possibly other groups, a role consists of policies. Roles can be assigned to user groups or individual users. Note that policies cannot be assigned directly to users or groups.