Users, Groups & Permissions
Creating users and groups, and managing permissions.
In Cascade we prefer to grant permissions to groups rather than individual content editors. Content editors can belong to any number of groups; and they are granted the sum of permissions received from all groups to which they belong.
Understanding Groups | Managing Groups | Managing Users
Understanding Groups
Cascade Managers can only maintain groups to which they belong, and may manage any user belonging to those groups. It is therefore necessary for all Managers to belong to all groups for their respective Cascade Site. Remember to add yourself and all fellow Managers of your Site to any new group you create.
We classify groups into two basic types:
- Role-based feature groups
- Folder-based access groups
Think of it this way:
Editors can exercise features governed by role-based groups upon portions of your Site granted by folder-based groups.
Role-based Groups
Each of your users (aka content editors) should be assigned at least one role-based group within your Site. These groups grant permission to certain features of Cascade. Role-based groups, which have a double-underscore after the Site prefix in their names, have been provided by University Web & Design. As a Cascade Manager, you will assign users to these groups.
You'll assign the vast majority of your content editors to these two role-based groups:
- [Site]__allusers
- [Site]__publishers
After you provide additional training and consultation, you may add more advanced content editors to these special role-based groups:
- [Site]__specialassets
- activates access to the grid page, slideshow page and portfolio listing assets
- [Site]__rows
- activates access to the row assets (manager-only rows not included)
- activates the row chooser on all page types
You should strictly limit membership in these two additional role-based groups, as they come with great responsibility:
- [Site]__writeanypage
- available for non-managers who require Site-wide access
- activates write access to all pages within the Site
- [Site]__html
- activates access to the source code in WYSIWYGs
- Warning: Editing the underlying HTML within page content may affect accessibility, user privacy or otherwise interfere with the functionality of our templates. Any external content added via the source code should be carefully reviewed by the Site Manager for design, usability and accessibility.
Folder-based Access Groups
In general, you should assign your content editors to at least one folder-based access group within your Site. These access groups are distinguished by a single-underscore after the Site prefix in their names. As a Manager, you are responsible for creating, assigning and maintaining these groups. A folder-based access group is assigned "write" permission to a folder in your Site.
Folder-based access groups are typically named for the folder, department, office or program of the website to which they grant access. Use additional underscore separators to indicate restriction to only a portion of a website. For instance:
- [Site]_admission
- [Site]_about
- [Site]_about_administration
Managing Groups
Create a New Folder-Based Access Group
You will need to create an access group for any website (folder within your Site) for which you need to manage user access. Remember when creating an access group, you and each of your fellow Site Managers must be a member, else you will not be able to manage the group later. Name your access groups consistently, using the following format: [Site]_[identifier]
- From the hamburger menu, go to Administration
- Choose Groups from the list, then click the Add Group button (top-right)
- Fill in the group name
- use the format: [Site]_somefolder
- Be sure to add yourself and your fellow Site Managers as users!
- Select _Contributor as the Role
- Submit
Edit an Existing Group
You can manage all the members (users) of a single group by editing the group, as opposed to editing each individual user. This applies both to role-based groups as well as folder-based access groups.
- From the hamburger menu, go to Administration
- Choose Groups from the list
- Locate (or search for) the group and click the group name
- Edit the group
- Remove a user using the X beside the respective username
- Click the Choose User button to assign additional users to this group
- Be sure to keep yourself and your fellow Site Managers as users!
- Submit
Apply an Access Group to a Folder (and its Sub-folders)
After creating a new access group, you need to grant the group write access to an entire folder and its sub-folders. This is a two-pronged process — and the most common mistake is forgetting steps 4–7.
- In the Cascade folder tree, right-click on a folder name and select "Access"
- In the "Grant access rights for specific users and/or groups" section, select an access level of "Write" and use the chooser to select the appropriate access group
- Click "Update"
- Right-click on the folder name again and select "Access for contents"
- Select "Copy users and group access rights from current folder"
- Leave this checkbox empty (unchecked): "Overwrite existing access rights on contained assets"
- Click "Merge Access Rights"
Apply an Access Group to a Single Page or File
Setting permissions on a single page or file is probably NOT something you are going to do that often, but when needed...
- In the Cascade folder tree, right-click on the page or file name and select "Access"
- In the "Grant access rights for specific users and/or groups" section, select an access level of "Write" and use the chooser to select the appropriate access group
- Click "Update"
Managing Users
Create a New User
- From the hamburger menu, go to Administration
- Choose Users from the list, then click the Add User button
- Fill in their username
- this must be their official W&M Username that they use to log into W&M CAS
- Fill in their name and email address
- these may be their preferred name and address
- Select an authentication method of Custom
- Cascade will use CAS for login
- Click the Membership and Roles tab
- In most cases the user will need to be in the following groups:
- [Site]__allusers
- [Site]__publishers
- [Site]_accessgroupname
- Select a default Site for the user
- users see a link to this Site on their dashboard
- Select Contributor as the role
- Submit
Edit an Existing User
- From the hamburger menu, go to Administration
- Choose Users from the list
- Locate (or search for) the user and click their userid
- Edit the user record, including Full Name and Email address, as needed
- the userid is not editable
- Authentication method should be Custom
- Click the Membership and Roles tab to see current group memberships
- add or remove groups as needed
- Default Site should be set to your Site
- Role should be Contributor
- Submit
Delete/Deprecate a User
As a Site Manager, your visibility into users and groups is limited to one Site. Since a user may have permission to more than one Site, we do not permit Managers to delete users. Instead, we provide a process for you to flag someone as a "deprecated user" of your Site, no longer having any permissions within your Site.
- From the hamburger menu, go to Administration
- Choose Users from the list
- Locate (or search for) the user and click their userid
- Edit the user record
- Click the Membership and Roles tab to see current group memberships
- remove current all groups
- assign to the group [Site]___deprecatedusers
- Submit
Note: Managers must be a member of their deprecated users group
You'd expect members of [Site]___deprecatedusers to be assigned to no other groups in your Site. But... Managers can only see groups to which they belong. Therefore, every Manager must be a member of their respective [Site]___deprecatedusers group. This doesn't remove any permissions — it's just an oddity of our configuration.