Roles are a specialized form of user groups. You can grant permissions to roles or include them in steps within a workflow schema as you can for user groups. However, unlike user groups, the users assigned to roles are not fixed; You can assign users or user groups to a role for individual assets.
Roles are created under the Users folder by a system administrator. Each asset has a roles screen to allow an administrator to assign users or user groups to a role. You can use roles when selecting users or user groups to assign permissions to, or when adding them in a workflow schema. In this case, only the users or users groups assigned to that role for that asset will be given that permission or be able to make the approval in Workflow.
Roles are generally not recommended for a system that only has one site. When you use roles, all permission checks within the system can be slower as they are highly dynamic. If you are considering using roles, make sure you have the hardware to cope with the additional database load. As an alternative, you could try using a dynamic workflow.
Consider a site with the structure shown in the figure. This site has three sets of people who maintain it.
Team A maintains the Home Page and About Us pages.
Team B maintains the Articles section.
Team C maintains the Resources section.
Each team has an administrator who leads the team. This person is responsible for approving all changes made by their team through Workflow. Each team also has a legal expert who must approve all content changes before making it available to the public.
The users are grouped into user groups. Each team requires write permission on the pages they maintain except for the team’s administrator, who requires admin permission.
The desired Workflow for all of the pages in the site is:
The legal expert approves content changes made by other members of the team.
The administrator approves content changes made by other members of the team.
This Workflow is simple, but it does require three Workflow schemas to be created, as each step requires you to assign a different user for each of the three sections.
You could create a new set of user groups, as shown, to avoid this situation. Then we can change the workflow schema to look like this:
A member of the Legal Experts user group approves content changes made by other team members.
A member of the Admins user group approves content changes made by other members of the team.
This schema allows us to add new team members in the future. However, it introduces a situation wherein users in the Workflow receive messages informing them that a piece of content requires reviewing. However, that piece of content may not be within their section of the site.
By using roles, we can avoid this problem. Create two roles: an Administrator role and a Legal expert role. For each asset in the site, we assign the roles and which user performs which role on the Roles screen. The role assignments needed are:
- Home page
The Team A admin user fulfills the Administrator role and the Team A Legal user fulfills the Legal Expert role.
- About Us page
The Team A admin user fulfills the Administrator role, and the Team A Legal user fulfills the Legal Expert role.
- Articles section
The Team B Admin user fulfills the Administrator role, and the Team B Legal user fulfills the Legal Expert role.
- Resources section
The Team C admin user fulfills the Administrator role, and the Team C Legal user fulfills the Legal Expert role.
We can now change the Workflow Schema to look like this:
The Legal Expert role approves content changes made by other members of the team.
The Administrator role approves content changes made by other members of the team.
When a piece of content requires reviewing, only the users assigned the roles for that asset will receive internal messaging to approve that content. For example, if an editor changed the home page, only the Team A Legal user and the Team A Admin user will receive the message to approve the changes.
Once you create your role, you can configure its settings on associated asset screens. Read the Asset screens documentation for more information about the common asset screens in Matrix. This chapter will describe the Details screen, which is different for a role.
The Details screen lets you change the name and status of a role. Read the Asset details screen documentation for more information about the status, future status, and thumbnail sections of the details screen.
The Role Assignments screen on a user account lets you view all of the roles that a user has assigned. It also lets you reassign these roles.
The screen has three sections.
The first section lists the roles assigned directly to this user. The user in the previous example fulfills the Lawyers role on the Home and About Us pages.
The second section lists the roles this user has inherited through a user group.
In the previous example, the Content authors user group is assigned the Lawyers role on the Manuals and News pages. Thus, the example user also has these roles as they are under the Content authors user group.
On this screen, you can reassign the roles directly assigned to this user. To do this, click the Reassign box for the role you want to reassign. In the Reassign selected role assignments to field, select the user or user group to which you want to reassign this role.
To assign a role to an asset, right-click on the asset, and select Roles. Select the role in the Select a role field, and in the Select the users who will perform the role on this asset field, select either the user or user group who will perform this role. If you select a user group, all of the users stored under that group will be assigned this role. You can add additional users or user groups by clicking More….
You can also select to globally assign the role by selecting Allow globally assigned users to perform this role. You can select this option without having to select a user or user group in the field above.
Read the Globally assigning roles section for more information on global assignments.
Red the Asset roles screen for more information about the Roles screen.
You can view the roles assigned to a user on the Role Assignments screen. Right-click on the user account asset in the asset tree and select Role Assignments.
The screen has two sections: The first section lists the roles directly assigned to this user. The second section lists the roles assigned to this user through a user group.
Read the [roles-assignments-screen] for more information about role assignments.
You can reassign the roles assigned to a user on the Role Assignments screen. Right-click on the user account asset in the asset tree and select Role assignments. Click the Reassign box for the role you want to reassign. In the Reassign selected role assignments to field, select the user or user group to which you want to reassign this role.
Once you have created your roles and assigned them to your site’s assets, you can grant permissions to the roles or use them as conditions within a Workflow Schema. Only the users or user groups assigned to a role inherit the permissions given to that role.
If you use a role in Workflow, again, only the users or user groups assigned that role for that asset will be able to review the content.
|Do not use Global role assignments on a large site because you may experience performance impacts. Instead, consider applying roles using the Roles screen of an asset.|
Role assets can have user group assets, user accounts, and other role assets linked beneath them. User or user groups linked under a role are assigned the role globally.
For example, consider the role hierarchy shown. This hierarchy uses roles, user groups, and back-end users under the user folder in the asset tree.
The home page has content editor and page editors roles assigned to it. Instead of selecting a user or user group, however, the Allow globally assigned users to perform this role is selected.
The content editor role is then assigned write permission to the Home page.
Therefore, any user or user group possessing the content editor role, legal writer role, or page editor roles will have write permission on the home page.
Also, the global assignment of the content editor and page editors roles means that joe smith and the global editors user group have write permission on the home page.
To globally assign a role for an asset, select Allow globally assigned users to perform this role on the Roles screen. You can also change this option through the Global field in the Current section of the Roles screen.