Forum Discussion

keithkelly's avatar
3 years ago

Permissioning for Limited Access Areas - am I about to do it wrong?

I'm about to configure boards for our partners & customers, who will have limited access....and the method I'm about to try seems too extensive to be the right way. 

For most of our community, we have an internal/external parallel structure, like:

  • Product Forums
    • Product A (category)
      • Product A Forum [internal]
      • Product A Forum
      • Product A TKB
    • Product B (category)
      • Product B Forum [internal]
      • Product B Forum
      • Product B TKB
    • etc.

 

Objectives:

  • Employees have access to everything.
  • Partners & Customers don't have access to anything labeled "[internal]"

 

Role Permissions (as of now)

  • All Registered Users (auto-assign on registration): CAN'T view or participate in
  • Employees (passed in by our IdP):  CAN view & participate in all areas

So far so good.  But, we have a test partner (Dave) with the role "Client/Partner" (as passed in by our IdP).

I'd like to open up all boards (except internal) for the Client/Partner role so Dave can hop in and participate.  How should I configure this? 

(without guidance, I'd go into each non-internal forum, and configure the Client/Partner role to be able to view/post/etc.   But that seems excessive - it'll involve making the same configuration like 25 times for *each* role that needs permissions, AND having to keep up with this with each new board we launch.)

 

  • Hi!

    Could you restructure the boards so the internal boards are in all a single internal category? That way you can manage the internal permissions at the category level instead of on each board. The external boards / tkbs can likely stay as they are and be managed through top-level permissions.

    Cheers!

    • keithkelly's avatar
      keithkelly
      Leader

      Yikes.  I see why that would simplify permission config, so I'll keep thinking that through for a while.  The trick is, we have some navigation components that make sense with the current structure, and product oversight can currently navigate to their product's category & have a single list of all topics (internal and external) that relate to that product. 

      I'll chew on that for a while . There would also be a navigational benefit to your recommendation, but the oversight benefits of the current structure may justify a PITA permission config process. 

      How much easier would this be to config via API calls? 

  • LarryI's avatar
    LarryI
    Khoros Expert

    keithkelly The solution recommended by CarolineS is the best practice.  It's so much easier to create an Internal category that only employees have access to.

    I did some research, you can only create roles via the API for each board.  You will need to set individual permissions manually in the admin since it's not supported via API.

    If you need to stay on the same path with your structure, you will need to set the permissions manually and create an "Employee" role (and set permissions for the role) in each [internal] board.

    All you will need to set for the Employee role permissions is to GRANT "See forums" and make sure it is set to DENY in the [internal] board default permissions.

    We will capture this feedback for future consideration when we look at improving roles and permissions in the future.