Public
Respected Contributor

Permission Question

Our Community is set up with the following structure:

  • Category Product Support
    • Category: Public Products
      • Category: Product 1
      • Category: Product 2
      •  
    • Category: Product Admin
      • Category Product 3
      • Category Product 4
      • Category Product 5

 

Anyone that navigates to our Community should see Category: Public Products.  

We also have some Community members that will access to one or more of the categories within Category: Product Admin (Product 3, 4, and 5), but not all of them.

Right now, I have found that I can do one of the following: 

  • First Method
    • Members that have access to Product Admin categories can see Product Admin but can also see a list of all categories under Product Admin (Product 3, 4, and 5) but will show 0 posts for the categories in which they do not have access.
    • Community members that do not have access to see any of the categories under Product Admin will not see this category listed under the category titled Product Support.
  • Second Method
    • All Community Members can see both Category: Public Products and Category: Product Admin under Category: Product Support.  If you do not have a role for that provides access to one of the Product Admin categories, you'll see Product Admin but will see 0 posts.   
    • If you have a role that should have access to Product Admin, you'll see Product Admin and only the Categories within Product Admin that you have permission to view (PRoduct 3, 4, or 5) in the Product Admin

My Goal:

  • Users that do not have access to any of the categories under Product Admin do not see the category PRoduct Admin in the category menu.
  • Users that do have access to one or more of the categories within Product Admin will see Product Admin and only the categories to which they have access. 

Has anyone figured out how to do this?  I'm happy to answer questions to help understand my goal or current setup.

9 Replies 9
Honored Contributor

Hi @jamiemccardle :

 

1. Public Products catgeory since it is global you can set the all default permissions and will be access to every one.

 

2. Product Admin Category in default permission make See categories and See Discussions style permission to Default Deny at th community level and create a separate role under the same Product admin category and make the above permission as Grant . So the users will that role will able to see Product Admin category and all other products under this category

 

3.Users who want particular sub Category under the main category follow the same permission as above and if they want to access to sub categories we need to add both roles to the users.

 

Let me know if you need any more information.

If my post is helpful and answers your question, please give "Kudos" and "Accept it as a Solution."

Thanks & Regards,
Abhishek Illindra

Respected Contributor

Thank you for your reply.  Our goal is for members with access to Categoryies Product 3, Product 4, or Product 5, will only see the categories in which they have access under Category: Product Admin.


If I'm not mistaken, I think your suggestion would allow members with access to one of the Product categories under Product Admin to see all of the categories under Product Admin even if they don't have access to those categories.  

To help understand the why, we have forty+ product categories under Product Admin.  That becomes too many in a menu and we get complaints that they only want to see what they have access to.

 

On the flip side, if we set it up so they only see the categories in which they have access in Product Admin, then the public users see Product Admin but see 0 posts and want to know why they can't see this.

 

With 300,000+ users, it becomes difficult.

I agree with AbhishekIlindra's suggestion. The main idea is to hide the "Product Admin" category itself via permissions.

One refinement you can make is that you can avoid needing an overall admin category role by putting that permission into the more specific admin roles. So to summarize:

  • Default permissions
    • GRANT seeing "Public Products" category
    • DENY seeing "Product Admin" category
    • DENY seeing "Product 3", "Product 4", "Product 5", etc.
    • Important: When adding a new product category for admins, you need to make sure the default permissions explicitly set DENY on it. Otherwise, all the admin roles will automatically see the new product category, since they can see the parent "Product Admin".
  • Example role: Product 3
    • GRANT seeing "Product Admin" category
    • GRANT seeing "Product 3" category
  • Example role: Products 4 and 5
    • GRANT seeing "Product Admin" category
    • GRANT seeing "Product 4" category
    • GRANT seeing "Product 5" category

Like Abhishek said, you can be as granular as you like with the roles and put many roles on the same user to open up certain sets of nodes.

 

 

Respected Contributor

The problem we have with this is that we have users who may have more than one role.

 

For example: 

 

user 1: Has roles for Product 4 and Product 3.

user 2: Has roles for Product 4

User 3: Has roles for Product 3 and Product 5.

 

Therefore, if we set the roles for Product 3 with the following structure and set deny Product 3 role for Product 4 and Product 5 then user 3 with roles Product 3 and Product 5 won't see Product 5 category.

 

Product Resources (category)(All Users should see this category)

  • Product Family (category) (only users with Product 3, 4, or 5, role should see this category)
    • Product 3 (category)(users with Product 3 role should see)
    • Product 4 (category)(users with Product 4 role should see)
    • Product 5 (category)(users with Product 5 role should see)

If I grant see categories as a default for Product Family then everyone on the site can see the Product Family category.  

 

If I set the Product Family see categories permission to Deny then no one can see it.

 

If I set Product Family to Grant for see categories for roles Product 3, 4, and 5 then those roles can see everything under it.

 

Our goal: 

 

Product Resources (Everyone sees this category)

  • Product Family (only roles Product 3, 4, and 5 see this category)
    • Product 3 (only users with Product 3 can see this)
    • Product 4 (only users with Product 4 can see this)
    • Product 5 (only users with Product 5 can see this)

 

Example: 

User: Product Role 4

 

Product Resources

  • Product Family
    • Product 4


Example 2: 

User: Product Role 3 and 4

Product Resources

  • Product Family
    • Product 3
    • Product 4
Respected Contributor

If we allow grant see categories for the Product Family then Deny for each subcategory they'll see the subcategories for each product, they just see 0 posts within the sub categories which leaves us in the same situation. 


@jamiemccardle wrote:

user 1: Has roles for Product 4 and Product 3.

user 2: Has roles for Product 4

User 3: Has roles for Product 3 and Product 5.

 

Therefore, if we set the roles for Product 3 with the following structure and set deny Product 3 role for Product 4 and Product 5 then user 3 with roles Product 3 and Product 5 won't see Product 5 category.

By "you can be as granular as you like," what I meant is that in the proposal, roles should grant permissions additively. The only "deny" would be to deny access to restricted areas as a default; no roles would be set up to explicitly "deny" anything. In the example above, user 1 and 3 will have two roles, and user 2 will have one role.

It can be complicated to discuss structure & permissions using words alone, so I built out a configuration to show how it can be set up.

I didn't add content to the boards, and as you can see I'm not using the same layout/customizations, so I'm not sure if this approach will be able to solve your issues around seeing categories with zero posts. But hopefully it explains the approach to selective permissions.

Respected Contributor

We confirmed it isn't possible as an out-of-the-box Admin setting.  Our amazing developer, @akshays, figured out a code that can be applied to categories to hide child and parent categories only if you have the role for one of the child categories.  I'm not sure what he created, but I can ask if he'll share if anyone is interested.

New Commentator

Thanks @jamiemccardle ,

I directly used the constraint of content being available or not under a category. For example, if the user has a role under one category : There would be some content(Categories/Boards). Else, it would be blank/null.

Code: 

<#assign query= "SELECT title, view_href, id FROM categories WHERE parent_category.id='categoryId' AND hidden=false ORDER BY position ASC" />
                                
<#assign categoryContent= liql(query) />

<#if !(categoryContent?has_content)>
<script>
    $("#categoryId").css("display","none");
//Can be different depending on your code
</script>
</#if>


Here I used just a simple if else block to hide/unhide the category.
So, if the category has no content - Do not display.

Note: You would also require to assign the category id to the element in order to use the DOM.


@jamiemccardle wrote:

If we allow grant see categories for the Product Family then Deny for each subcategory


The proposal shown in the screenshots is that

  • the topmost category should be denied to all users by default
  • the inner categories should be selectively opened to specific roles.

The screenshots do a good job of showing what I mean and how the settings manifest, but here is a "massaged" internal data dump, in case it is clearer:

 

Nodes

Node ID Path Node Type
9 /1/2/ pub Category
10 /1/2/ priv Category
11 /1/2/9/ pub1 Category
12 /1/2/9/ pub2 Category
13 /1/2/9/ pub3 Category
14 /1/2/9/11/ pub1a Board
15 /1/2/9/11/ pub1b Board
16 /1/2/9/12/ pub2a Board
17 /1/2/9/12/ pub2b Board
18 /1/2/9/13/ pub3a Board
19 /1/2/9/13/ pub3b Board
20 /1/2/10/ priv1 Category
21 /1/2/10/ priv2 Category
22 /1/2/10/ priv3 Category
23 /1/2/10/20/ priv1a Board
24 /1/2/10/21/ priv2a Board
25 /1/2/10/22/ priv3a Board

 

Default permissions for nodes

Node ID Path Node Permission Permissions
10 /1/2/ priv Deny read_board, read_category, read_message

 

Role permissions for nodes

Node ID Path Node Role Name Permission Permissions
20 /1/2/10/ priv1 Private #1 Grant read_board, read_category, read_message
21 /1/2/10/ priv2 Private #2 Grant read_board, read_category, read_message
22 /1/2/10/ priv3 Private #3 Grant read_board, read_category, read_message

 

I do not recommend using JavaScript to hide anything that is secret. Such hidden things will still be present in the page markup (not secret), and when the page is loaded, some users will see the content render and then flicker away, which can be jarring.

If you do wish to use JavaScript in your FreeMarker customizations, especially using jQuery as mentioned by @akshays, I recommend that you use the liaAddScript directive to ensure that the script runs properly and can be supported over time as the platform receives UI updates.

Welcome to the Technology board!

Curious about our platform? Looking to connect on social technology? You've come to the right place!

Are you a Khoros customer? For direct assistance from our Support team, please visit the Support Forum.