About Aurora roles and permissions
Your community uses permissions to determine the actions that your community members can take and which community areas and features they can access. Instead of setting each of these permissions manually, permission settings are grouped into roles and then you can assign these roles to members. Khoros provides a set of default roles. You can modify these roles (although we don’t recommend it) and create your own roles. You can also create a relationship between your community ranks and roles so that members get new roles and receive additional permissions as they advance through the ranks. Each role has a setting for each permission. When you define a role, you can set some permissions directly and leave the default settings for the rest. After you define your roles, you can set up the ranks in your community to assign (and remove) roles when members change ranks. The higher the rank, the more access it’s likely to grant the member. In addition to controlling member access within a community, you can also use roles to gather metrics on community usage or to establish criteria for gaining a rank. Although it’s more common to use a rank to grant a role, you can also use a role to assign users a rank. Some communities use this technique, for example, to assign a special rank to community moderators by using a role as the criteria for granting a rank. Similarly, you may want to create a role specifically for your employees. They might have the same permission settings as other community members, but you can use a special employee role as the requirement for a corresponding rank to identify them as employees to the rest of the community. Note: Groups use the default community roles as well as a set of roles specific to groups. Learn more in Group roles and permissions. Related topics: Create a role Default Community roles Permission descriptions Add members to roles Best practices: roles and permissions You can also receive self-paced training on roles and permissions in our Build Khoros Communities course.Aurora out-of-the-box community roles
At launch, new communities normally have several default roles. You can add more roles as needed as your community grows. Members who join the community are automatically given the permissions granted in the Community Permission Defaults (see Permission descriptions); the out-of-the-box roles defined here either grant a member permissions additional to (or different from) the default ones or offer a way to designate that a member belongs to a specific group. Note: Roles are still being researched and developed. These may change in future releases as we add more features. Role Permissions Administrator All permissions in the system as well as the ability to grant permissions to other users. Khoros This role is used to indicate that a member is a Khoros employee but does not give any permissions different from the default set. Moderator Permissions that enable moderators to manage members and posts, including updating, moving, and deleting posts in the community. Analytics Permissions to access the Community Analytics area for Aurora. Blog Author and Blog Moderator Permissions that enable the member to do the following: Update boards Start topics Publish, update, or delete posts Upload file attachments BlogAuthor Permissions that enable the member to do the following: Start new posts Manage comments on own posts Comment on posts KBAuthor Permissions that enable the member to do the following: Create, edit, publish, and manage articles Delete one's own articles Although these roles are intended for new communities, you can continue to use them as your community matures. For well-established and active communities, however, even the most restrictive roles have more access than you might want to give beginners. As a result, one of the most common roles that many communities create is one that limits access for brand new users (newbies). This role is typically assigned using a rank (coming in a later release) that new users automatically receive as soon as they join the community. It’s also a rank that users can grow out of quickly, so the requirements for the next higher rank, where users acquire additional permissions and drop the newbie role, are typically lenient. You can create your own roles with permission sets that fit the needs of your community. Related topics: Create a role Assign roles to members Permission descriptionsAbout Content permissions
You can adjust permissions related to content at the community, container (category & group), and board level. Some permissions are set to Deny by default while others are set to Grant by default. At the container level and the board level, permission defaults and role permissions are inherited from the parent level. In those cases, the Inherit button is displayed in green to indicate that the permission was set to Grant at the parent level or red to indicate that the permission was set to Deny at the parent level. As an admin, you can manage these permissions. To manage content-related permission defaults at the community level: Note: To manage this permission at a lower level, go to the [Place] Permissions page and edit the permission defaults for that level. To manage this permission for a particular role, go to the [Place] Permissions page at the desired level of the community and edit the permissions of the individual roles. Go to the Roles and Permissions page for the community. Beside Community Permissions Defaults, select Edit. Review permissions in the following areas: Blogs Content Events Ideas Knowledge Bases Select Deny or Grant as required. Unless you have specified different permissions for certain roles or levels below the community level (a category, group, or board), these selections affect all members of the community. Content permissions While Forum permissions are granted by the Content permissions, Blogs, Event Boards, Ideas boards, and Knowledge Bases have distinct permission sections for content type-specific tasks. The Content permissions are provided for general content access and tasks and relate to all content types. Follow the links in the table below to learn more about the tasks granted by these permissions. Permission Default Related permissions in content type sections Read discussions and content Grant Blogs: Read posts and Read comments Ideas: Read ideas and comments Reply to discussions and content Grant Blogs: Comment on posts Events: Comment on events Ideas: Comment on ideas Knowledge Bases: Comment on articles Start discussions and new content Grant Blogs: Start new posts Events: Post new events Ideas: Post new ideas Knowledge Bases: Create, edit, publish, and manage articles Edit own posts Deny Blogs: Edit own published posts Events: Edit own events Ideas: Manage ideas and comments Knowledge Bases: Edit own published articles Edit any post Deny Blogs: Edit any published post Events: Edit all events Ideas: Manage ideas and comments Knowledge Bases: Edit any published article Move content Deny Blogs: Manage any posts and Manage own posts Delete own post Deny Blogs: Manage own posts Events: Delete own events Knowledge Bases: Delete own articles Delete any post Deny Blogs: Manage any posts Events: Delete all events Ideas: Manage ideas and comments Upload file attachments Deny Embed external content Grant Use simple HTML in posts Grant Use advanced HTML in posts Deny Use full HTML in posts Deny Make content read only Deny Post read-only content Deny Bypass moderation Deny Blogs: Bypass comment moderation Events: Bypass comment moderation Ideas: Bypass moderation Knowledge Bases: Bypass comment moderation Related topics: About Aurora Community site structure About Aurora Content TypesAurora: Create a role
Aurora provides several out-of-the-box roles,but you can also create your own to fit your community's needs. Roles can be added and edited at the community level, the group or category level, and the board level. Create a new role at the community level Create a new role at the category level Create a new role at the board level Create a new role at the community level Sign in to the community as an Admin user and go to Settings > Users > Roles and Permissions. Click Add Role. On the Add Role window, enter an ID. Note: The role ID cannot be changed later. (Recommended) Enter a Description of the role. Click Save. The Add Role window closes, and the newly created role is displayed in the list on the page. Open the Options menu for the role and click Edit to adjust the permissions (Inherit, Deny, Grant, or Assign) for the role as necessary. Note that choosing Inherit leaves the permission set to the community default as indicated on the tooltip for that permission. After creating a role, you can also clone or delete it as necessary. You can also add members to the role. Create a new role at the category level Sign in to the community as an Admin user and go to Settings > Users > Roles and Permissions. Open the desired category from the place picker. On the Category Permissions page, by Category Roles, click Add Role. Alternatively, if you want to create roles for group that will be contained in this category, click Add Group Roles, found by the Group Roles section. On the Add Role window, enter an ID. Note: The role ID cannot be changed later. (Recommended) Enter a Description of the role. Click Save. The Add Role window closes, and the newly created role is displayed in the list on the page. Open the Options menu for the role and click Edit to adjust the permissions (Inherit, Deny, Grant, or Assign) for the role as necessary. Note that choosing Inherit leaves the permission set to the community default as indicated on the tooltip for that permission. After creating a role, you can also clone or delete it as necessary. You can also add members to the role. Create a new role at the board level Sign in to the community as an Admin user and go to Settings > Users > Roles and Permissions. Open the desired knowledge base, blog, ideas, or forum from the place picker. On the Permissions page for the knowledge base, blog, ideas, or forum, click Add Role. On the Add Role window, enter an ID. Note: The role ID cannot be changed later. (Recommended) Enter a Description of the role. Click Save. The Add Role window closes, and the newly created role is displayed in the list on the page. Open the Options menu for the role and click Edit to adjust the permissions (Inherit, Deny, Grant, or Assign) for the role as necessary. Note that choosing Inherit leaves the permission set to the community default as indicated on the tooltip for that permission. After creating a role, you can also clone or delete it as necessary. You can also add members to the role. Related topics: Out-of-the-box community roles Add members to roles Permission descriptionsAurora: Clone a role
If you want to create a role that is nearly identical to a previously created role, you can clone the previously created role and its permissions, then change it as desired. You can perform this task at the community, category, group, or board level. To clone a role: Sign in to the community as an Admin user and go to Settings > Users > Roles and Permissions. On the Roles and Permissions page for the community, a category, a group, or a board, hover your cursor over the role you want to clone, then click the Options icon (ellipsis). In the Options menu, select Clone. On the Clone Role window, enter an ID. Note: The ID cannot be changed later. (Recommended) Enter a Description for the role. To copy the members from the previously created role to the cloned role, turn on the Also copy members option. Click Save. The Clone Role window closes, and the newly cloned role is displayed in the list on the Community Roles page. You now have the ability to clone or delete the role.Aurora: Delete a role
If you no longer need a particular role, you can delete it from your community, a category, a group, or a board. On the Roles and Permissions page for the community, a category, a group, or a board, hover your cursor over the role you want to delete, then click the Options icon (ellipsis). In the Options menu, click Delete. On the Confirm Delete window, click Delete. Click Save. The Confirm Delete window closes, and the role no longer displays in the list on the page. Related topics: Create a role Clone a roleAurora: Add members to roles
You can add community members to any of the default community roles or the roles you've manually created. A member's assigned role determines what they can and cannot do in the community. You can also assign roles to members from the Member Permissions page as described inLook up a member's roles and permissions. To add members to roles: Note: To add members to a role at a lower level, go to the [Place] Permissions page at the desired level of the community and then add members to the role. Sign in to Aurora as an Admin user and go to Settings > Users > Roles and Permissions. On the Community Roles and Permissions page, click Options menu of the role to which you want to add members and click Edit. On the Edit Role page, click Add Members. On the Add Members window, in the Members field, enter the name or the username of the member to whom you want to assign the role. In the drop-down menu, select the member. Repeat steps 4 and 5 to continue adding members. Note: To remove a member, click the X icon next to their username. Click Save. Note: You can managethe roles assigned to individual members from their member profile page. Learn more about managing member roles. Related topics: Import members from a CSV fileAurora: Best practices: roles and permissions
When you first launch a community, permissions and roles are fairly easy to manage because there are a limited number of roles, ranks, and members. As your community grows, you will need to add new ranks and roles to further segment your membership and reward the most active participants. Although you can set individual member permissions one at a time (not recommended), Khoros Communities are designed to help you manage permissions through a hierarchy of roles at the community, category, and board levels. The advantage to this approach, aside from the obvious reduction in the sheer number of moving parts, is a more predictable and manageable permissions structure. The cornerstone of this structure is a link the system creates between roles that have the same name, but that exist at different levels in the community. When you assign roles to members at the community level, they automatically inherit membership in roles that have the same name at the category and board levels. The settings for the new board-level role are stored with those of the higher-level role. Best practices for working with permissions and roles Keep it simple, especially when first launching your community. In the early days of the community, before your active members emerge, you can get by with just a few default roles (Administrator, Moderator, and Khoros or community defaults). At this stage, you want to encourage participation by making it easy for new members to sign in and start posting. You can add roles later as you need them. Set your community-level defaults to the lowest common denominator in terms of access. These defaults apply to all new community members at all levels of the community and are typically the most restrictive settings. As members gain experience in the community and advance up through the ranks, you can give them additional permissions through roles that explicitly grant access. You can always override these defaults with role-based settings at the category or board level. Create roles at the community level, and then create category- or board-level versions of the same roles if you need them. The purpose of a category- or board-level role is to override the community-level settings for a specific category or board. Members who have the community-level role also get the permission settings from the lower-level roles. The names of the roles at all three levels must be exactly the same—including capitalization and spacing—for the connection between roles to work. For example, “Vip” and “VIP” are not the same. The lower-level settings apply only when members are at that level. For example, a category-level permission applies only to members in that category. Elsewhere in the community, community-level permissions are in effect. Always assign roles at the community level rather than at lower levels. This enables you to manage roles and permissions from a single location rather than having to go to each category, for example, and listing the members who have a role assigned to them. Members get the access allowed by the community-wide settings as well as the category-level or board-level override settings for specific categories or boards. The category- or board-level roles typically give members access to areas or features that are off-limits to the rest of the community. Always use roles to assign permissions. The system is designed to track membership in a role, not individual permission settings. As a result, you can easily determine which roles a member has or which members are assigned to the same role. While you cannot assign permissions to individual members, you can look up which roles & permissions are assigned to a particular member (see Look up a member's roles and permissions.) Observe these general tips: Configure permissions and roles to the Principle of Least Privilege. (Apply only the minimum required permissions for a role.) Change permissions within roles only where the default, inherited permission doesn't suffice. For each role, fully document the function of each role, its included permissions, and its purpose and location (for example, if it exists at child levels of community). Provide these details in the role description. Use an informative and consistent naming convention when creating roles. Clear and concise role names make roles much easier to scan and manage and enable new admins to intuit the meaning/purpose of a role.Aurora: Permission descriptions
Each Khoros community permission enables users to perform specific actions. These permissions are assigned (either by default or manually) to different community roles. Permissions are grouped by feature area on the node where you’re assigning them: Accepted Solutions Analytics Badges Blogs Boards Case Portal Categories Community Content Escalations Events Following Groups Ideas Inbox Knowledge Bases Likes Media Member Management Member Profiles Mentions Moderation SEO Tags Widgets A description and a recommendation as to the type of member who should be granted this permission are displayed by each of the permissions so you know exactly what you’re granting and to whom. You can set permissions globally or at the node level (category or board) in the community structure. For each permission, you can keep the out-of-the-box default setting or explicitly Grant or Deny permissions as needed. About permission levels Manage community permission defaults About permission levels Permissions can be set to Inherit, Deny, Grant, or Assign. Inherit – Person has the permission defined in the node or node-level role above the current level. Therefore, this level does not display when you’re managing community permissions defaults but does display for the category, group, and board levels. You can hover your cursor over the Inherit button to see whether the inherited value is Deny or Grant (the button is also displayed as red for Deny and green for Grant). Deny – Person does not have the ability to take action described by the permission. Grant – Person has the ability to take action described by the permission. Assign – Person has the ability to take action described by the permission and has the ability to grant the permission to other members. Typically, this should be given only to Administrator roles. If you look at the Administrator role, you'll notice that all permissions are set to Assign since Admins can grant permissions to other users. As a general rule, only Admins should be able to Assign permissions to others. There are a few use cases where this could change, but typically speaking, Administrators should be the only ones that have the ability to manage permissions in the community. The different permission levels cascade down to any nodes below them, but certain permissions at higher nodes will override lower-node permissions: Assign Overrides any other permissions given at lower-level nodes Explicit Grant Overrides Default Deny, Explicit Deny, and Default Grant at lower-level nodes Explicit Deny Overrides Default Grant and Default Deny but not Explicit Grant at lower-level notes Default Grant Overrides Default Deny but not Explicit Deny at lower-level nodes Default Deny Does not override anything at lower-level nodes Note: If there are conflicts within roles, the explicit exists to override the default. So for example, if you set a permission to Assign at a particular level, all levels below that for that permission will be overridden even if they are set to Deny (including if you manually/explicitly set it to Deny). Note: It is a community management best practice to modify permissions at a role level rather than at a user level to ensure consistency across the community. Manage community permission defaults Setting community permission defaults enables you to grant the base permissions for all members of the community. To manage community permission defaults: Go to Settings > Roles and Permissions. In the Community Permission Defaults section, click Edit. (Optional) To jump to a specific permission to manage, enter it in the Find a permission field. Set Deny or Grant access for the settings in each area. Each permission entry displays a description and recommended deny/grant status, as shown in this example:Aurora: Import members from a CSV file
To import or remove a large number of members at one time, you can use bulk import to add and remove members via a CSV file. Your CSV file needs to include the following for each member: “ADD” or “REMOVE” indicator Username or email address The roles you want added or removed To bulk add or remove members: Go to the Settings > Roles and Permissions page. In the Community Roles area, click Assign Roles in Bulk. On the Assign Roles in Bulk window, browse for the CSV file on your local machine. In the Charset drop-down menu, select the character encoding of the CSV file you’re importing. The default for Microsoft Windows operating systems is windows-1252 for most locales saved through Microsoft Excel. Click Start Assignment. Larger sets of members may take longer to be imported. When the import is complete, you receive an email indicating whether it was a success or if there were any errors that need to be corrected. Related topics: Create a role Add members to roles
