Every user is member of more than one user group at a time, including but not limited to the universal “Everyone“-group. These groups each provide a set of permissions that are compiled into single values for each user, where the “most beneficial” value for a permission is taken as the final value.
The Effective Permissions of an User
The simplest option type consists of a “Yes” / “No” selection, where “Yes” is considered to be the best value, making it win over any “No”. The only exception is the “Never” value – introduced with WoltLab Suite 3 – which will overrule “Yes” at all times, causing the permission to evaluate to “No”.
Other permissions are based on actual values, such as the maximum number of conversations that a user can participate in, or how many attachments can be uploaded. For these types, the largest value will be used, that is when a user is in group A (allows for 5 attachments) and group B (allows for 6 attachments), then that user may upload up to 6 attachments.
There are some permissions that work slightly different, such as infinite values, in which case you are highly encouraged to read the permission’s description. Every time there is a special condition attached to a permission, the description will tell you exactly how things will work.
Notice: With the exception to the “Never”-permission, it is not possible to decrease permission values with additional user groups. For example, if a user can already upload 5 attachments, adding that user to another group which can only upload 2 attachments, will not reduce the number. The user can still upload 5 attachments, because this is the most beneficial value.
You can enter the name of a permission into the ACP search, clicking on the result will bring up a special form that lists the values for all groups for that permission only. This allows you to modify the value for each individual group at once.
The “Everyone” group
Any visitor accessing your site will be a member of the “Everyone” group, this includes both regular members and administrators alike. This special group allows you to quickly set the baseline of permissions for your site, e.g. allowing access to sections regardless if someone is a guest or a moderator.
The true power of this user group becomes obvious when restricting access to certain sections of your site, such as internal and/or non-public forums. This is made possible because of another very special property of this group: The permissions for individual sections for the “Everyone” group can be overridden by all other groups.
Example: Setting up an Internal Forum
Forums usually have dedicated sections available to staff members only, giving them a protected space to discuss and coordinate the everyday work. Naturally, these sections should remain hidden from the general public and users. Essentially, you’ll want to exclude every user from being able to access this forum, except for your staff members.
This can be accomplished very quickly by utilizing the previously mentioned “Everyone”-group. If you recall, every visitor and user alike are members of this group, and setting permissions based on this group will apply to everyone. By denying access to the “Everyone”-group, nobody (including you) can access this forum anymore.
The next and final step is too add the user groups that should be able to access the forum, such as “Moderator” and “Administrator”, and grant them the required permissions.
Your internal forum is now ready and fully set up, neither visitors nor regular users can access or see any content that is posted in that internal forum. Granting new staff members access to that forum is as easy as adding them to the respective group.
Permissions and Inheritance
This is a bit of a complicated topic, but it is probably the most important aspect of the whole permission system. Individual sections, such as single forums, can be given separate permissions that differ from the global permissions set for users.
The “internal forum” above is a perfect example of this feature. While this works great for a single forum, things can get a bit more complicated when you want an entire section of your forum to be accessible by a small group of users only. Imagine having a category with over 10 forums, which are meant to be staff exclusive, going through the same process as above every time is quite some work and a maintenance-heavy process in the long run.
This is where the true power of inheritance comes into play. But what is “inheritance”? In short, “inheritance” means that you set the permissions at a “top level” and have everything below it being protected too.
Think of the forum section as a house. You could remove the front door, but add a lock in front of every room’s door. Only the owners can access the rooms using the same key, but they would need the key to get into every single room. This does work, but is rather unpleasant, considering that you’re constantly in the need to open and close doors using a key. Instead, you could have a single lock in the front door. If you have the key to open that door, you can access all other rooms without worrying, because you have the permission to go through the front door.
That said, you can set the permissions to the category only and all forums below it will be protected too, without the need to set any permissions to the individual forums.
Default User Groups
There are a total of 3 built-in groups that cannot be deleted or copied:
These groups are automatically assigned by the system and follow this rule:
- Guests (includes search engines) and users awaiting approval are members of these user groups: “Everyone” and “Guests”
- Regular users (includes moderators and administrators) are members of these user groups: “Everyone” and “Users”