User Roles and Permissions
GeoHazardWatch implements a role-based access control (RBAC) system that defines what actions users can perform within GeoHazardWatch. This system provides fine-grained permission control while remaining simple for administrators.
Your Current Roles and Permissions
Current User Summary
Your roles and permissions
Login Status
User Information
| Username: | Anonymous |
| Display Name: | Anonymous User |
Your Roles
No roles assigned
Your Permissions
No permissions assigned (no roles with permissions)
Available Roles and Permissions
Roles and the permissions of each role are defined in Configuration System as Access Control Policies.
Available Roles
System and user-defined roles
| Role Name | Display Name | Description | Type | Icon |
|---|---|---|---|---|
| admin | Administrator | Full system access to all features | System | |
| anonymous | Anonymous | Public access without authentication | System | |
| contributor | Contributor | Can create and edit pages | System | |
| editor | Editor | Can create, edit, delete, and rename pages | System | |
| member | Member | Community member — same read access as reader, placeholder for community-specific permissions | System | |
| reader | Reader | Read-only access to content | System | |
| user-admin | User Administrator | Can manage users — create, edit, deactivate, delete | System | |
Permission Categories
Available Actions (Permissions)
All unique actions defined in access control policies
| Category | Actions |
|---|---|
| * | * |
| admin-roles | admin-roles |
| admin-system | admin-system |
| asset-delete | asset-delete |
| asset-read | asset-read |
| asset-upload | asset-upload |
| page-create | page-create |
| page-delete | page-delete |
| page-edit | page-edit |
| page-export | page-export |
| page-read | page-read |
| page-rename | page-rename |
| search-page | search-page |
| search-user | search-user |
| user-create | user-create |
| user-delete | user-delete |
| user-edit | user-edit |
| user-read | user-read |
Display All Actions (Permissions)
* *
* admin-roles
* admin-system
* asset-delete
* asset-read
* asset-upload
* page-create
* page-delete
* page-edit
* page-export
* page-read
* page-rename
* search-page
* search-user
* user-create
* user-delete
* user-edit
* user-read
Role Assignment
Current Role Assignments
Current User Assignments are available at Security Policy Management (admin permission required)
Security Policy Summary
Permissions matrix showing which roles have which permissions
| Permission | Administrator | User Administrator | Editor | Contributor | Reader | Member | Anonymous |
|---|---|---|---|---|---|---|---|
| page-read: View pages | | | | | | | |
| page-edit: Edit pages | | | | | | | |
| page-create: Create new pages | | | | | | | |
| page-delete: Delete pages | | | | | | | |
| page-rename: Rename pages | | | | | | | |
| page-export: Export pages | | | | | | | |
| asset-read: View assets (attachments) | | | | | | | |
| asset-upload: Upload assets | | | | | | | |
| asset-delete: Delete assets | | | | | | | |
| search-page: Search pages | | | | | | | |
| search-user: Search users | | | | | | | |
| user-read: View user list and profiles | | | | | | | |
| user-edit: Edit user accounts | | | | | | | |
| user-create: Create user accounts | | | | | | | |
| user-delete: Delete user accounts | | | | | | | |
| admin-system: System administration | | | | | | | |
| admin-roles: Role management | | | | | | | |
Changing User Roles
- Access user management (admin permission required)
- Select target user
- Assign appropriate role from available options
- Changes take effect immediately
Integration with ACLs
Roles work seamlessly with Access Control Lists:
- Role-based ACLs: Use role names in ACL definitions
- Admin Override: Admin users bypass all ACL restrictions
- Hierarchical Access: Higher roles typically include lower role permissions
- Default Behavior: When no ACL exists, role permissions apply
Example ACL with Roles
Built-in Principals
Beyond user roles, the system recognizes these special principals:
- all - Everyone (authenticated and anonymous)
- anonymous - Users without authentication
- asserted - Users with session but not authenticated
- authenticated - Users with valid authentication
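The evaluation order described under Integration with ACLs, combined with the built-in principals listed above, as an added example (not GeoHazardWatch's own code). The role-to-action table, the dictionary shape of the ACL, the way a user is mapped to one of the anonymous/asserted/authenticated principals, and the rule that an ACL only narrows what a role already grants are assumptions made for illustration.

```python
# Constructed role -> action policy, inferred from the role descriptions above;
# the real mapping lives in the Access Control Policies configuration.
ROLE_ACTIONS = {
    "admin": {"*"},
    "editor": {"page-read", "page-create", "page-edit", "page-delete", "page-rename"},
    "contributor": {"page-read", "page-create", "page-edit"},
    "reader": {"page-read"},
}

def principals(user):
    """Expand a user into the principals an ACL entry may name (assumed mapping)."""
    found = {"all"} | set(user["roles"])
    if user.get("authenticated"):
        found.add("authenticated")
    elif user.get("session"):
        found.add("asserted")      # session exists, but not authenticated
    else:
        found.add("anonymous")
    return found

def decide(user, action, acl=None):
    """Return (allowed, reason). `acl` maps action -> allowed principals, or None."""
    roles = set(user["roles"])
    if "admin" in roles:                          # Admin Override
        return True, "admin override"
    granted = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
    if action not in granted and "*" not in granted:
        return False, "role lacks permission"     # assumption: an ACL never widens a role
    if not acl or action not in acl:              # Default Behavior
        return True, "role permission, no ACL"
    if principals(user) & set(acl[action]):
        return True, "ACL principal match"
    return False, "ACL restricts role"            # ACL Override

# Constructed sample users and page ACL (hypothetical, for illustration only).
EDITOR = {"roles": ["editor"], "authenticated": True}
READER = {"roles": ["reader"], "authenticated": True}
ASSERTED = {"roles": ["reader"], "session": True}
ADMIN = {"roles": ["admin"], "authenticated": True}
SENSITIVE_ACL = {"page-read": ["authenticated"], "page-edit": ["admin"]}

if __name__ == "__main__":
    for name, user in [("editor", EDITOR), ("reader", READER),
                       ("asserted", ASSERTED), ("admin", ADMIN)]:
        for action in ("page-read", "page-edit"):
            print(name, action, decide(user, action, SENSITIVE_ACL))
```

The returned reason string is the useful part when working through the Troubleshooting steps: it separates a denial caused by the role from one caused by the page ACL.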
Security Model
Design Principles
- Least Privilege: Users receive minimum necessary permissions
- Role Hierarchy: Clear progression from anonymous to admin
- Permission Granularity: Fine-grained control over specific actions
- ACL Override: Page-level security can restrict role permissions
Security Features
- Role-based access control (RBAC)
- Permission inheritance through role hierarchy
- ACL integration for page-level security
- Admin bypass capability for system maintenance
Best Practices
Role Assignment Guidelines
- Start Minimal: Assign the lowest role that meets user needs
- Regular Review: Periodically audit role assignments
- Principle of Least Privilege: Avoid unnecessary elevated permissions
- Document Changes: Track role changes for security auditing
Content Security
- Use ACLs for sensitive pages
- Combine roles with ACLs for layered security
- Regular security reviews of page permissions
- Monitor admin activities
Troubleshooting
Common Issues
- Access Denied: Check user role and page ACLs
- Missing Permissions: Verify role includes required permissions
- ACL Conflicts: Ensure ACL principals match user roles
Debugging
- Check user's assigned role in user management
- Verify role permissions match required actions
- Review page ACLs for conflicts
- Test with admin account to isolate issues
See Page Level Access Control Lists for page-level security, User Management for managing users, and System Configuration for system settings.