Roles in dotCMS can be configured to be flat (where all Roles are top-level Roles that are independent from each other) or hierarchical.
Permission Scope
All users assigned a Role receive the permissions assigned to that Role. A user assigned multiple Roles receives the highest (most permissive) rights of all the Roles they have been assigned (plus any rights that may have been assigned to the user individually).
Role Hierarchy
You may set up Roles in a hierarchy, where each Role may have one or more “child” Roles. You may set up any number of levels in the hierarchy, so a Role could have child Roles, grand-child Roles, etc.
“Reverse” Permission Inheritance
When Roles are set up in a hierarchy, all permissions granted to a “child” Role are inherited (upward) by the “parent” Role, so the parent Role automatically receives all permissions granted to the child Role. If a parent Role has multiple child Roles (or grand-child Roles), the parent Role receives all the permissions of all its descendant Roles.
Role inheritance allows you to create a logical hierarchy of roles where users with greater rights (such as administrators or managers) automatically have all the permissions of any Roles lower in the hierarchy, without you having to explicitly assign the same rights to the parent Roles. For example, you might create a top-level “Manager” role, a second-level (child) “Supervisor” Role, and a third-level (grand-child) “Employee” Role. In this example, Supervisors would always have all the rights assigned to Employees plus any additional rights appropriate for Supervisors; and Managers would always have all the rights assigned to both Supervisors and Employees plus any additional rights assigned to Managers. You can thus easily create Role hierarchies which mirror real-world operational or organizational hierarchies, without having to duplicate permissions assignments for multiple different Roles.
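The upward inheritance described above, modelled as an added example (not dotCMS code or its API): a Role's effective permissions are its own grants plus those of all its descendants, so a grant to a lower Role reaches every Role above it. Permissions are modelled as plain sets, and the permission names, the "Auditor" Role and the user assignment are constructed for illustration.

```python
# Added illustration of "reverse" Role inheritance; not dotCMS code.
# Role names come from the page's example; permission names, the extra
# "Auditor" Role and the user assignment are constructed sample data.
PARENT = {"Manager": None, "Supervisor": "Manager",
          "Employee": "Supervisor", "Auditor": None}
GRANTS = {"Manager": {"publish-site"}, "Supervisor": {"edit-folder"},
          "Employee": {"view-content"}, "Auditor": {"view-logs"}}


def role_permissions(role, _path=()):
    """Own grants plus the grants of every descendant Role (inherited upward)."""
    if role in _path:
        raise ValueError(f"cycle in Role hierarchy at {role!r}")
    perms = set(GRANTS.get(role, ()))
    for child, parent in PARENT.items():
        if parent == role:
            perms |= role_permissions(child, _path + (role,))
    return perms


def user_permissions(roles, individual=()):
    """Union over all assigned Roles plus rights granted to the user directly."""
    perms = set(individual)
    for role in roles:
        perms |= role_permissions(role)
    return perms


def roles_reached_by_grant(role):
    """Roles that end up holding a permission granted to `role`:
    the Role itself and every ancestor above it."""
    reached, seen = [], set()
    while role is not None:
        if role in seen:
            raise ValueError(f"cycle in Role hierarchy at {role!r}")
        seen.add(role)
        reached.append(role)
        role = PARENT[role]
    return reached


if __name__ == "__main__":
    for r in PARENT:
        print(f"{r:<10} {sorted(role_permissions(r))}")
    print("grant to Employee reaches:", roles_reached_by_grant("Employee"))
    print("user [Supervisor, Auditor]:",
          sorted(user_permissions(["Supervisor", "Auditor"])))
```

Running `roles_reached_by_grant` on a Role before granting it a sensitive permission lists every Role whose users will receive that permission as well.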
Important:
- Role inheritance is the reverse of the way permissions are inherited when working with folders and other dotCMS objects (where an object inherits the permissions applied to its parent object).
- Roles in dotCMS are the only place in dotCMS where permissions use this reverse inheritance scheme.
- If you do not wish to manage hierarchical Roles, or the reverse inheritance scheme is confusing for your administrators, you can create all Roles as top-level Roles so that your system does not use any hierarchical Roles or Role inheritance.
- Since you must create a “parent” Role before you can create a “child” Role, it is important to plan your desired Role hierarchy before creating and configuring Permissions for your Roles.
- For more information on Permission Inheritance, please see the Permission Inheritance documentation.
Viewing and Editing Role Permissions
To view the permissions assigned to a Role:
- Select System -> Roles & Tools from the navigation side bar.
- Select the Role you wish to view.
- If the Role you wish to view is not visible, you may need to expand a top-level Role to display its child and grand-child Roles.
- You may search for a Role by typing a portion of the Role name into the Filter field at the top of the detail area.
- Click the Permissions tab.
To edit Role Permissions, select the appropriate values for the objects and object types in the Permissions matrix.
For more information on assigning Role permissions, please see the Assigning Permissions documentation.