The User Group Manager component allows the creation of groups, to manage user permissions.
Select the User Group Manager in the site-tree and open in a new window. You will see a view similar to the following.
Note: Generally when making changes in the User Group Manager the changes are not saved until you click Apply
Normally when sites are created they are provided with two User Groups, the Visitor user group and the Registered Visitor user group. As the Site Owner you are able to see both groups, and will be able to see any other groups that get created.
Depending on who you are logged in as, you may also see sections at the top for the Reseller and Site Owner groups.
There is only one member of the Site Owner user group at a time. Only the Server Owner can change the Site Owner.
It is important to understand that users can only see User Groups below their own in the control hierarchy, and can never see their own User Group. A user cannot access their own User Group control otherwise they would be able to change their own permissions. So, even as Site Owner, you will not see the Site Owner user group displayed on the User Group Manager surface.
Custom User Groups
In addition to any User Groups that are provided with the site on creation, any number of additional User Groups can be created.
Method - to create a new user group:
Right-click on the User Group Manager surface.
Type in the name for the new User group.
Click Apply to save changes
Generally users are managed through the User Manager component, however when configuring the User Group manager it may be useful to directly manage users that are in a particular user group.
Right-click on the user group
The User Picker dialog is opened, with the user group pre-selected.
From here you can Add, Edit or Remove users
Control Rules can be created between user groups, by right-clicking on the controlling-group, selecting 'Create Control Rule' and then drawing a connector to the controlled-group.
In the above example the 'Site Owner' group has control over the 'Registered Visitor' group. This enables delegation of tasks to the managed-group, for example, editorial decisions, order-processing or other work-flow tasks.
An unlimited number of user groups and levels can be created to allow for flexible management within large Enterprises.
The vertical position of a User Group on the User Group Manager surface has significance, and reflects the control hierarchy. In the example above it is not possible to drag the 'Staff' group to a position above the 'Manager' group.
A control rule can be set to apply to 'All users' in the controlled group, or to a subset defined by a Query.
By default, a control rule applies to 'All users' in the controlled group.
The alternative, to apply it to just the 'Users from a query' allows finer-grained control, ideal for enterprise or SaaS scenarios.
In a small organisation you could have a group "Head of department" and a group "Operators". A control rule would then enable the head of department to manage the users in the Operators group.
If you have two departments, each with a head of department and a respective group of operators, you could create four groups - one for each head of department, and one for each department's operators. You would then add two control rules, one from each head of department down to their respective operators group.
However, if you have a large number of departments then this method, while possible, becomes impractical. So, instead, you have just two groups, a generic Heads of department group, and a generic Operators group. You add a control rule between them, and set the rule to 'apply to users from a query'. The query uses criteria to define which of the operators belong to which head. This could be using any information known about the users - for example their email address domain name, or anything else.
This method is highly scalable: the use of a query can replace the need to have hundreds or thousands of individual usergroups, and replaces that with an easily managed configuration.
Types of control
When you create a control rule between two user groups, you can choose what types of control that confers. To do so, right click on a control rule line, and choose Properties.
The options available depend on whether the rule is set to apply to all users or a subset defined by a query.
provides all three types of control
Manage user group permissions
Allow a user in the controlling user group to adjust the permissions set in the Behavior Editor against each page of the site for the controlled user group.
Note: This type of control is only available when the rule applies to 'All users' and not when restricted by a query.
Allow a user in the controlling user group to login to the site and impersonate a user in the controlled user group.
They impersonate by logging in as impersonated user's email address/admin email address, and the admin's normal password.
Admin is firstname.lastname@example.org, password: admin123
User is email@example.com, password is unknown to the admin
admin impersonates by logging in as:
with the password: admin123
As far as the site is now concerned the person logged in is the user, not the admin.
Manage user details
Allow a user in the controlling user group to view and edit the details of users in the controlled user group, including resetting their password.
Automatic membership is a powerful tool that enables a user to be automatically given membership of a custom usergroup depending on some defined categories.
This can be combined with Layout Element controls to provide sophisticated changes in display and delivery of content. Read more in About Layout Elements ...
Domains allow you to automatically assign a user to a particular usergroup depending on which domain they are visiting.
For example - you may have a multilingual site listening on different domains, www.example.com and fr.example.com The domain control allows you to switch Layout Elements depending on domain.
IP Addresses allow you to automatically assign a user to a particular usergroup depending on which IP Address they are coming from.
For example - you may want to construct a website that functions both as public facing and as an 'intranet'. This control allows you to allow local users to gain access to some information that external users cannot, without the internal users needing to login.
User Agents allow you to automatically assign a user to a particular usergroup depending on which browser they are using.
For example - you may have a site that want to provide optimal display for both mobile and desktop users but still contain the core content. This control allows you to switch Layout Elements depending on what browser the visitor is using. See the detailed configuration for detecting mobile devices.
Generally, when a user is made a member of multiple user groups, the permissions that are granted to them are the sum of the various permissions assigned to the set of user groups they are a member of. This is 'additive' - the permissions are added together.
However, it is sometimes useful to be able to subtract permissions instead.
A user is a member of 'Group A'. This has permissions that lets them view a section of the site promoting a premium service.
The user purchases access to this premium service, and is added to the 'Premium' usergroup, that has permission that lets them access a 'premium' area of the site.
There is now no need to show the user the pages promoting the premium service, so it would be useful to hide that section. To do this:
First, create a new usergroup "View Promotion", that has view page permission over the pages promoting the service.
Give all users membership of this usergroup - for example by using the Automatic membership settings.
Next, create a new usergroup "Premium members", that has view page permission over the pages that contain the premium content
Set the Subtractive permissions for the "Premium members" usergroup to discount the permissions of the View Promotion usergroup.
Right-click on the usergroup they are joining, and choose 'Subtractive permissions'
On the Subtractive permissions dialog, select the usergroups which the user should be discounted from.
Users will still be members of the discounted usergroups, but their membership will be disregarded.
Validation is a process where the site sends an email to the user's email address, and the user then takes an action using information in the email. This proves - or 'validates' - that the user's email address is one they have control over.
A user who is granted membership of a user group that is set to require validation will be sent an email by the site, and wil not be regarded as a member of the user group until they have validated.
Right-click on the user group
Click Require validation
Requiring a Two Factor Authentication Session
Two Factor Authentication is a process where in addition to a user logging in with their email address and password, they also enter a number that they obtain from a device they have with them (typically a smartphone). Learn more about Two Factor Authentication.
If the user group is set to require two factor authentication and the user does not login with it, then the user's membership of this user group is disregarded for that session.
Right-click on the user group
Click Require Two Factor Authentication Session