4

How would I know what permissions the following Liferay Roles have:

  1. Site Administrator
  2. Site Owner

I can't see any entry made in the ResourcePermissions table for the system roles like the above two and the Administrator role, hence I think this renders the Permission...Service classes useless in my case.

Use-case

What we need to do is give the Site Administrator role but remove some of the permissions like a particular Site Administrator should not be able to update site-settings or should not be able to access certain screens on Control Panel etc.

We are thinking of creating a separate role (Custom Site Admin) since we can't define permissions for roles created by Liferay and then we will assign all the permissions of Site Administrator to this role and remove some of the permissions as specified in the use-case.

Edit:
Another question is, if I create a new role and assign all the permissions & just remove a few, will it affect Performance?

Version: Liferay 6.1 GA2

If you know some other workaround regarding this problem, I would be really grateful.

Thanks

Community
  • 1
  • 1
Prakash K
  • 11,669
  • 6
  • 51
  • 109

1 Answers1

5

The Difference

Administrators have all privileges for the domain they describe with just one notable exception.

  • They cannot assign or remove other Administrators.

For example, a "Site Administrator" is given all rights to that site except, again, assigning other Site Administrators.

For your use case I would create another role.

Another question is, if I create a new role and assign all the permissions & just remove a few, will it affect Performance?

No. Consider that there are 2 other roles "guest" and "member", that are far more frequent in usage, that would require lookup in the same way your new custom role would.

But can you tell me what exactly are those permissions which differ between site owner and site admin?

All signs point to it being hard coded, as there are methods in PermissionChecker with methods like isSiteAdmin, isSiteOwner, isOmniAdmin etc, these methods check if the User has these roles and allows them to perform that particular action.

Normally the following Actions would allow you to assign a role to a user:

  • A group permission with action "Assign User Roles"
  • A role permission with action "Assign Members"

However, even if you grant these actions to any other role, you are still unable to make people "Site Administrators" or "Site Owners" without being a "Site Owner"

Prakash K
  • 11,669
  • 6
  • 51
  • 109
rp.
  • 3,435
  • 1
  • 21
  • 29
  • Yes we are also thinking of creating another role as mentioned in the question. But can you tell me what exactly are those permissions which differ between `site owner` and `site admin`? Atleast where to look for those permissions in what category? – Prakash K Nov 01 '12 at 05:44
  • I have added another question to the OP. Thanks rp – Prakash K Nov 01 '12 at 05:47
  • As to what the exact permission "action" is? I don't believe the item exists as an assignable "action" and is hard coded. I will have to check tomorrow when I am at my desk. – rp. Nov 01 '12 at 06:21
  • That's cool. Thanks. Will wait for you to be at your desk :-) – Prakash K Nov 01 '12 at 06:26
  • Thanks. Marking this as the answer for now, as it answers most of my queries. – Prakash K Dec 24 '12 at 05:58
  • 1
    Hi Prakash, sorry I forgot to get back to you! It is indeed hard coded. If you look at various permission classes they call some variation of `isAdmin` or `isOwner` which looks up if the user has those system roles. – rp. Dec 26 '12 at 18:26