Role
Digest
In Cascade Server, the abilities of a user are defined by the Role(s) to which that user is assigned. Either these roles may be assigned explicitly through the user management system, or they may be inherited from the groups to which that user currently belongs. Roles outline the access rights for individual users.
Roles also determine the order in which the workflow process occurs according to the customization of the workflow process. An Administrator assigns roles. Roles are not inherited according to the workflow process; rather, a user must be given specific roles to contribute to the workflow process (i.e. if an Approver needs the ability to edit content then he/she must be given a Contributor role in addition to the Approver role).
There are five basic roles in Cascade. Starting with the most basic user level, they are:
FAQs
- What is the function of roles in Cascade Server?
- Roles outline the access rights for individual users. Roles also determine the order in which the workflow process occurs, according to the customization of the workflow process. The default roles include Contributor, Approver, Publisher, Manager, and Administrator. An Administrator assigns roles. Roles are not inherited according to the workflow process; rather, a user must be given specific roles to contribute to the workflow process (i.e. if an Approver needs the ability to edit content then (s)he must be given a Contributor role in addition to the Approver role.)
Concept
An Introduction to Roles in Cascade
Roles must be assigned to each user or group in the system in order to determine which tasks that user or group may perform.
Roles are managed from the Administration area. Typically, assignations are made when a new user or group is created. To view users and groups according to role, go to the Users, Groups, Roles section and click on the Roles tab. Select a role, and all of the users and groups will appear. To switch a user or group's role, click on the name and select Edit. Under the Roles tab, you may then select the new desired role.
Please Note - Because roles are cumulative (they inherit the functions of the roles beneath them), there is no need to assign more than one role per user or group.
Five Role Types
Contributor
Contributor is a role in the system and can be assigned to a User or a Group. The Contributor role is the most basic role and allows only the simplest actions within the CMS. Contributors may be given read or write access to areas in the system. These access permissions are set by an Administrator at the folder level and are set for an individual User, Group or for All Users.
A Contributor-level user may:
-Navigate through the site structure (read or write access).
-View content (read or write access).
-Edit content (write access only)
-Create new content using Asset Factories (determined by the listing under the New menu)(write access only).
-Copy items (write access only).
-Delete items (write access only.
Approver
Approver is a role in the system and can be assigned to a User or a Group. The Approver role allows the same actions as the Contributor, as well as allows the user to take part in the workflow process and review and approve (or reject) content that belongs to an active workflow.
Approvers may be given read or write access to areas in the system. These access permissions are set by an Administrator at the folder level and are set for an individual User, Group or for All Users. Actions taken by an Approver-level user within Cascade Server will go through a pre-determined workflow process similar to that of a Contributor-level user in order for the action to be completed, which may include approvals by other Approver-level users.
An Approver level user may:
-Navigate through the site structure (read or write access).
-View content (read or write access).
-Edit content (write access only)
-Create new content using Asset Factories (determined by the listing under the New menu)(write access only).
-Copy items (write access only).
-Delete items (write access only).
-Approve or reject content in a workflow he/she is assigned to.
A Group can also be assigned an Approver-level role with Cascade Server. When a Group has an Approver role assigned to it, any Users within that Group may approve or reject workflow steps assigned to the Group.
Publisher
Publisher is a role in the system and can be assigned to a User or a Group. The Publisher role allows the same actions as the Contributor and Approver, as well as allows the user to push content out to a live site, either by completing workflow that contains a publish trigger upon completion or by selecting assets he/she has access to and selecting to publish them.
Publishers may be given read or write access to areas in the system. These access permissions are set by an Administrator at the folder level and are set for an individual User, Group or for All Users.
A Publisher level user may:
-Navigate through the site structure (read or write access).
-View content (read or write access).
-Edit content (write access only)
-Create new content using Asset Factories (determined by the listing under the New menu) (write access only).
-Copy items (write access only).
-Delete items (write access only).
-Approve, Publish, or reject content in a workflow he/she is assigned to.
-Bypass workflows to publish content directly upon editing.
-Cancel publishing jobs he/she has initiated (4.0 and higher).
Manager
The Manager role is the second highest role. It has many of the powers of the highest role, administrator, but those powers are more limited in scope. Generally, the manager role is used to assign administrator-level privileges to a site or sub-site. Since roles are cumulative, managers have all of the powers of the roles beneath them (publisher, approver, contributor) as well as the power to bypass workflow.
Another key difference between the manager role and the roles beneath them is that they have access to the Administration area to control items like configuration sets, metadata sets, publish sets, data definitions, and workflow definitions. Putting a user in the manager role and setting up the appropriate access rights provides for a user that is fully autonomous in the CMS across assets, sites (targets), and administration components.
For Cascade Server versions 4.0 and higher, Managers may also create users with the role of Manager or lower, and assign access rights within the manager's own area. In addition, Managers can cancel any publish job where the manager user has read access permissions to the asset associated with the publish job be it a Folder, Page, File, Target, or Destination.
Key aspects of the manager role:
-Limited by system access rights
-Access to the Administration area
-Ability to bypass workflow
Administrator
Administrator is a role in the system that permits full, uninhibited access to any asset and/or area of the system. A user assigned the administrator role has access to both the standard " Home" area where web page assets are managed and the " Administration" area where advanced system entities and publishing can be configured. Folder access rights do not apply to the administrator role; therefore, a user with administrator rights can view, edit, copy, delete, or move an asset without restriction. Additionally, administrators have the ability to break asset locks anywhere in the " Home" area.
Because an administrator has access to the everything within the system, the role should be assigned sparingly to only authorized users who require such access. In most cases, providing users with a manager role, which is more restricted and one level down from the administrator position will allow them to handle and perform most of the administrator operations. Managers have all of the same access and capabilities as administrators, except that access rights apply to them. Therefore, a user with manager access can be appropriately permitted and/or locked out from areas in both the "Home" and "Administration" sections of the CMS as applicable.
Note that each role inherits capabilities from the role beneath it. For example, the Manager may do anything that the Publisher, Approver, and Contributor role may do, but not everything that the Administrator is capable of doing. When considering if an action by a particular user is permissible, Cascade Server will examine the highest role that user has been given.
Workflows and Roles
The role each Cascade Server user plays in the workflow process is proscribed by the system role each user is given. All users, from Contributor on up, may initiate a workflow when he or she creates or edits an asset. A higher-level user, such as an Approver, will then review the asset and choose whether it will move onto the next step in the workflow process. A Publisher may then publish the asset to the live site. Managers and Administrators may also have these capabilities in addition to the ability to bypass and edit workflows in progress.
Audit Trail - Monitoring Users and Roles
The Audit Trail is a tool for Administrators to see a summary of activities performed in the system by a particular user, group, role, or for the entire system. Selecting the audit trail for a group or roles will display the actions performed by all users belonging to that group or role. A date/time filter is provided as part of the Audit Trail view and is useful for filtering the results into a more specific timeframe.
The record for each event includes:
- the username of the user who performed the activity
- the time of the activity
- the type of action performed (login, edit, publish etc.)
- the information about that action (whether the asset was edited or published)
- the IP address of the computer from which the user logged in
- the asset type
- a link to the location of the particular asset
Default Abilities Matrix
Within Cascade, different users/roles are granted certain permissions by default. These permissions are documented in a matrix below.
| Administration Area Abilities | Manager | Publisher | Approver | Contributor |
|---|---|---|---|---|
| Access the Administration area |  |
 |
|
|
| Access Asset Factories | |
|
|
|
| Access Configuration Sets | |
|
|
|
| Access Data Definitions | |
|
|
|
| Access Metadata Sets | |
|
|
|
| Access Publish Sets | |
|
|
|
| Access Targets & Destinations | |
|
|
|
| Access Transports | |
|
|
|
| Access Workflow Definitions | |
|
|
|
| Access Content Types | |
|
|
|
| View Information and Logs in Administration area | |
|
|
|
| Force logout of users | |
|
|
|
| Run Transports and Destination diagnostic tests | |
|
|
|
| Access the security area | |
|
|
|
| Bypass all ability checks | |
|
|
|
| Home Area Abilities | Manager | Publisher | Approver | Contributor |
|---|---|---|---|---|
| Upload images from the wysiwyg image upload popup | |
|
|
|
| Multi-select Copy | |
|
|
|
| Multi-select Publish | |
|
|
|
| Multi-select Move | |
|
|
|
| Multi-select Delete | |
|
|
|
| Modify Page Configurations on Pages | |
|
|
|
| Modify the Content Type of Pages | |
|
|
|
| Publish readable Files, Folders, Pages | |
|
|
|
| Publish writable Files, Folders, Pages | |
|
|
|
| View the publish queue | |
|
|
|
| Reorder the publish queue | |
|
|
|
| Cancel publish jobs | |
|
|
|
| Publish Publish Sets, Targets, and Destinations | |
|
|
|
| Edit access rights | |
|
|
|
| View the Versions tab | |
|
|
|
| Activate or Delete a previous asset version | |
|
|
|
| View the Audits tab | |
|
|
|
| Bypass Workflow | |
|
|
|
| Assign and approve steps in a workflow | |
|
|
|
| Delete Workflows | |
|
|
|
| Break locks on assets | |
|
|
|
| Assign Workflows to folders | |
|
|
|
| Bypass groups checks when viewing Asset Factories in New menu | |
|
|
|
| Bypass groups checks when choosing Destinations to publish to | |
|
|
|
| Bypass groups checks when assigning/using Workflow Definitions | |
|
|
|
| Bypass all permissions checks | |
|
|
|
| Toggle Accessibility, Spelling, and Link Checks and HTML tidy options when editing | |
|
|
|
| Tools Abilities | Manager | Publisher | Approver | Contributor |
|---|---|---|---|---|
| Access Tool : Import : New Site Wizard | |
|
|
|
| Access Tool : Import: Integrate Folder | |
|
|
|
| Access Tool : Import : Zip Archive | |
|
|
|
| Access Tool : System : Optimize Database | |
|
|
|
| Access Tool : System : Sync LDAP | |
|
|
|
| Access Tool : System : Bulk Change | |
|
|
|
| Access Tool : System : Modify Logging Configuration | |
|
|
|
| Access Tool : System : Search and Indexing | |
|
|
|
| Access Tool : System : Modify Configuration Files | |
|
|
|
| Edit system preferences | |
|
|
|
| Security Area Abilities | Manager | Publisher | Approver | Contributor |
|---|---|---|---|---|
| View Users that share groups with current user | |
|
|
|
| View all Users | |
|
|
|
| Create Users | |
|
|
|
| Delete Users that share groups with current user | |
|
|
|
| Delete all Users | |
|
|
|
| View Groups to which current user belongs | |
|
|
|
| View all Groups | |
|
|
|
| Create Groups | |
|
|
|
| Delete Groups to which current user belongs | |
|
|
|
| View Roles | |
|
|
|
| Edit Roles | |
|
|
|
| Delete all groups | |
|
|
|
| Edit all Users | |
|
|
|
| Edit Users that share groups with current user | |
|
|
|
| Edit all Groups | |
|
|
|
| Edit Groups to which the current user belongs | |
|
|
|
FAQs
- How are Access Rights assigned in Cascade Server?
Permissions are granular in nature and can be customized as needed. Access to content can be granted at the site, folder, content type, page, or block level, and can be given to an entire group, or an individual user, as desired. Access controls can even be implemented on individual fields within a page data structure.
Access can be granted to view, edit, or publish various assets or areas of the site. Other permissions including create, copy, move, and delete can be controlled via custom workflows outlining additional rules.
Technical
Setting Up System Users
Users and Groups must be set up by an administrator or manager. Each user or group must have a Role that defines which system tasks are allowed. Each folder, in the Home area, has individual permissions that determine which users and groups have access.
To create a new user, and assign he or she the appropriate role:
- Go to Administration in the top navigation Menu.
- On the left, the first container is “Users, Groups, & Roles.”
- Select whether you’d like to great a new User or a new Group from the choices presented.
- For this example, since we’re discussing users, once you choose “New User,” you will be directed to the “Create New User” page.
- Enter the desired Username, Full Name, email address, select your Authentication choice (either normal or custom), define a user Password, and assign he or she to all relevant Groups. You will also be able to assign a Default Group. Finally, the last option, is to select the desired Role from the drop-down menu of choices: Contributor, Approver, Publisher, Manager, or Administrator.
Customizing Role Default Abilities
With the release of Cascade Server 5.5, Administrators are now able to fully customize the capabilities associated with each role.
To customize (or edit abilities of) one of the 5 roles in Cascade:
- Navigate to the Administration Area and click "Users, Groups, & Roles"
- Click the "Edit" tab for any role which you'd like to modify.
- On the edit screen, you are presented with a list of "abilities" which will each have a check box (or yes/no radio button) next to it.
- Toggle any of these abilities on and off as you see fit.
The following abilities will be available on the edit screen to be modified:
Global Abilities
| Ability name | Default Roles | Required Abilities | Description |
|---|---|---|---|
| Bypass all ability checks | Administrators | Gives all the possible abilities to the user automatically | |
| Bypass all permissions checks | Administrators | Gives read and write access to all the assets in the system |
Administration Components
| Ability name | Default Roles | Required Abilities | Description |
|---|---|---|---|
| Access the Administration area | Managers,Administrators | Controls who can navigate to the Administration Area and see any of the components within. | |
| Access Users, Groups and Roles | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Users, Groups and Roles |
| Access Asset Factories | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Asset Factories and their Containers |
| Access Configuration Sets | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Configuration Sets and their Containers |
| Access Content Types | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Content Types and their Containers |
| Access Data Definitions | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Data Definitions and their Containers |
| Access Metadata Sets | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Metadata Sets and their Containers |
| Access Publish Sets | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Publish Sets and their Containers |
| Access Targets & Destinations | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Targets and Destinations |
| Access Transports | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Transports |
| Access Workflow Definitions | Managers,Administrators | Access the Administration area | Gives the ability to view or edit accessible Workflow Definitions and their Containers |
| View Information and Logs in Administration area | Administrators | Access the Administration area | Gives the ability to view the Cascade Server/System Information and ability to download the logs |
| Force logout of users | Administrators | Access the Administration area | Gives the ability to log out other users from the system |
| Run Transports and Destination diagnostic tests | Managers,Administrators | Access the Administration area, Access to at least one of these: Transports, Destinations | Gives the ability to test transports and destinations |
| Publish readable Administration area assets | Managers,Administrators | Access the Administration area, Access to at least one of these: Publish Sets, Targets & Destinations | Ability to publish Administration Area assets (Publish Sets, Targets and Destinations) that the user has read permissions to |
| Publish writable Administration area assets | Access the Administration area, Access to at least one of these: Publish Sets, Targets & Destinations | Ability to publish Administration Area assets (Publish Sets, Targets and Destinations) that the user has write permissions t |
Security Area
| Ability name | Default Roles | Required Abilities | Description |
|---|---|---|---|
| View users that share groups with current user | Managers,Administrators | Access Users, Groups and Roles | Ability to view the users of the same group as the current user |
| View all users | Administrators | Access Users, Groups and Roles | Ability to view all the users |
| Create users | Managers,Administrators | Access Users, Groups and Roles, either View all users or View users that share groups with current user | Ability to create new users |
| Delete users that share groups with current user | Managers,Administrators | Access Users, Groups and Roles, either Edit all users or Edit users that share groups with current user |
Ability to delete the users of the same group as the current user and at the same time the current user must be able to edit the user |
| Delete all users | Administrators | Access Users, Groups and Roles, either Edit all users or Edit users that share groups with current user | Ability to delete any users that the current user is able to edit |
| Edit all users | Administrators | Access Users, Groups and Roles, either View all users or View users that share groups with current user | Ability to edit any users |
| Edit users that share groups with current user | Managers,Administrators | Access Users, Groups and Roles, either View all users or View users that share groups with current user | Ability to edit users of the same group as the current user |
| View groups to which current user belongs | Managers,Administrators | Access Users, Groups and Roles | Ability to view the current user's groups |
| View all groups | Administrators | Access Users, Groups and Roles | Ability to view all the groups |
| Create groups | Managers,Administrators | Access Users, Groups and Roles, either View all groups or View groups to which current user belongs | Ability to create new groups |
| Delete groups to which current user belongs | Managers,Administrators | Access Users, Groups and Roles, either Edit all groups or Edit groups to which the current user belongs | Ability to delete the current user's groups that the current user can edit |
| Delete all groups | Administrators | Access Users, Groups and Roles, either Edit all groups or Edit groups to which the current user belongs | Ability to delete any groups that the current user can edit |
| Edit all groups | Administrators | Access Users, Groups and Roles, either View all groups or View groups to which current user belongs | Ability to edit any groups |
| Edit groups to which the current user belongs | Managers,Administrators | Access Users, Groups and Roles, either View all groups or View groups to which current user belongs | Ability to edit the current user's groups |
| View roles | Managers,Administrators | Access Users, Groups and Roles | Ability to view all the roles |
| Edit roles | Administrators | Access Users, Groups and Roles | Ability to edit any roles |
Home Area Abilities
| Ability name | Default Roles | Required Abilities | Description |
|---|---|---|---|
| Bypass workflow | Publishers,Managers,Administrators | Ability to bypass workflow when creating, editing, copying and deleting assets |
|
| Assign to self and approve steps in a workflow | Approvers,Publishers,Managers,Administrators | Ability to assign workflow steps to the current user and to be assigned to transition steps in a workflow |
|
| Delete workflows | Publishers,Managers,Administrators | Ability to delete workflow |
|
| Assign workflows to folders | Publishers,Managers,Administrators | When user has edit access to a folder, he can also assign workflows to that folder in the Workflows tab |
|
| Upload images from the wysiwyg image upload popup | Managers,Administrators | Bypass workflow | When editing an XHTML block or a page with a WYSIWYG editor, ability to upload images through that editor |
| Multi-select copy (requires the ability to bypass workflow) | Managers,Administrators | Bypass workflow | Ability to copy several assets at the same time |
| Multi-select publish | Managers,Administrators | Publish either readable or writable Home area assets | Ability to publish several assets at the same time |
| Multi-select move (requires the ability to bypass workflow) | Managers,Administrators | Bypass workflow | Ability to move several assets at the same time |
| Multi-select delete (requires the ability to bypass workflow) | Administrators | Bypass workflow | Ability to delete several assets at the same time |
| Modify Page Configurations on pages | Contributors,Approvers,Publishers,Managers,Administrators | Ability to assign different blocks and stylesheets at the page level when editing a page |
|
| Modify the Content Type of pages | Managers,Administrators | Ability to assign a different Content Type to a page when editing it |
|
| Toggle Accessibility, Spelling, Link Checks and HTML tidy checkboxes when editing | Managers,Administrators | Without this ability, the checkboxes Accessibility, Spelling, Links and Tidy HTML will be disabled |
|
| Publish readable Home area assets | Publishers,Managers,Administrators | Ability to publish Home area assets that the user has read or write permissions to |
|
| Publish writable Home area assets | Ability to publish Home area assets that the user has write permissions to | ||
| View the publish queue | Publishers,Managers,Administrators | Ability to view the publish queue |
|
| Reorder the publish queue | Administrators | View the publish queue | Ability to reorder the publish jobs |
| Cancel publish jobs | Administrators | View the publish queue | Ability to cancel the publish jobs |
| Edit access rights | Managers,Administrators | Ability to change access rights to the assets that the user has write permissions to by assigning the groups and users that the user has abilities to view |
|
| View the Versions tab | Contributors,Approvers,Publishers,Managers,Administrators | Ability to view the previous versions of assets that the user has read permissions to |
|
| Activate or delete previous asset versions | Publishers,Managers,Administrators | Ability to activate or delete previous versions of assets that the user has write permissions to |
|
| View the Audits tab | Managers,Administrators | Ability to view the audits of assets that the user has read permissions to |
|
| Break locks on assets | Managers,Administrators | Ability to break a lock on assets so that the users who were editing the asset previously won't be able to submit their edits and the asset will become available for another user to edit it |
|
| View Asset Factories in New menu even if user does not belong to any of their applicable groups | Administrators | Ability to see all the system's Asset Factories in the new menu |
|
| Choose Destinations to publish to even if user does not belong to any of their applicable groups | Administrators | Publish either readable or writable Home area assets | Ability to choose any system's destination that are applicable for publishing |
| Be assigned to and use Workflow Definitions even if user does not belong to any of their applicable groups | Administrators | Ability to start any system's workflows that are applicable for the asset |
Tools Menu Access
| Ability name | Default Roles | Required Abilities | Description |
|---|---|---|---|
| New Site Wizard (requires the ability to bypass workflow) | Administrators | Bypass workflow | Ability to use the New Site Wizard |
| Integrate Folder (requires the ability to bypass workflow) | Managers,Administrators | Bypass workflow | Ability to use the Integrate Folder tool |
| Zip Archive | Managers,Administrators | Ability to upload a zip archive and automatically unzip it in Cascade Server |
|
| Optimize Database | Administrators | Ability to use the Database Optimizer tool |
|
| Sync LDAP | Administrators | Ability to trigger an LDAP synchronization |
|
| Bulk Change (requires the ability to bypass workflow) | Administrators | Bypass workflow | Ability to use the Bulk Change tool |
| Modify Logging Configuration | Administrators | Ability to choose different classes/packages that should be outputting logging information |
|
| Search and Indexing | Administrators | Ability to access the Searching and Indexing tool |
|
| Modify Configuration Files | Administrators | Ability to access Custom Authentication Configuration, Image Editor Configuration, Image Editor Licence, LDAP Configuration, Product License and Publish Trigger Configuration |
|
| Edit system preferences | Administrators | Ability to access and change General, Email and Content Preferences |
Audits - Roles (Administrators or Managers)
The Audit Trail is accessible from the Administration area and gives a detailed account of all activity that has taken place within the system.
The Audit Trail can be accessed for an individual user, a group, or a role. Simply click on the user, group, or role name in the Users, Groups, Roles section, and select the Audit Trail tab.
At the top of the Audit Trail are Start and End Dates with which you may filter results. Simply select a date range and click Filter. You may also filter results according to action type.
The results of the audit trail offer the following values:
- User - Clicking on the user will show statistics for that user.
- Time - This shows the time that the action was completed.
- Action - Actions include: Login, Failed Login, Logout, Started Workflow, Advanced Workflow, Edit, Start Edit, Copy, Create, Reference, Delete, Delete and Unpublish, Check-in, Check-out, Version Activation, Publish, Unpublish.
- Information - This offers additional information including the Asset modified or the IP address of login. It will also provide an Asset Link which will take you to the view for the relevant asset.
Audit trail records can be selected by clicking the checkbox next to each record. Selected records can be deleted by selecting Delete from the Action dropdown.