Users and Roles

Some concepts

  • One user is one logged-in user account,
  • Each user has a role, but an unknown frontend visitor has no role,
  • The role a user belongs to defines whether he is permitted to perform an action on a resource,
  • Each role has a level, which defines the role's position in the role hierarchy.

Role ranges & levels

The role level is important for the backend. It defines which roles can potentially edit the permissions of other roles.

The role levels go from -10 to 10000.

After a fresh install, ionize has one role in each range of levels.

| Role | Role code | Level range | Description |
|------|-----------|-------------|-------------|
| Super Admin | super-admin | 10000 | There is no level range for Super Admin, as he has access to everything. The user created during installation is a member of this role. This role cannot have custom permissions; it has access to everything by default. It is strongly recommended not to give this role to a client. The role code "super-admin" must not be changed. |
| Admin | admin | 5000 - 9999 | In this range, roles are considered "Admin level". This role is supposed to have slightly fewer permissions than the "Super Admin" role. For example, he should not have access to the technical data. |
| Editor | editor | 1000 - 4999 | In this range, roles are considered "Editors". This role is supposed to be used for people who edit the content. For example, this role should not have access to: Website settings, Users settings, Modules administration. |
| User | user | 100 - 999 | Frontend users. This role is supposed to have no access to the ionize backend, but can have access to restricted parts of the website (page and article permissions, for example). With properly set level ranges, it is possible to create a hierarchy between users. |
| Pending | pending | 50 | Internal role. Contains users waiting for registration acceptance. |
| Guest | guest | 10 | Internal role. |
| Banned | banned | -10 | Internal role. Users in this role are supposed to have no access to the website. |

Why are level ranges important?

Level ranges are important for relative permission definition.
A role can define the permissions of all roles that have a lower level than its own.

For example, if you create 3 editor roles:

  1. Editor : level 3000
  2. Editor's Assistant : level 2950
  3. Library : level 2000
  4. Marketing : level 1000

As Super Admin, you give these 4 roles the permission to set the backend permissions on Pages (the right to see, edit, delete, change status, etc., on each Page).

Considering the level of each role:

  • Editor will be able to set the backend permissions of Editor's Assistant, Library and Marketing,
  • Editor's Assistant will be able to set the backend permissions of Library and Marketing,
  • Library will be able to set the backend permissions of Marketing,
  • Marketing will be able to set the backend permissions of nobody.
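
The level rule above can be checked against a planned role layout before it is created in the backend. The following Python sketch is an added example, not ionize code: the function names are hypothetical, the tier boundaries are copied from the role table, and it assumes every role has already been granted the permission to set backend permissions.

```python
# Added illustration of the level rule described above; not ionize source code.
from collections import defaultdict

# (tier, lowest level, highest level), copied from the role table on this page
TIERS = [
    ("super-admin", 10000, 10000),
    ("admin", 5000, 9999),
    ("editor", 1000, 4999),
    ("user", 100, 999),
]

def tier(level):
    """Return the tier a level falls into; levels below 100 are internal roles."""
    for name, low, high in TIERS:
        if low <= level <= high:
            return name
    return "internal"

def can_set_permissions(actor, target, roles):
    """A role may define permissions only for roles with a strictly lower level."""
    return roles[actor] > roles[target]

def manageable(actor, roles):
    """Roles whose permissions `actor` can define, highest level first."""
    targets = [r for r in roles if can_set_permissions(actor, r, roles)]
    return sorted(targets, key=lambda r: roles[r], reverse=True)

def level_collisions(roles):
    """Levels shared by several roles: none of them can manage the others."""
    by_level = defaultdict(list)
    for name, level in roles.items():
        by_level[level].append(name)
    return {lvl: sorted(names) for lvl, names in by_level.items() if len(names) > 1}

# Constructed sample: the four editor-range roles used in the example above
ROLES = {"Editor": 3000, "Editor's Assistant": 2950, "Library": 2000, "Marketing": 1000}

if __name__ == "__main__":
    for role in ROLES:
        print(f"{role} ({tier(ROLES[role])}):", manageable(role, ROLES) or "nobody")
    # Constructed misconfiguration: a second role created at an existing level
    print(level_collisions({**ROLES, "Freelancer": 2000}))
```

Two roles that share a level cannot manage each other under the "lower level" rule, so a collision report is a quick way to spot a hierarchy that does not delegate the way it was intended to.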

Role levels and content permissions

For the definition of individual content permissions (permissions on individual pages, articles...):

  • Roles which have a level under 1000 are considered "frontend access roles".
  • Roles which have a level over 1000 are considered "backend access roles".

Super-Admin : The "Very Important Role"

The "Super Admin" role has access to everything.

It is the only role whose code is explicitly checked in the backend.
For this reason, you cannot change the role code: it must stay "super-admin".