Roles and Permission Sets







Introduction

Socialtext has fine-grained authorization and access control, organized by user roles and permissions for each workspace. Socialtext predefines seven different types of workspace configurations that meet common needs. If you need different configurations, contact your appliance system administrator or, for the Socialtext hosted service, support@socialtext.com.

Roles

Socialtext implements authorization by user roles. Each user role has a set of activities it is permitted to perform (permissions). There are four user roles:

Guest

Anyone in the world who has web access to your appliance or the Socialtext hosted service. A guest user is anonymous and unidentified.

Authenticated user

Anyone who has registered and obtained a user account on your appliance or, for the Socialtext hosted service, with Socialtext. A user can register by setting a password, setting an optional full name, and replying to a confirmation email. The user only needs to register once for all login-to-edit public workspaces on the appliance or Socialtext hosted service.

Member

A registered user who is an invited member of a workspace. A member must be invited by a workspace administrator.

Workspace administrator (admin)

A member of a workspace who has been granted additional administrator privileges. An admin can delegate to or revoke administrative privileges from other users.

Workspaces and Roles

Each workspace has a set of permissions for each user role. A given user may play a different role in different workspaces. For example, a user can be an admin in one workspace and a guest in another. There are several standard workspace types that have permission sets and configurations to fit different needs. If needed, you can change the permissions of any user role to create custom permissions for a workspace.

Standard Workspace Types

Socialtext provides several different types of workspaces to fit different needs. Private workspaces are common for business use and are accessible only by members of that workspace. Alternatively, you can use public workspaces to share a workspace with others. Each predefined workspace type is identified by a permission set name. The predefined workspace types are:

Private workspace

By default, all workspaces are private. The workspace can only be accessed by members. By default, anyone can email into the workspace. You can ask your appliance administrator to change the configuration so the workspace accepts emails from authenticated users only, members only, or so that the workspace cannot receive any email. The permission set name for this workspace type is: member-only

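| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | | | | | X | | |
| authenticated user | | | | | | | X | | |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |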

Private Login-to-Edit workspace

Any authenticated user on your appliance or, for the Socialtext hosted service, an authenticated user of Socialtext can modify the workspace. However, the workspace remains inaccessible to guest users. The permission set name for this workspace type is: authenticated-user-only

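| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | | | | | | | |
| authenticated user | | X | X | X | X | | X | X | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |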

Public Login-to-Edit workspace

The workspace is open to anyone to read. In order to modify the workspace, the user must be registered as an authenticated user. The permission set name for this workspace type is: public-authenticate-to-edit

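| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | | | | X | | | X |
| authenticated user | | X | X | X | X | | X | X | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |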

Public Read-Only workspace

The workspace allows anyone to read the workspace. Only members can modify it. The permission set name for this workspace type is: public-read-only

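| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | | | | | | | X |
| authenticated user | | | | | | | | | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |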

Public Read-and-Comment-Only workspace

The workspace allows anyone to read the workspace and submit comments on pages. Only members can modify it. The permission set name for this workspace type is: public-comment-only

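| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | X | | | | | | X |
| authenticated user | | | X | | | | | | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |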

Fully Public workspace

The workspace is open to anyone to read, comment, or edit. However, guests and authenticated users are not able to do some potentially risky actions such as sending email, uploading files, and deleting pages. The permission set name for this workspace type is: public

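| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | | X | | X | | X | | X |
| authenticated user | | | X | | X | | X | | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |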

Intranet

The intranet configuration is used most commonly on appliances. The workspace is open to anyone to read, comment, or edit. Guest users have all permissions available to members, including sending email, uploading files, and deleting pages. The permission set name for this workspace type is: intranet

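| roles/permissions | admin_workspace | attachments | comment | delete | edit | edit_controls | email_in | email_out | read |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| guest | | X | X | X | X | | X | X | X |
| authenticated user | | X | X | X | X | | X | X | X |
| member | | X | X | X | X | | X | X | X |
| workspace admin | X | X | X | X | X | | X | X | X |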
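
The seven permission sets above can be reviewed as data before one is chosen for a workspace. The following is an added example, not Socialtext code: it transcribes the tables on this page and assumes the role order guest, authenticated user, member, workspace admin; all function and variable names are illustrative.

```python
# Added example (not Socialtext code): the tables on this page as data.
PERMS = ("admin_workspace attachments comment delete edit "
         "edit_controls email_in email_out read").split()
ROLES = ("guest", "authenticated user", "member", "workspace admin")
# The page names sending email, uploading files and deleting pages as risky.
RISKY = frozenset({"email_out", "attachments", "delete"})

MEMBER = frozenset(PERMS) - {"admin_workspace", "edit_controls"}
ADMIN = MEMBER | {"admin_workspace"}


def perms(names=""):
    return frozenset(names.split())


# Permission set name -> (guest, authenticated user) rows, transcribed from
# the tables. The member and workspace admin rows are identical in every set.
PERMISSION_SETS = {
    "member-only": (perms("email_in"), perms("email_in")),
    "authenticated-user-only": (perms(), MEMBER),
    "public-authenticate-to-edit": (perms("edit_controls read"), MEMBER),
    "public-read-only": (perms("read"), perms("read")),
    "public-comment-only": (perms("comment read"), perms("comment read")),
    "public": (perms("comment edit email_in read"),) * 2,
    "intranet": (MEMBER, MEMBER),
}


def grants(set_name, role):
    """Permissions a role holds in a workspace using the named set."""
    guest, authenticated = PERMISSION_SETS[set_name]
    return dict(zip(ROLES, (guest, authenticated, MEMBER, ADMIN)))[role]


def risky_for_guests():
    """Sets that hand anonymous guests any permission the page calls risky."""
    found = {n: sorted(grants(n, "guest") & RISKY) for n in PERMISSION_SETS}
    return {n: p for n, p in found.items() if p}


def role_order_violations():
    """Cases where a role holds a permission the next role up lacks
    (role order is an assumption of this example)."""
    out = []
    for name in PERMISSION_SETS:
        for low, high in zip(ROLES, ROLES[1:]):
            extra = grants(name, low) - grants(name, high)
            if extra:
                out.append((name, low, high, sorted(extra)))
    return out
```

On this page's data the first audit reports only intranet, and the second reports that guest holds edit_controls in public-authenticate-to-edit while authenticated user does not.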

Differences from Socialtext 1.9.4 and earlier

The authenticated user role enables a user to "sign their work" with their name and set personal preferences in public workspaces without needing to be an invited member of a workspace.

It solves a problem in previous versions, where guest users could set preferences which were recorded in a cookie. When the cookie expired, the users were not able to change those preferences.
