To manage permissions, click on the "Page permissions" button in the editor's toolbar.

You are shown the following page containing, on the left, a permission matrix and, on the right, a "Test a user" utility.

Groups and access levels

Permissions are based on user groups. You can assign a different access level to each group.

In the permission matrix, next to the group name, is a selection with six options:

  • Inherited: the group has the same access level as the parent page.
  • None: the group has no access to the page.
  • View: the group can view and use the regular functionality of the page.
  • Edit: the group can configure the page.
  • Develop: the group can edit the Groovy script on-line.
  • Deny: the group is denied any access to the page, overriding any other access.

Notice that the option "Inherited" is always displayed together with the actual value for the parent page, e.g. "Inherited (None)" or "Inherited (View)".

Composition rules

Since a user can belong to more than one group at a time, we need a set of rules to determine the access level of a user from the access levels of his groups. The rules are the following:

  • Access levels have ascending priorities, None being the lowest and Develop being the highest.
  • The user is assigned the highest access level from the groups he belongs to.
  • As an exception to the previous rule, if a user belongs to a group that has the access level Deny, the user is assigned the access level Deny. Deny prevails in all cases.

Example 1:

User X is a member of group A and group B.
According to the permission matrix, group A has access level None, while group B has access level Edit.
User X is granted the access level Edit.

Example 2:

User Y is a member of group C and group D.
According to the permission matrix, group C has access level Edit, while group D has access level Deny. Deny prevails in all cases, so user Y is given the access level Deny.

Regular groups

Regular groups are user groups defined by the application. They depend on the application's logic. For example, in an intranet application they may be "Staff", "Contractor", "Accounting", "Engineering", etc.

Regular groups are usually defined in the application database or retrieved from an LDAP directory. You have complete flexibility on how to define them. To expose your groups to Portofino, see the security.groovy script.

Special groups

Portofino manages three special groups:

  • All: all users
  • Anonymous: users who are not authenticated on the system.
  • Registered: users who are authenticated (logged in) on the system.

These groups exist in addition to any regular groups you may have.
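The following Python model is an added example, not Portofino's own code. It combines the "Inherited" option, the composition rules and the special groups to compute a user's effective access level on a page. It assumes that a group not listed in a page's matrix is "Inherited", that a value never set up to the root resolves to None, and that View and Edit rank between None and Develop in the order listed above; the `Page` class, function names and sample pages are hypothetical.

```python
from enum import IntEnum

class Level(IntEnum):
    # Ascending priority, None lowest and Develop highest (order of the list above).
    NONE = 0
    VIEW = 1
    EDIT = 2
    DEVELOP = 3
    DENY = 99  # not a rank: handled as an override below

INHERITED = None  # marker for the "Inherited" option in a page's matrix

class Page:
    def __init__(self, name, parent=None, matrix=None):
        self.name = name
        self.parent = parent
        self.matrix = matrix or {}  # group name -> Level or INHERITED

def group_level(page, group):
    """Resolve one group's level, walking up while the entry is Inherited."""
    while page is not None:
        level = page.matrix.get(group, INHERITED)  # assumption: unlisted = Inherited
        if level is not INHERITED:
            return level
        page = page.parent
    return Level.NONE  # assumption: nothing set up to the root means None

def effective_groups(user_groups, authenticated):
    """Regular groups plus the special groups All and Registered/Anonymous."""
    return set(user_groups) | {"All", "Registered" if authenticated else "Anonymous"}

def access_level(page, user_groups, authenticated=True):
    groups = effective_groups(user_groups, authenticated)
    levels = [group_level(page, g) for g in groups]
    if Level.DENY in levels:
        return Level.DENY  # Deny prevails in all cases
    return max(levels)     # otherwise the highest level among the groups wins

# Constructed sample page tree: root -> payroll -> report
root = Page("root", matrix={"All": Level.VIEW, "Staff": Level.EDIT})
payroll = Page("payroll", parent=root, matrix={
    "All": Level.NONE, "Accounting": Level.EDIT, "Contractor": Level.DENY})
report = Page("report", parent=payroll, matrix={"Engineering": Level.DEVELOP})

if __name__ == "__main__":
    print(access_level(report, ["Staff"]).name)                      # EDIT
    print(access_level(report, ["Engineering", "Contractor"]).name)  # DENY
```

In this model, setting "All" to None on `payroll` does not lock out a Staff member, because Staff still inherits Edit from the root and the highest level wins; only Deny removes access regardless of other groups.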

Testing the permissions for a particular user

On the right side of the permission page is a handy utility to test the access level of a certain user. Select a user from the list and click on the "Test" button. Portofino will run the permissions rules and present the computed access level.