Roles

What is a Role?

A role is a position or status held within a certain situation. In MODx, it can be used to group Users into a position or status within a User Group, e.g. "Editor" or "Front-end Read Only".

Roles in MODx use an integer value called "Authority". Lower numbers represent a stronger authority. For example, a Role with Authority 10 inherits any and all Group Policies assigned to itself and to any Roles defined with Authority 11, but a Role with Authority 11 does NOT inherit any of the Group Policies from the Role with Authority 10.

Be sure you clarify your language when talking about Authority because this inverse relationship can lead to some confusing sentences.

It helps to think of "Authority" as ordinal numbers: first, second, third, etc. Authority=1 is the first authority and trumps Authority=2 (i.e. the second authority).

You should generally avoid duplicate authority numbers.

Usage

One common example is to create Roles that mimic a basic employee position structure. Let's say we create the following Roles and Authority levels:

  • Administrator - 0
  • Director - 1
  • Coordinator - 2
  • Supervisor - 3
  • Employee - 9999

We can then create a User Group called "HR Department". Within that User Group, we'll assign Users to those Roles (you can have multiple Users per Role, as well).

Now, let's say John has a Role of Coordinator. Mark has a Role of Supervisor. We're going to give Mark's "HR Department" User Group an Access Policy (which is a set of Permissions) called "AccountPolicy" that has the following Access Permissions in it:

  • view_accounts
  • save_accounts

We've assigned this Policy to the "web" context for our User Group "HR Department". We then set its Minimum Role value to "Supervisor".

This means that Mark has these Permissions, since he's in the User Group, and has at least the Role of "Supervisor" (which is the Role he has, specifically).

But this also means that John has these Permissions as well, since he is a "Coordinator", which has a stronger Authority level than "Supervisor". So, John as Coordinator has "inherited" the Permissions that Mark had as Supervisor.
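The Minimum Role check from this example can be modelled in a few lines. This is an added Python example, not MODX's own code or API; the function names and the user "Alice" (an Employee) are assumptions introduced to show the case where the check fails.

```python
"""Model of the Minimum Role check described above (illustrative, not MODX code)."""
from collections import defaultdict

# Roles and Authority values from the page's example.
ROLES = {"Administrator": 0, "Director": 1, "Coordinator": 2,
         "Supervisor": 3, "Employee": 9999}
# Group membership; "Alice" is a constructed user, not from the page.
MEMBERS = {"HR Department": {"John": "Coordinator", "Mark": "Supervisor",
                             "Alice": "Employee"}}
# (user group, context, policy name, minimum role, permissions)
ACLS = [("HR Department", "web", "AccountPolicy", "Supervisor",
         {"view_accounts", "save_accounts"})]


def effective_permissions(user, group, context, roles=ROLES,
                          members=MEMBERS, acls=ACLS):
    """Return the permissions `user` receives in `context` through `group`."""
    role = members.get(group, {}).get(user)
    if role is None:  # not a member of the group: nothing is granted
        return set()
    granted = set()
    for acl_group, acl_context, _policy, min_role, perms in acls:
        if (acl_group, acl_context) != (group, context):
            continue
        # Lower number = stronger authority, so the user qualifies when
        # their Authority is numerically <= the Minimum Role's Authority.
        if roles[role] <= roles[min_role]:
            granted |= perms
    return granted


def duplicate_authorities(roles=ROLES):
    """Return {authority: [role names]} for Authority values used more than once.

    In this model, Roles sharing a number cannot be told apart by the check.
    """
    by_authority = defaultdict(list)
    for name, authority in roles.items():
        by_authority[authority].append(name)
    return {a: sorted(n) for a, n in by_authority.items() if len(n) > 1}


if __name__ == "__main__":
    for user in ("Mark", "John", "Alice"):
        print(user, sorted(effective_permissions(user, "HR Department", "web")))
    print("duplicate authorities:", duplicate_authorities())
```

Running it shows Mark and John with both Permissions and Alice with none, which makes it easy to review who a given Minimum Role setting actually reaches before assigning a Policy.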
