Where can I get some good documentation regarding roles and permissions?  I have a potential client who is concerned about how granular we can make things, e.g. whether we can permit content editors to modify certain pages but not be allowed to add a new page, etc.

I realize this can be a vast topic, and I'm not looking for a technical document about the layers of software involved in permissions.  What I need is an overview of where a site administrator can control permissions and how permissions and roles can be combined to limit/grant access to changing site content.

Thanks in advance to anyone who can point me to a good document on this topic.

Jim

Thanks Chris.  I'll take a look at the book.

On a specifc item, I was just playing around with permissions and trying to grant a user Edit permission for ONLY ONE module within a page.  I am seeing the following problem:

If I add the user to the Permissions grid in the Settings for the module, and check the checkbox for the Edit permission, the user does not gain the ability to Edit the module.  I have to also give the user Edit permission to the page that contains the module.  However, giving the user Edit permission to the page automatically gives the user Edit permission to ALL modules on that page.   I don't see a way to revoke the Edit permission for other modules on that page because the user doesn't even appear in the permissions grid for those modules.

Am I missing something obvious about how to grant Edit permission to only one module, or how to revoke it from other modules?

I've needed to write this somewhere for years now, and here's a good spot.

The security hierarchy in DNN has no granularity. It's really a cascade of only 4 roles (no matter what they're labelled): Host, Admin, Page editor, Module editor.

Some modules, such as forums provide additional roles such as contributors and moderators, but otherwise you're stuck with the status quo. DNN5 finally breaks some modules out of the Admin role, but that's the only change to this structure that I've noted so far.

Even so, the four roles, plus module-specific ones, would normally be plenty. However, many developers don't appreciate the distinction between the module editor and page editor roles, and either ignore them, or don't sufficiently distinguish between them. The roles are reasonably clearly defined in the DNN help on the site here, but to clarify it even more, here's a guideline for module developers:

• Module editors are the content managers, or the publishers, of the website. They must be able to carry out all tasks required in order to create, manage and remove all content within a module. and they must be able to do so with only module edit permissions. This means that all required tools must be made available through action menus and/or buttons.
   
• Page editors have a design, layout and architecture role. They determine what goes where, what it looks like (containers). what is does (configuration), who can manage the content, and how the pages are organised. Page editors have access to the Module Settings, and this is where they should only find options that relate to the functionality mentioned here. This means that there should be no content management tools in the module settings section.

There is some ambiguity about this, partly because DNN can be set up as a single admin-owner website, but also as a multi-portal and multi-owner site, such as a corporate intranet. As well, it's obvious that the Admin role was originally the only role intended to be used for managing all aspects of the website other than hosting it. DNN is evolving towards finer granularity, but it also requires that third party developers understand the need for this and build it into their modules. I personally spend a heck of a lot of time on beta programmes in order to influence this.

Not sure why I added all this here to the thread, but it needed to go somewhere.

Jim - If you're going to grant content managers page edit rights then you're out of luck. I work around this by not making the ability to add text/html modules to a page part of the content management workflow. If a page requires a text module then the person with page edit rights places it there in advance and gives the content manager edit rights on it. Further workarounds are made possible by using article publishing modules. This lets content managers create pages of categorized content without messing with the site structure. It's much more appropriate than giving out page edit rights.

Rulecourt - You might also consider removing page edit rights from one of those roles and instead place their desired module/s on the required pages in advance... and then just give them module edit rights for it.

Regards,
Rob