Planning Access and Workflow
When setting up your website within OU Campus, it is recommended to have a plan before setting up your access and workflow. Establishing an organized system at the start will identify necessary groups and users as well as ensuring those who need access to specific sections of the site, have it.
When it comes to planning access, here are some key points to keep in mind:
- Access is given to groups, not individuals
- Only one group can be given access to an item at any given time, but users can be in multiple groups
- A user cannot access items within a directory if they can't access the directory itself, unless it's via DirectEdit
Therefore, the best approach to take towards configuring access settings is a "top-down" one. Start with more generalized permissions, and then get more specific as you get closer to the content. For example, a site might allow access to a group of twenty users, a directory within the site might allow access to a group of ten, a page within the directory a group of five, and so forth.
Remember that only Level 10 administrators can create users and groups, and that all Level 9 and Level 10 users ignore group access settings, giving these users access to everything on the site.
The simplest and most efficient way to plan your groups is to have them mimic your file structure. Custom Reports can be very useful for this. Run the reports for "Directories" and "Pages," export to CSV, and then conflate the results to get an overview of your site structure. Once you have your pages, you can then plan who needs to go where.
From here, you can then make groups that match up with the file structure (an "English" group, a "Science" group, etc.). You can then decide who should be in which group based on which folders they need to access.
After defining which users should have access to the pages and directories, sort by the Access column in order to see how many groupings of users there are. This helps determine how many groups are needed and which users need to be in those groups. Following the same steps for publishers helps identify any additional groups that may be needed.
After Setting Access
Run the reports again after the groups have been created and assigned. Be sure to select the checkboxes for Access, Publishers, and Approvers to make certain the output includes the appropriate data. This allows comparison and confirmation of proper group and individual assignment to the directories and pages so that the appropriate users can navigate to the pages they need to access and edit. This is also helpful in identifying areas to which users should not be allowed access.
In addition, either a Groups report or a Users report can be run in order to ensure that users are assigned to the proper groups, after confirming that directory and page assignments are as desired.
Planning Access to Directories and Files
Two important values for access settings are Everyone and (Administrators Only). The Everyone group is a system group that cannot be edited but includes everyone within the account. The (Administrators Only) group includes only only Level 9 and Level 10 administrators. There is also the (Inherit from Parent) group, which is the default for most of the settings if no other group has been selected.
This can be capitalized upon in an organizational sense by assigning access from the top down. Find a directory tree structure and assign it the broadest possible access in a recursive manner, using the checkbox that assigns permission to "This folder and all existing items within." Continue moving deeper through the directory tree, modifying access settings to narrow and refine access using this same manner. Note that several access values can be modified simultaneously (while leaving some values untouched) by using the checkboxes next to each property.
Reassigning Access at the File Level
As needed, override access at the file level to ensure that only the smallest possible group has access to that file.
Planning Editable Regions
Finally, editable regions of a page should be tagged with the appropriate group name. There are two best practice strategies to keep in mind at this level of access.
- Regions of a page that should be editable by everyone who has access to the file should be assigned to the special group "Everyone." Since only those who have access to the file can access the page in the first place, it is redundant to restrict access for those specific regions to the same group.
- Regions of a page that need to be restricted to specific users should be set to specific functional groups such as "header," "footer," "left_navigation," etc., rather than the specific users themselves, and the appropriate users placed in each group. This provides the most flexibility over time, while at the same time giving users the correct access to the correct pages.
In order to tag editable regions and change their access settings, it is necessary to go into the source code of that page and change it from there.
For more information, visit the Editable Regions page.
Consider the following path to a page:
Following our recommended settings, the /admissions/ directory would be set to the group "admissions," making sure that the change is applied recursively. That assigns all files and folders within the directory to the "admissions" group, including the index.html file.
The page now allows access to the following users who comprise the "admissions" group: Anna, Bob, Christine, Diego, Erika, Fred, and Grace. The editable regions then allow access to specific user groups as follows:
- main body (Anna, Bob, Christine)
- header (Diego, Erika)
- footer (Diego, Erika)
- left_navigation (Anna, Christine, Diego, Erika)
- news (Anna, Fred, Grace)
In this example, the file index.html has five tagged editable regions: main body, header, footer, left_navigation, and news. Each of these regions is tagged in the source code with the group by the same name, with the exception of the main body regions that are tagged with the group "Everyone." With that, and the page tagging as described above, the results are as follows:
- The main body of the page will be editable by Anna, Bob, and Christine (but no one else).
- The header will be editable by Diego and Erika (but no one else).
- The footer will be editable by Diego and Erika (but no one else).
- The left_navigation of the page will be editable by Anna, Christine, Diego, and Erika (but no one else).
- The news will be editable by Anna, Fred, and Grace, but no one else. Furthermore, the only region of the page that Fred and Grace can edit is the news.
This way, if Bob someday leaves the main body group, and Henry takes his place, no changes will have to be made to the access settings themselves. All that will need to be changed is the members of the group, i.e. taking Bob out and putting Henry in.