This document is valid for the current version of Plone.

Roles and Permissions

by Plone Documentation Team last modified Dec 27, 2009 05:45 PM
Contributors: Mikko Ohtamma, Martin Aspeli, Kamon Ayeva, Israel Saeta Pérez
Information about the import and export of roles and permissions.

You can create roles and modify permissions using the rolemap.xml GenericSetup import step. For more information on roles and permissions see the Permissions and roles tutorial.

Here is an example of what you will see when you export the rolemap step.

<?xml version="1.0"?>
<rolemap>

  <roles>
    <role name="Anonymous"/>
    <role name="Authenticated"/>
    <role name="Contributor"/>
    <role name="Editor"/>
    <role name="Manager"/>
    <role name="Member"/>
    <role name="Owner"/>
    <role name="Reader"/>
    <role name="Reviewer"/>
  </roles>

  <permissions>

    <permission name="View" acquire="True">
      <role name="Contributor"/>
      <role name="Editor"/>
      <role name="Reader"/>
    </permission>

    <!-- more permissions here -->

  </permissions>

</rolemap>

The rolemap.xml is split into two sections, roles and permissions. Imagine you want to create a new ProUser role in your site. Here is what the rolemap.xml would look like.

NOTE: The rolemap.xml must include both the <roles> and <permissions> tags, even if they have empty contents - otherwise the step will error out.

<?xml version="1.0"?>
<rolemap>
  <roles>
    <role name="ProUser"/>
  </roles>
  <permissions/>
</rolemap>

You can assign the newly created role to existing permissions in the system. Here we add the ProUser role to the View permission.

<permission name="View" acquire="True">
  <role name="Reader"/>
  <role name="Editor"/>
  <role name="Contributor"/>
  <role name="ProUser"/>
</permission>

Note that assigning roles to a permission with the <permission> directive overwrites the existing assignments, so remember to include all the roles that are already assigned. The following would leave the View permission assigned to the ProUser role only.

<permission name="View" acquire="True">
  <role name="ProUser"/>
</permission>

The acquire attribute tells Zope whether or not to inherit the permissions from above. The default is False.
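Because a <permission> directive overwrites the existing assignments, it helps to compare a proposed rolemap.xml against the exported one before importing it. The following is an added example, not part of GenericSetup or the original page: the function names and both sample documents are constructed here, and it assumes acquire is written as True/False as in the snippets above.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the snippets on this page.
EXPORTED = """<rolemap><roles/><permissions>
  <permission name="View" acquire="True">
    <role name="Contributor"/><role name="Editor"/><role name="Reader"/>
  </permission>
</permissions></rolemap>"""

PROPOSED = """<rolemap><roles><role name="ProUser"/></roles><permissions>
  <permission name="View"><role name="ProUser"/></permission>
</permissions></rolemap>"""


def parse_rolemap(xml_text):
    """Return {permission: (roles, acquire)}; reject a file missing either section."""
    root = ET.fromstring(xml_text)
    if root.tag != "rolemap" or root.find("roles") is None or root.find("permissions") is None:
        raise ValueError("rolemap.xml needs both <roles> and <permissions>")
    perms = {}
    for p in root.find("permissions").findall("permission"):
        roles = {r.get("name") for r in p.findall("role")}
        # An omitted acquire attribute is treated as False, the default stated above.
        perms[p.get("name")] = (roles, p.get("acquire", "False").strip().lower() == "true")
    return perms


def review(exported_xml, proposed_xml):
    """List role assignments the import would drop and acquire settings it would change."""
    current, findings = parse_rolemap(exported_xml), []
    for name, (roles, acquire) in sorted(parse_rolemap(proposed_xml).items()):
        old_roles, old_acquire = current.get(name, (set(), acquire))
        for role in sorted(old_roles - roles):
            findings.append(f"{name}: assignment to {role} would be dropped")
        if old_acquire != acquire:
            findings.append(f"{name}: acquire {old_acquire} -> {acquire}")
    return findings


if __name__ == "__main__":
    print("\n".join(review(EXPORTED, PROPOSED)))
```

An empty result means the proposed file keeps every role the export lists for the permissions it touches.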

Removing roles and permissions

The rolemap handler does not handle the removal of roles or permissions. You would need to write Python code in order to remove a role from the system via your GenericSetup profile.

Permissions are typically created at startup, either in the package's __init__.py or by being defined in ZCML.