Super user/sys admin role

We would find it really useful if there was a way of having a super user/sys admin role in the system.

It would avoid a lot of setup and would allow us to keep some things explicit for just us.

I thought the Admin role fulfilled that function as, by default, it has rights and permissions across the system, or am I missing something here?

To put it another way, we need a sub-admin role that doesn’t have super-user powers. If you have hundreds of sites (which I’m afraid we will), the person responsible for administering your entire installation shouldn’t be the same person responsible for requests such as, “I just created a new page. Can you link it to the menu and publish it for me?”

Hi

I’d like to be able to add more than one role as the workflow administrator.

Cheers
James

We use a role called Web_Admin for that job. We’re going to launch the following features mid Q3.

Navigation content types will use a workflow, with “all community visibility,” but only the Admin and Web_Admin roles can create that content and push it through the workflow.

We’re also about to launch a “Delivery ACL” content type that creates an Apache .htaccess to control things such as SSL and authnz on our delivery tier (which runs under Apache 2.2.8).

What else would you want your sub-admin role to do?

I forgot to mention that our Publish Now is also restricted to the Admin and Web_Admin roles, so a user can go bug the Web_Admin in their community rather than sending me (the Admin) an email.

As a side note to that, we haven’t made Publish Now available to all communities. We’re waiting for multi-threaded publishing in v. 6.6 before we open that Pandora’s box.

It’s possible to change permissions and ACLs to separate sub-admin and super-admin responsibilities. I’d just like to see that process made easier.

We’re not yet in production, so I’m still open to suggestions. But I’ve upgraded the privileges of Editor to take on some of the responsibilities of VT’s Web_Admin which belong only to Admin in the FastForward model. For example, currently our Editor can approve content and work with navigation for his or her site. We think that the webmasters of our largest colleges and departments will need Admin rights. They need access to the Workbench because they will each be responsible for many websites. In fact, I may be the only Percussion administrator who plans to let others use the Workbench permanently. Believe me, I’ve received no encouragement from Rhythmyx users to do that, only from my management. But I’ve removed some of the privileges of Admin, giving them to a new CMS_Admin role of which I’m a member and which serves as a super-admin. We will have to rely on training our high-powered users not to mess things up.

I was meaning it as a role which did not have to change communities to be able to do certain functions.

The role would effectively sit above communities and allow a person who had the role to be able to do pretty much anything.

We have loads of communities, roles and websites and it would save us a lot of time and would prevent us accidentally creating something in the wrong community (which is very frustrating), and having to change to a different community just to get the functions we need.

[QUOTE=mcai7gh2;2895]I was meaning it as a role which did not have to change communities to be able to do certain functions.

The role would effectively sit above communities and allow a person who had the role to be able to do pretty much anything.

We have loads of communities, roles and websites and it would save us a lot of time and would prevent us accidentally creating something in the wrong community (which is very frustrating), and having to change to a different community just to get the functions we need.[/QUOTE]

We’re planning a small change in 6.6 that might address part of these side effects at least.

See this new thread to discuss the change, which is more general…

http://forum.percussion.com/showthread.php?t=671

The direction is to make the permission evaluation based on the association of role to community and item community, NOT to the current session community of the user. That will at least help with admins being forced to jump around from login communities.

Clearly, this is only a part of your request, but perhaps relevant to similar issues.

Also, for publishing specifically, a new “Designer” role is coming in 6.6 that allows for creation/definition of publishing design (sites, editions, contentlists and variables, etc.) but NOT of actually running publishing jobs. More on that to come later.
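
Added example, not part of the thread and not Percussion code: a simplified model of the two evaluation rules described above, showing that resolving permissions against the item's community removes the need to switch login community without turning the role into a super user. The community names, the permission names ("edit", "publish_now") and the rule that the old check requires the item to be in the session community are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample configuration (hypothetical communities and permissions).
ROLE_COMMUNITIES = {            # role -> communities the role is associated with
    "Web_Admin": {"Engineering", "Science"},
    "Editor": {"Engineering"},
}
ROLE_PERMISSIONS = {            # role -> actions the role grants
    "Web_Admin": {"edit", "publish_now"},
    "Editor": {"edit"},
}

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    session_community: str      # community chosen at login

@dataclass(frozen=True)
class Item:
    title: str
    community: str              # community that owns the item

def roles_granting(user, action, community):
    """Roles held by the user that grant `action` and are tied to `community`."""
    return {r for r in user.roles
            if action in ROLE_PERMISSIONS.get(r, set())
            and community in ROLE_COMMUNITIES.get(r, set())}

def allowed_session_based(user, item, action):
    """Assumed current rule: evaluate against the login (session) community."""
    if item.community != user.session_community:
        return False            # user must log in to the item's community first
    return bool(roles_granting(user, action, user.session_community))

def allowed_item_based(user, item, action):
    """Planned 6.6 direction: evaluate role-to-community against the item's community."""
    return bool(roles_granting(user, action, item.community))

def compare(user, items, action):
    """Return {item title: (session_based, item_based)} for a side-by-side view."""
    return {i.title: (allowed_session_based(user, i, action),
                      allowed_item_based(user, i, action)) for i in items}
```

Under the item-based rule a role still has to be associated with the item's community, so an item in a community the role is not tied to is denied under both rules.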

Thanks Vern, that sounds like a step in the right direction.

Will the new “Designer” role in 6.6 be able to design templates?