Defining content authority groups

Creating content authority groups help control who has access to edit specific areas of content within iMIS. Content authority groups contain several group roles that allow for different content permissions. To learn more about what each specific group role can do, see Understanding the edit permissions.

Although you can add anyone in your iMIS database, including members, to a content authority group, you will want to be cautious when specifying members of the group. Adding the wrong person or designating the wrong role to someone can grant an user edit permissions that you generally wouldn’t want them to have.

You can create unlimited amounts of content authority groups, but ASI suggests that you only create two groups:

  • Master admin group - Members of this group can have access to all navigation within iMIS, but their group role determines if they can edit the content. Adding members to this group should be rare. Although members within this group have access and can view content in all sites, including the Staff site, they do not have as much authority as SysAdmins.
  • Other content authority group - The second group you create is where you should do the majority member adding and permission setting. This is where you will ensure that certain members are never limited in any way by the Access Control settings of RiSE definition objects.

Do the following to define content authority groups:

  1. From the Staff site, go to RiSE > Maintenance > Content authority groups.
  2. Select an existing content authority group to modify its properties. You can also add or copy a content authority group.
  3. Click the X icon to delete an existing content authority group.
  4.  Select Add to add a new or copy an existing content authority group:
    •  Create a new content authority group:
      1. Enter a Group name.
      2. Select Master admin group if you are creating the master admin group.
      3. Click Save.
    • Copy an existing iMIS group:
      1. Select an existing Group to copy.
      2. Select Master admin group if you are creating the master admin group.
      3. Click Save.
  5. Expand the Group Membership section to add new group members. Once members have been added, you can edit content authority group permissions for each member.

From the Staff site, go to RiSE > Maintenance > Content authority groups. Select Add to add a new content authority group, or select an existing content authority group.

These fields control the properties of content authority groups that are defined in the system:

Assigns all members of this content authority group to the Content Administrator Document system security role, which gives the members full Document system permissions to all iMIS RiSE definition objects in the system. This is useful when you want to ensure that members of this content authority group are never limited in any way by the Access Control settings of iMIS RiSE definition objects.

(displayed only when you click Add from the main list of defined content authority groups)

Creates a content authority group that is based on an existing iMIS security group that you choose when you click select. This content authority group:

  • Has the same name as the selected iMIS security group, followed by CAG.
  • Has the same members as the selected iMIS security group (copied at the time of creation. If additional members are later added to the security group, they are not automatically added to the content authority group).
  • One of the members has Content Editor and Default Owner content authority group permissions assigned by default. All other members have no content authority group permissions at all. You must edit the permissions for each member.

To enable the people who perform web content authoring to view and define content folders and content records, you must grant Document system Read, Edit, and Delete permissions to these people in the Access Settings section of every content folder definition. It can be too permissive to grant these permissions to the security role Everyone, and it can be too tedious to add every person as an individual user just so you can grant them the appropriate permissions.

A much easier method is to define content authority groups that are based on your preexisting iMIS security groups, with each content authority group having the same members as the corresponding security group. Then, when defining content folders, you can assign the content authority group in the Workflow Management section, and in the Access Settings section you can grant Document system Read, Edit, or Delete permissions as needed to the corresponding security group, or Full Control permissions to confer Read, Edit, and Delete permissions.

Create a content authority group that is based on an iMIS security group:

  1. From the Staff site, go to RiSE > Maintenance > Content authority groups.
  2. Click Add to add a new content authority group.
  3. Select Copy an existing iMIS Group.
  4. Click select.
  5. Find the name of the iMIS security group you want to copy.
  6. Click the name of the iMIS security group.
  7. Click Save.

This creates a content authority group that has the following:

  • The same name as the selected iMIS security group, followed by CAG.
  • The same members as the selected iMIS security group, which are copied at the time of creation. If additional members are later added to the security group, they are not automatically added to the content authority group.
  • One of the members has Content Editor and Default Owner content authority group permissions assigned by default. All other members have no content authority group permissions at all. You must edit the permissions for each member.

Note: After you create a content authority group in this manner, the content authority group and the original iMIS security group do not automatically stay in sync. They are two different groups at this point and each must be updated separately.

  • You must have planned the content authoring workflow that you want for your organization.
  • Optionally, you should have a list, prepared with the assistance of the person who performs iMIS administration, of the standard iMIS security groups for which you want to create corresponding content authority groups.

The following content is only displayed after at least one member has already been added to the content authority group.

Note: The following content authority group permissions are additive with the standard Document System permissions used for all iMIS definition objects. For example, even if you have Content Editor content authority group permissions, you will not be permitted to edit the properties of a specific content record unless you also have Read and Edit Document System permissions on that content record. And even if you have Content Approver content authority group permissions, you are not permitted to delete content records unless you also have Delete Document System permissions on each content record.

  • Content Editor – Grants the ability to create new content records and edit the properties of existing content records. Also enables you to be designated as the content owner of a content folder or content record. The following workflow events appear in the task list (Page Builder > View task list):
    • Content record expiration notices
    • Content record change requests

    • Clear this checkbox to revoke these permissions and prevent these workflow event notifications.

    Note: If you do not also have Content Approver content authority group permissions, you will not be able to publish or delete content records. Instead of a Publish command on the toolbar, you will see only a Submit command, which notifies every person with Content Approver content authority group permissions that you have requested to publish the content record. Likewise, although you'll see a Delete command, the content record is not actually deleted. Instead, all content approvers receive notice that you have requested to delete the content record.

  • Default Owner – Designates a single member of the content authority group as the default content owner to automatically assign to a content folder or content record if the current content owner becomes ineligible for any reason. For example, if you change the content authority group assigned to a content folder and the previous content owner does not have Content Editor content authority group permissions in the newly assigned content authority group (or isn't even a member of the new content authority group), then the Default Owner of the newly assigned content authority group is automatically assigned by the system as the new content owner for the content folder.
    • When you define a new content authority group, the first member that you add to the content authority group is automatically assigned both Default Owner and Content Editor content authority group permissions.
    • You cannot remove Default Owner permissions from a content authority group member. Instead, you must assign Default Owner permissions to a different member (which also automatically assigns Content Editor permissions to that member if they do not already have them).

    • Note: For content folders that have a content authority group (CAG) assigned to them, the Owner of this content value is not copied to new content records that are created inside of it. Instead, content records automatically have this value set to specify the first person who created the content record, which you can subsequently change as needed.

    Warning!  

    A content record does not have a content owner automatically assigned if it was created by a person who is a member of the SysAdmin role, but who does not have Content Editor content authority group permissions in at least one content authority group.

  • Content Upload – Grants the ability to upload images for use in Content Html content items and to upload other types of files for use in ContentFile content items. Clear this checkbox to revoke these permissions.
  • Content Approver – Grants the ability to approve content records that have been submitted for publishing or for deletion. The following workflow events appear in your Page Builder Task List. By default, publishing requests are also emailed to you, but the person who performs iMIS RiSE implementation can disable these emails in Settings > RiSE > Page Builder configuration.
    • Content record publishing requests
    • Content record deletion requests

    • Clear the Send email to content approver when content is requested for approval checkbox to revoke these permissions and prevent these workflow event notifications.

  • Folder Creator – Grants the ability to create new content folders, and edit or delete existing content folders. Clear this checkbox to revoke these permissions.
  • Folder Editor – Grants the ability to edit the properties of existing content folders. Clear this checkbox to revoke these permissions.
  • Navigation Creator – Grants the ability to create new navigation items, and edit or delete existing navigation items. Clear this checkbox to revoke these permissions.
  • Navigation Editor – Grants the ability to edit the properties of existing navigation items. Clear this checkbox to revoke these permissions.
  • Layout Editor – Grants the ability to create new content layouts and edit the properties of existing content layouts. Clear this checkbox to revoke these permissions.

Runtime access to the Content Block content item is controlled using permissions in Content Authority Groups. Only users with administrative access or the Content Editor permission can add content or posts, or a child, if applicable. Authenticated users without the Content Editor permission can reply to posts if replies are enabled, as well as edit or delete their own replies.

  1. Go to RiSE > Maintenance > Content authority groups.
  2. Click select for an existing content authority group to modify its properties. You can also click Add to add a content authority group. In the Select New Group Members area, add the new user to the content authority group if they are not already a member:
    1. Select Last Name in the Select a Query drop-down.
    2. Find the new user based on their last name.
    3. Click Add for the new user you want to add. The user is added to the content authority group.

    3. The Content Editor Permission can be added to a user in any content authority group.

  3. In the Current Group Members area, click edit permissions next to the user’s name.
  4. Select the Content Editor option. No other permissions are required to use Content Block, nor will additional permissions impact the use of Content Block.
  5. Click Update to update the permissions.
  6. Click Save to update the content authority group. The next time the user logs in to iMIS and navigates to a page containing a Content Block, they will see options to Add, Edit, and Delete HTML Posts and Child Posts, if enabled.

Note: This permission also gives the user Easy Edit permissions which can be used to edit the content item configuration in iMIS RiSE. Editing content using Content Block or iMIS RiSE is considered comparable from a security stand point. Also, System Administrators have full access regardless of any content authority group permissions.

Authenticated Users, such as logged-in users, are allowed to create replies to posts if this function is enabled in the content item configuration. These users can also edit and delete their own replies, but not those of other users. System Administrators and Content Editors have full edit access to all replies.

All users are allowed read access to the Content Block content item. However, all other iMIS security still applies. Pages containing a Content Block can still be public or secure just like any other page on your website.

A content authority group (CAG) is a special type of iMIS security group whose members have permissions that are specific only to iMIS RiSE functionality. Content authority groups are also used to enable content authoring workflow.

Content authority group permissions are specified for each member of a content authority group. These permissions determine whether that member can create, edit, publish, and delete navigation items, content records, and content folders. They also determine whether that member can define content layouts, upload graphics for use in Content Html content items, and upload files when defining a ContentFile content item.

Content authority group permissions are globally applied throughout iMIS RiSE. For example, if a specific iMIS user is granted permission to edit content records in any content authority group to which they belong, then that user has global permission to edit content records in any content folder.

Content authority groups can be designated as a Master admin group. Members of a Master admin group are automatically assigned to a special iMIS Content Administrator security role. iMIS users who belong to the Content Administrator role always have full Document System security permissions for all iMIS RiSE definition objects in the system.

Content authoring workflow is enabled for a content folder by assigning a content authority group to the content folder. All content records created in that content folder will subsequently progress through the workflow that is defined by the permissions assigned to each member of the content authority group.

When new sub-folders are created, the content authority group assigned to the parent folder is copied into the definition of the new sub-folder by default (thus inheriting the parent folder's workflow), but any content authority group member with Folder Editor permissions can change or remove the assigned content authority group of the new sub-folder.

Content authoring workflow revolves around messages that appear in the task list (Page Builder > View task list) for every person who is a member of at least one content authority group. Any person with access to RiSE can view the task list. The task list is divided into the following categories:

  • Content you are working on – Content records that you were the last person to define and save, and which are still in a Working state, are listed here. It does not matter whether you are a member of the content authority group assigned to the content record's parent content folder, or whether the parent content folder has a content authority group assigned to it.
  • Content awaiting your approval – People who do not have Content Approver content authority group permissions cannot publish content records. Instead of seeing a Publish command, they see a Submit for Approval command, which submits a content publishing request. These content publishing requests are listed here for all people that have Content Approver content authority group permissions in at least one content authority group to which they belong. It does not matter whether you are a member of the content authority group assigned to the content record's parent content folder, or whether the parent content folder has a content authority group assigned to it.
  • Content deletion requests – People who do not have Content Approver content authority group permissions cannot delete content records. They see the Organize > Request Delete command, but using it does not actually delete the content record from its parent content folder. Instead, this action submits a content deletion request. These content deletion requests are listed here for all people that have Content Approver content authority group permissions in at least one content authority group to which they belong. It does not matter whether you are a member of the content authority group assigned to the content record's parent content folder, or whether the parent content folder has a content authority group assigned to it.
  • Content that has expired or will soon expire – If you are the assigned content owner for a content record that is defined to have an expiration date, expiration notices for that content record are listed here when that date approaches, when the date actually occurs, and at defined intervals after the date has passed.
  • Content change requests assigned to you – When people who do not have Content Editor content authority group permissions use the Easy Edit feature of iMIS RiSE to edit a content item or content record on a rendered web page, they see a content change request form instead of the content record editor or content item editor. Such content change requests on content records for which you are the assigned content owner are listed here.

    • Note: The person who creates a new content record is automatically assigned as the content owner for that content record (this assignment can be manually changed after creation). It does not matter who the content owner assigned to the parent content folder might be.

    Warning!  

    A content record does not have a content owner automatically assigned if it was created by a person who is a member of the SysAdmin role, but who does not have Content Editor content authority group permissions in at least one content authority group.

  • Unassigned content change requests – Similar to the preceding bullet, except that content change requests for content records that have no specified content owner are listed here in the Page Builder Task List of every person who has Content Editor content authority group permissions in at least one content authority group to which they belong.

Note: You must be a Casual or Full user and you must belong to at least one content authority group to see the RiSE tab. Public users who are members of a content authority group cannot see the RiSE tab, but they can interact with content records by using the Easy Edit feature.

Content authority group (CAG) permissions are specified for each member of a content authority group in the definition of each content authority group. Document System security permissions are defined in the Access Settings section in the definition of most iMIS RiSE definition objects.

Both types of permissions affect your ability to view and define iMIS RiSE definition objects. The interaction between these two different sets of permissions enables some sophisticated structuring of security access and content authoring workflow.

  • Document System Read permissions for iMIS RiSE definition objects such as a content record or a navigation item determine not only which iMIS users can view the properties of that definition object within RiSE, but also determine who can see the rendered version of that object on a website.

    • For example, if a content record is assigned to the system role Everyone with Read permissions, then even anonymous visitors to an iMIS RiSE website will be able to view that content record's rendered web page. However, if only a specific security group such as "Board Members" is given Read permissions for that content record, then only members of that security group who have logged on to the iMIS RiSE website will be able to view that content record's rendered page. If they do not log on to the website with their iMIS logon name, they are treated as anonymous users and unable to view the rendered page.

  • Document System Edit permissions are required to edit the properties of iMIS RiSE definition objects and Delete permissions are required to delete iMIS RiSE definition objects. However, these permissions are not sufficient by themselves. You must also have the corresponding content authority group permissions. For example:
    • If you have Document System Read and Edit permissions on a content record but you do not also have the content authority group Content Editor permission, then when you attempt to view the properties of that content record, you will see only a rendered preview of that content record. You might want a mixture of permissions like this, plus the content authority group Content Approver permission, for the staff in your content authoring workflow who you want to give the ability to approve or reject content, but not the ability to create or revise content.
    • If you have Document System Read, Edit, and Delete permissions on a content record and you have the content authority group Content Editor permission, then you will be able to view and edit the properties of that content record, but you will not be able to delete that content record. If you also have the content authority group Content Approver permission, then you will also be able to delete that content record.