How do I change the default set of Group permissions for Owners, Managers and Members

How do I change the permission schema SYSTEM WIDE for Owners, Managers and Members?

I know an override to the default is possible, but it is a tedious operation having to do this for every permission setting.

The use case is: I have a community where owners' permissions need to be reduced to the manager role.

Though your reaction is: Why do you not assign the manager role to them? The system also has other hard wires to the owner role that are needed for this owner role.

I just need to take away owner permissions at system level instead of having to deselect them every time I create one of hundreds of groups.

  • Thanks Steven. What's the script API call to get the default application permissions at the group level? I used $core_v3_permission.List and passed in the GroupId..

    e.g. $core_v3_permission.List(24, "%{ GroupId = 12 }")

    (where 24 is the role Id for Members)

    But it only returned group-specific permissions like Group_CreateWiki.

  • You can check the default permissions with an ApplicationId in the List call, after creating an application. Default templates only differ by group type and group role, so once you have recorded the defaults, you should be able to just specify the changes you want to make with the Set calls.

  • Yeah, but if there aren't any applications in the Group just after its creation, there isn't an applicationId to pass in.. unless I'm using the Group's application id? (it's the UK evening, so I'm not on my work PC to check). Sorry for needing so much help here.. the documentation isn't great and I've been really struggling to figure out how it should work.

  • In general, for setting group permissions from a custom-managed "template" (i.e., a list of desired changes that you manage), you shouldn't need to list existing permissions of a new group. Once you've generated your list from an existing group set up with the out-of-the-box defaults including applications, then you can apply that list going forward to new groups.

  • Sorry, you're losing me. If I don't list the existing permissions of a new group, I won't know the PermissionId I'm adjusting via .Set 

    E.g.

    $core_v3_permission.Set($isAllowed, $roleId, $permissionId, "%{ ApplicationId = $applicationId, GroupId = $groupId }")

    $roleId is fine.. I've got that for 'Member'
    $permissionId isn't known (I'd need to list permissions for an application to get this, wouldn't I?)
    $applicationId isn't available because no applications exist in the new group
    $groupId is the ID for the new group

    I think you then talk about setting up a group somewhere with all the defaults we'd want on a new group.. but how do I take that as the input, and apply the permissions to the new group.

    If you've got an example automation or any code it'd be extremely useful. I can post the full solution when we've got this figured out, as I think other people will find this useful too.

  • PermissionIds are static, and exposed via script extensions for each application, e.g. core_v2_blogPermissions Script API, calendar_v1_permissions Script API, etc. (Also for groups: core_v2_groupPermissions Script API.) So you can know ahead of time what permissions would be available for each application, and set them at the group level, which would then be applied as the default for any new applications created in the group. (The reason I mentioned first creating a test group with applications would be to compare your desired permission list against the existing/out-of-the-box default list, to know which permissions need to be added or removed by your customization.)

    Drop the ApplicationId portion out of the Set call:

    $core_v3_permission.Set($isAllowed, $roleId, $permissionId, "%{ GroupId = $groupId }")

    • $roleId would be the specific Group/Site role Id you want to alter this permission for
    • $permissionId would be the static value from one of the provided permissions extensions
    • $groupId would be the specific Group you're making this change for

    Then, you can confirm by viewing Manage Group > Permissions > Group Roles > Members (or whatever role you are setting for) and checking there to confirm the permission is being set as expected.

  • Ohhh, that's got it. It didn't occur to me to pass in the permissionId from another application. Great. That works for me.. I can get on with an automation rule to automatically set default application permissions for a newly created group. Thanks for your help Steven, it's been invaluable. 

  • Hi, me again. Okay, so the automation rule I wrote was looking good.. until I tested it with all the different application types. I'm finding blog doesn't return any permissions using the following script:

    ## #set($appId = $core_v2_utility.ParseGuid('756b21b3-6b08-44b6-b42e-c19fffc7e6f5')) ## Wiki
    #set($appId = $core_v2_utility.ParseGuid('2b8591eb-5285-4281-a7fe-a7eb24d57d88')) ## Blog
    $core_v3_permission.List(2550, "%{ ApplicationId = $appId }")

    This video shows how I'm looking up the Application Guids and checking the role Id, and that permissions exist, etc.

  • Does the empty response for blog permissions have any warnings or errors?

    I noticed you removed all permissions for blogs during the video, does the same issue occur when some permissions are assigned?