How do I change the default set of Group permissions for Owners, Managers and Members

How do I change the permission schema for Owners, Managers and Members SYSTEM WIDE?

I know an override of the default is possible, but it is a tedious operation having to do this for every permission setting.

The use case is: I have a community where owners' permissions need to be reduced to the manager role.

Though your reaction is: Why do you not assign the manager role to them? The system also has other hard wires to the owner role that are needed for this owner role.

I just need to take away owner permissions at the system level instead of having to deselect them every time I create one of hundreds of groups.

  • PermissionIds are static, and exposed via script extensions for each application, e.g. core_v2_blogPermissions Script API, calendar_v1_permissions Script API, etc. (Also for groups: core_v2_groupPermissions Script API.) So you can know ahead of time what permissions would be available for each application, and set them at the group level, which would then be applied as the default for any new applications created in the group. (The reason I mentioned first creating a test group with applications would be to compare your desired permission list against the existing/out-of-the-box default list, to know which permissions need to be added or removed by your customization.)

    Drop the ApplicationId portion out of the Set call:

    $core_v3_permission.Set($isAllowed, $roleId, $permissionId, "%{ GroupId = $groupId }")

    • $roleId would be the specific Group/Site role Id you want to alter this permission for
    • $permissionId would be the static value from one of the provided permissions extensions
    • $groupId would be the specific Group you're making this change for

    Then, you can confirm by viewing Manage Group > Permissions > Group Roles > Members (or whatever role you are setting for) and checking there to confirm the permission is being set as expected.
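
The comparison described in the reply above (desired list against the out-of-the-box default) can be scripted before anything is changed. This is an added example, not part of the original reply or the product's own code: the permission ids, role ids and the helper names `plan_changes` and `render_set_calls` are hypothetical, and it only prints the group-scoped `Set` calls for review.

```python
"""Plan the group-level changes that reduce one role to another role's level."""

# Constructed sample data: these permission ids and role ids are placeholders.
# Real ids come from the permissions script extensions named in the reply.
BASELINE = {
    "owner": {"perm-read", "perm-post", "perm-moderate",
              "perm-delete-app", "perm-edit-roles"},
    "manager": {"perm-read", "perm-post", "perm-moderate"},
}
ROLE_IDS = {"owner": 101, "manager": 102}  # hypothetical role ids


def plan_changes(current, desired, catalogue):
    """Return [(permission_id, is_allowed)] that turns `current` into `desired`.

    Raises ValueError for ids missing from `catalogue`, so a mistyped id
    cannot silently leave a permission granted.
    """
    unknown = (current | desired) - catalogue
    if unknown:
        raise ValueError(f"unknown permission ids: {sorted(unknown)}")
    revoke = [(p, False) for p in sorted(current - desired)]
    grant = [(p, True) for p in sorted(desired - current)]
    return revoke + grant  # revocations are listed before any grants


def render_set_calls(changes, role_id):
    """Render each change in the form of the group-scoped Set call above."""
    lines = []
    for permission_id, is_allowed in changes:
        flag = "true" if is_allowed else "false"
        lines.append(
            f"$core_v3_permission.Set({flag}, {role_id}, '{permission_id}', "
            '"%{ GroupId = $groupId }")'
        )
    return lines


def owner_to_manager_plan():
    """The thread's use case: owners keep only what managers have."""
    catalogue = set().union(*BASELINE.values())
    changes = plan_changes(BASELINE["owner"], BASELINE["manager"], catalogue)
    return render_set_calls(changes, ROLE_IDS["owner"])


if __name__ == "__main__":
    print("\n".join(owner_to_manager_plan()))
```
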

  • Ohhh, that's got it. It didn't occur to me to pass in the permissionId from another application. Great. That works for me.. I can get on with an automation rule to automatically set default application permissions for a newly created group. Thanks for your help Steven, it's been invaluable. 

  • Hi, me again. Okay, so the automation rule I wrote was looking good.. until I tested it with all the different application types. I'm finding blog doesn't return any permissions using the following script:

    ## #set($appId = $core_v2_utility.ParseGuid('756b21b3-6b08-44b6-b42e-c19fffc7e6f5')) ## Wiki
    #set($appId = $core_v2_utility.ParseGuid('2b8591eb-5285-4281-a7fe-a7eb24d57d88')) ## Blog
    $core_v3_permission.List(2550, "%{ ApplicationId = $appId }")

    This video shows how I'm looking up the Application Guids and checking the role Id, and that permissions exist, etc.

  • Does the empty response for blog permissions have any warnings or errors?

    I noticed you removed all permissions for blogs during the video, does the same issue occur when some permissions are assigned?

  • Ah yes.. I should have opened up that part of the response in the video so you could see what it had inside.. but in my head, I already knew (from looking before) that it was empty, e.g.

    I'd been toggling on/off those permissions as I tested.. at the bottom (not on the recording) Read Blog is enabled, so not all of them were disabled/unassigned.

    BTW, this is on v11.1.8.16788.

  • Hmm, I'm unable to replicate this issue - Can you confirm that the permissions are registered in the database?

    SELECT * 
    FROM cs_Security_NodeTypePermissions ntp
    INNER JOIN cs_Security_Permissions p on p.PermissionId = ntp.PermissionId
    WHERE ApplicationTypeId = 'CA0E7C80-8686-4D2F-A5A8-63B9E212E922'

  • Can you confirm the blog is registered in the core Application table?

    EXEC te_Content_Application_Get '2b8591eb-5285-4281-a7fe-a7eb24d57d88'

    If not, can you provide the steps you took when creating this blog? Was it all through API or did you create it in the UI? Any differences from how you created the other apps?

  • That query returned no result.

    I'd created the blog by hand using the admin panel.. Manage Group > Applications > Add Application.

    I've just tried disabling/enabling that blog applications, and edited the permissions, but the SQL still returns no result.