How to set up Plone intranet/extranet workflow

This tutorial explains how the Plone intranet/extranet workflow works and how to maintain it.

What do people want from an intranet in the first place? An intranet aims to make sharing of content/files/documents simpler and web-based. Such a system must be secure, easy to use, and must strongly separate rights for large numbers of users (those who can view, add, edit, publish and share content in different areas).

Plone offers a simple Intranet/Extranet workflow that supports such features. It is fairly easy to transform your Plone website into an intranet. In this case, all content managed in Plone will be visible only to members of your organization. Moreover, Plone offers the opportunity to make some of the content publicly accessible, if there is such a necessity. Even if you already have loads of material on your Plone website, everything will be neatly transferred into the new workflow.

In this tutorial, all main features of the Plone intranet will be explained so that you can configure the new workflow. By default, Plone uses the Simple Publication Workflow. You can get acquainted with the default workflow in Plone and content management roles and permissions in our tutorials.


To change the workflow parameters, go to Site Setup -> Types. After selecting the Intranet/Extranet Workflow from the New workflow drop-down menu, you will see some general information.
Previously there were only three possible states of the content:

  • Private - can only be viewed and edited by the author;
  • Pending review - the content was submitted for publication/review;
  • Published - visible to all visitors of the website.

The first two states don’t change for the intranet, though the Published state no longer exists. Instead, Plone offers the following options:

  • Private - only editors, managers, and owners can modify the content, while contributors and readers can access it.
  • Internal draft - only editors, managers, and owners can modify the content, while it can be accessed by any portal member.
  • Pending review - any portal member can access it, but only managers and reviewers can modify it.
  • Internally published - any portal member can access it, but only managers can modify it.
  • Externally visible - visible to people outside the intranet, it can be accessed anonymously and modified only by managers.

If you had content before the transition to the intranet workflow, Plone lets you select an equivalent for each current content state. You can change the desired state for any of the default states.

Intranet/Extranet workflow settings


Roles indicate a set of content management rights allowed for users of the intranet. In the table below you can see the roles and the actions they are permitted to perform on the content.

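| Action | Contributor | Editor | Member | Reader | Reviewer | Site Administrator | Manager |
|---|---|---|---|---|---|---|---|
| view private content | + | + | - | + | - | + | + |
| view submitted for publication content | + | + | - | + | + | + | + |
| view Internal Draft / published content | + | + | + | + | + | + | + |
| add content | + | - | - | - | - | + | + |
| edit your content | + | - | - | - | - | + | + |
| edit other users' content | - | + | - | - | + (only submitted for | + | + |
| retract/submit for your content | + | - | - | - | - | + | + |
| retract/submit for other users' content | - | + | - | - | - | + | + |
| publish internally/externally | - | - | - | - | + | + | + |
| retract your content | + | - | - | - | - | + | + |
| send back other users' content | - | - | - | - | + | + | + |
| access to ZMI | - | - | - | - | - | - | + |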

To configure user roles go to Site Setup -> Users and Groups -> Users tab. Depending on the number of users, diversity of their roles, categories, and topicality of content, you can:

  • change user roles,
  • create user groups (Groups tab),
  • add users with certain rights for specific content (Sharing tab),
  • allow all logged-in users to have their own content folders (Site Setup -> Security -> Enable User Folders).


By default, the whole workflow process looks as follows:

Intranet/Extranet workflow in Plone

Let’s take a page content type as an example. A Private page can be manipulated only by the author and members who have been given access to edit, review or view the specific content. The author, privileged users, an editor, a site administrator or a manager can choose the option to show the page internally to all the intranet members. After this, the page can be either submitted for review/publication or published.

Contributor (author) can still retract the page from the Internal Draft or Pending review state. Reviewer, site administrator or manager can send the page back from the Pending review or Internally/Externally published state if, for some reason, the page is considered not ready or no longer relevant.
Furthermore, thanks to Plone there is no need to employ two separate systems for externally and internally maintained content. The Plone intranet has two publishing options, and reviewers, site managers and administrators can choose whether the content is accessible only to internal users or can be viewed and shared publicly by outsiders.

In the latter case, it is important to know that content can be published externally only after it has been published internally or if it is in the Pending review state. Hierarchy is also very important. Even if a content page is in the Externally visible state, if it is located in an Internally published folder it will not be accessible to anonymous users.
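The hierarchy rule above can be checked over an export of paths and workflow states. The following is an added example, not code from Plone or from this tutorial: the sample export is constructed, the state names are the labels used on this page rather than Plone's internal ids, and it assumes the folder rule applies to every ancestor of an item.

```python
# Added example: audit of anonymous exposure under the intranet/extranet workflow.
EXTERNAL = "Externally visible"

# Constructed sample export of (path, workflow state) pairs.
SAMPLE = [
    ("/intranet", "Externally visible"),
    ("/intranet/press", "Externally visible"),
    ("/intranet/press/release-1", "Externally visible"),
    ("/intranet/press/draft-2", "Internal draft"),
    ("/intranet/hr", "Internally published"),
    ("/intranet/hr/holiday-policy", "Externally visible"),
    ("/intranet/hr/salaries", "Private"),
]


def blocking_ancestor(path, states):
    """Return the topmost ancestor that is not Externally visible, or None."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:depth])
        # Assumption: the export lists every ancestor; a missing one is
        # reported as the blocker so that it gets looked at.
        if states.get(ancestor) != EXTERNAL:
            return ancestor
    return None


def audit(items):
    """Split Externally visible items into anonymous-reachable and shadowed."""
    states = dict(items)
    reachable, shadowed = [], {}
    for path, state in sorted(items):
        if state != EXTERNAL:
            continue
        blocker = blocking_ancestor(path, states)
        if blocker is None:
            reachable.append(path)      # exposed to anonymous visitors
        else:
            shadowed[path] = blocker    # marked external, hidden by a folder
    return reachable, shadowed


if __name__ == "__main__":
    reachable, shadowed = audit(SAMPLE)
    print("Anonymous-reachable:", *reachable, sep="\n  ")
    for path, blocker in shadowed.items():
        print(f"Shadowed: {path} (blocked by {blocker})")
```

The shadowed list is worth reviewing as carefully as the reachable one: those items become public as soon as the blocking folder is published externally.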


If you want to dedicate a part of Plone to a shared environment, you can add folders for specific users/groups of users. For example, we create a group of users called members1 and add the users we would like to have access to a certain folder:

  • Go to Site Setup -> Users and Groups -> Groups tab.
  • Add a group and search for the users you want to add to it.
  • Create a new folder. Let’s name it shared folder.
  • Click on the Sharing tab.
  • Put the name of the appropriate group in the search field and add permissions by ticking the boxes in the table.
  • Untick the Inherit permissions from higher levels box if your folder is placed in another folder with specified permissions and you do not want them to overlap.

Sharing folder in intranet workflow

Now each user from the members1 group can view, add, edit, and publish any kind of content inside the shared folder. For instance, if it is an intranet for a university, you can create a user group for the faculty/students/staff of each department, then create a folder for each department and grant the appropriate group permissions to add/edit content.

There is also the option to open a folder for all Logged-in users. In this case, the folder will be accessible and editable by all intranet users without the need for assigning a specific role.
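How the Sharing tab settings combine across nested folders, including the effect of unticking Inherit permissions from higher levels and of opening a folder to all Logged-in users, can be modelled as follows. This is an added example, not Plone's own code: the folder paths, the staff group and the sharing data are constructed, and role names are taken from the roles table above.

```python
# Added example: effective Sharing-tab roles with and without inheritance.
# Constructed data: path -> inherit flag and roles granted per principal.
SHARING = {
    "/intranet": {"inherit": True, "roles": {"Logged-in users": {"Reader"}}},
    "/intranet/projects": {"inherit": True, "roles": {"staff": {"Editor"}}},
    "/intranet/projects/shared-folder": {
        "inherit": False,  # "Inherit permissions from higher levels" unticked
        "roles": {"members1": {"Contributor", "Editor", "Reviewer"}},
    },
    "/intranet/commons": {"inherit": True, "roles": {"Logged-in users": {"Editor"}}},
}

WRITE_ROLES = frozenset({"Contributor", "Editor"})


def effective_roles(path, principals, sharing=SHARING):
    """Roles the given principals (user ids or groups) hold at path."""
    roles = set()
    current = path
    while current:
        entry = sharing.get(current, {"inherit": True, "roles": {}})
        for principal in principals:
            roles |= entry["roles"].get(principal, set())
        if not entry["inherit"]:
            break  # roles granted higher up stop applying from here down
        current = current.rsplit("/", 1)[0]  # move to the parent folder
    return roles


def open_to_everyone(sharing=SHARING):
    """Folders where every logged-in user ends up with add or edit rights."""
    return sorted(
        path for path in sharing
        if effective_roles(path, ["Logged-in users"], sharing) & WRITE_ROLES
    )


if __name__ == "__main__":
    staff_user = ["staff", "Logged-in users"]
    print(effective_roles("/intranet/projects", staff_user))
    print(effective_roles("/intranet/projects/shared-folder", staff_user))
    print(open_to_everyone())
```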


Since Plone is an open-source CMS, people are free to add features that solve specific tasks. ploneintranet.workspace is one such solution for intranet systems. This Plone product provides a Workspace container that can be used as a project space, team space or community space. It is built on a Dexterity Container to which the collective.workspace behavior is applied. The advanced and intuitive user interface makes it easy to manage security/sharing settings.
Personas are similar to Roles in Plone workflow and are divided into:

  • Site Admin: manages users and permissions on the Plone site.
  • Workspace Admin: manages users and the Workspace.
  • Participant: a site user with local permissions in the Workspace.
  • Guest: a site user who is not a Participant in the Workspace.

Ploneintranet.workspace offers the following Workspace states:

  • Secret - cannot be viewed or accessed by Guests. Only Participants and users with higher permissions can view and access a Secret Workspace.
  • Private - can be viewed, but not be accessed by Guests. Participants and users with higher permissions can view and access a Private Workspace.
  • Open - can be viewed, but not responded to by Guests. Participants can not only access the Workspace but also interact with its content.

The most important feature of this package is Joining. Joining settings indicate the way users are added to the Workspaces on different levels and can be configured as follows:

  • Admin-managed (only Workspace Admins can change user role).
  • Team-managed (existing Participants can assign a user the role of Participant).
  • Self-managed (any user can self-join the Workspace and become a Participant).

Ploneintranet.workspace allows modifying different policies and permissions depending on the aim of the newly created intranet. Security and interactivity can be combined in different proportions to create a perfect working and sharing environment.

Plone gives wide possibilities for customization of the workflow processes: new roles, content types, integration with third-party software, wiki, multilingual capabilities, etc. Almost everything is possible with Plone. What is most important is to define what features are essential to your intranet.
