User Roles and Permissions in Plone

Plone tutorial about basic user roles in Plone, including sharing option and assigning permissions.

User Roles in Plone

Plone CMS has rich set of features that enable collaborative approach to content management. Site administrators can give roles to users to enable sharing editing rights: administrator can specify which users can add read content, which users can add or publish content and who has more permission on what content.

Combination of permissions that can be assigned to users are called roles in Plone. Plone comes with the following basic roles (each with certain permissions assigned):

  • Contributor - a user with a contributor role can add content and submit it for review. Such user can also view another user's content that is not in the published state, but can not edit it.
  • Editor - a user with an editor role can edit content by self or others. He can't add new content, but can edit existing content. Such user can manage content properties and submit content for publication.
  • Member - this is the most common role for site users. Users with this role can see anything that is published on site, but can not add new content or edit it. This role is assigned to normal users who join the site but will not be doing any changes to the content.
  • Reader - users with a reader role can read content by others, they can view content items that are in a private state, but cannot make any changes.
  • Reviewer - a user with a content reviewer role has the power to edit/publish content that has been submitted for review, but cannot create new content. There is a special portlet for Reviewer that gather content that needs to be reviewed.
  • Site Administrator - a site administrator has super user powers within Plone site. Such user has full access to manage content and configuration in a Plone site, but does not have access to ZMI and other places, where system administration or Plone integrator/developer skills are required.
  • Manager - a user with a manager role can do everything. Such user has access to the control panel, where many site wide settings can be changed and updated. Manager can also manage things via the Zope Management Interface.

Roles can be assigned to users via 'Users and Groups' control panel. Roles assigned here affect user permission on the whole site. In case a user needs to have special roles on certain site section - local sharing options are used (see below).


User Groups

For easier users roles management, users with identical roles can be grouped. Certain roles are assigned to a group, and then, whenever you want to give someone certain permissions, you can add that user to that group. The following are basic user groups in Plone:

  • Administrator - users with a manager role
  • Reviewer - users with a reviewer role
  • Site Administrator - users with a site administrator role

User groups are managed via 'Users and Groups' control panel, in a 'Groups' tab. You can set roles to groups here, create new group(s) and add users to a certain group.


Local Roles (Sharing)

User roles for every site section are inherited from higher levels - assigned on 'Users and Groups' control panel. But it is possible to let users have specific roles on certain context using Sharing tab. It allows Plone Administrator to add user(s) or user group(s) to have rights to add, edit or review content at that specific place.


To give user permission on certain context - go to the 'Sharing' tab, type user name at a search box to see that role he has on this location. To add extra permission - check the box in the necessary column and save changes.

You can get more information on how roles and permissions are used when Plone changes workflow to Intranet in our tutorial on setting up intranet/extranet workflow in Plone.

Connect with our experts Let's talk