Roles and Permission Discrepancies

  • 5 December 2018

I'm working on a role for chosen employees to be able to moderate community content and I'm having quite a time doing it.



Problem 1 (major)

The Moderator role gives the user access to EVERYTHING in control. Including the ability to escalate their own privileges to administrator, but that doesn't really matter because they already have everything. The community manager role has the same issue. 😒



Problem 2

Creating a custom role and adding access to Forum Moderation sounds like it will work, but then the user doesn't see the control button when browsing - I can overlook that. Once in the control panel though, clicking topics in Forum overview results in "Page not found." This seems like a bug.



Problem 3 (major)

I also want the moderators to be able to access user profile information. Sounds simple - just add the "Users" option to the custom role. That's fine, but then the user can escalate their own privileges to Admin. 😱 So, that's an obvious no-go.



Problem 4 (minor)

The Appearance section shows up in control, no matter what the role is. Fortunately, its options aren't available. Shouldn't it be hidden?



Now the actual question...

How does everyone do this? I obviously can't allow everyone the equivalent of admin access to our community. I need my moderators to actually have moderation options (edit, trash, tags, etc.) and not be able to change settings and configurations.

11 replies

Hi Drew,



thanks for sharing your feedback! You actually quite hit the nerve here, as most/all of these items we also discussed today anyways. 🙂 Below you can find some additional information regarding each of your points:



Problem 1 (major)

The Moderator role gives the user access to EVERYTHING in control.


We totally understand what you mean here. We are investigating how & when we can review the Moderator and Community Manager roles in a way that it works better. Including turning off the self-promotion and most likely also custom role management. It's in the making and hopefully it will not take us too long to improve these aspects.



Problem 2

Once in the control panel though, clicking topics in Forum overview results in "Page not found." This seems like a bug.


Yes, I can confirm that this is a bug. 😞 We have moved your community to our newest code base, which has many advantages; however, this bug is a bigger issue of course. We had a meeting to align on a plan for a fix, and we hope to have that implemented asap to make sure that it works as intended!



Problem 3 (major)

(...) the user can escalate their own privileges to Admin. 😱 So, that's an obvious no-go.


See my response to problem 1, discussed it today as well and investigation has started to re-work the way permissions are being handled. We want to make it right, so we first want to map out all options so that we make the right decisions here.



Problem 4 (minor)

The Appearance section shows up in control, no matter what the role is. Fortunately, its options aren't available. Shouldn't it be hidden?


It's a bug and the fix is in our backlog, so hopefully this will be improved rather sooner than later.



Hope that made it a bit clearer!



Cheers,



Julian
Thanks for the insight, Julian.

Fixing "problem 2" buys time to properly resolve the other issues.



I'm curious how long this system has been in place. I wasn't able to find any other comments on it here, and am a little surprised that others haven't mentioned this behavior before, though it wouldn't surprise me if I missed it :)



-Drew
Thanks for the insight, Julian.

No problem!



I'm curious how long this system has been in place. I wasn't able to find any other comments on it here, and am a little surprised that others haven't mentioned this behavior before, though it wouldn't surprise me if I missed it :)

Understandable that you wonder about this, I did the same. :D



Well basically it is not the case that we designed it that way, it is more that this "grew" over the years to the current state: Back in the days, everybody who had access to control was on the same level. Once we saw that there was a need for special access rights (so e.g. admin-related settings) we introduced more primary roles to offer these. This has grown to a point where we are up to a refinement of these aspects of the community, also as more and more self-service settings are being added constantly.



So the result is basically an accumulation of different smaller improvements which now are up for review to make sure that cracks in the pavement like these are being filled.



As to why this is not being discussed as much on inSpired: An attempt to explain this might be that the majority of users probably do not even notice this, as they set up their roles and that's it. Also many probably do not see it as a big issue (compared to other wishes they might have) as their community team members are trusting each other and do not see it as a risk. At least that's how I would think of as a reason. When I was managing a community (as inSided customer back then), I actually found it an advantage (more or less) as it made it easy for me to perform certain actions without involving someone with the role of an admin. ;)



Cheers,



Julian
I also want the moderators to be able to access user profile information.



Thanks for this super useful overview of problems you're having @Drew C.. What exactly would you like moderators to be able to achieve in relation to users in Control?



E.g. does 'Access user profile information' mean that moderators should have read-only access to user info (i.e., they can't ban, erase, edit a user's login details, edit a user's profile fields, change the role of the user)?



For instance, if a moderator is able to edit a user's login details, then technically they could take over an admin's account just by changing the password (which pretty much leaves us with the same problem of a moderator being able to escalate privileges to an admin).



Would love to hear your thoughts!
Hi Daniel,

Thanks for asking!



In my opinion, the moderator role should have read-only access to user information, with the exception of the ability to ban a user. A community manager role would be one that has edit access, but they shouldn't be able to make themselves (or anyone else) an administrator. I'm undecided on who should be able to erase a user, but I'm leaning toward admin only.



Password resets are a separate concern, but not one that I feel warrants a solution from inSided at this time. Better logging and a password change notification email would be sufficient there. The administrator user should be able to regain access, unless, of course, someone is maliciously changing email addresses first. Again, not "your" problem. Log it, notify, and continue. 😋



I'm always up for more discussion on topics like this. Obviously changes to this arrangement will impact other customers, but enforcing proper permissions is huge.



Thanks,

-Drew
Problem 2

Creating a custom role and adding access to Forum Moderation sounds like it will work, but then the user doesn't see the control button when browsing



Agree with OP on pretty much all the points, but this is the biggest thorn in our side, when it comes to moderation. The inability to navigate through the front end, and pivot to control environment when needed. This would be the ideal approach since search functionality in Control isn't as robust as the updated front-end.
@Drew C. @ranjan (& @bjoern_schulze, since I know this is an issue for you as well), as well as any other community managers/moderators who are reading! ;)



How would you guys feel about this rough redefinition of permissions for the moderator primary role?



Moderator permissions redefined:


  • Forum moderation - allowed
  • Private messages - allowed
  • User moderation - allowed, but not the ability to grant/revoke permissions, or the ability to erase/ban/edit information of users with a higher role.
  • Analytics - no access (but available w/ custom role)
  • General settings/forum settings/embeddable widgets - no access (but some settings can be granted w/ a custom role)
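
The moderator permissions proposed in the post above, sketched as a deny-by-default authorization check. This is an added example, not part of the original post and not inSided's code; the role ordering, the area names and the action names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Role(IntEnum):
    # Assumed ordering, lowest to highest privilege.
    MEMBER = 0
    MODERATOR = 1
    COMMUNITY_MANAGER = 2
    ADMIN = 3


@dataclass(frozen=True)
class User:
    name: str
    role: Role


# Areas the proposal grants to the moderator primary role (names assumed).
MODERATOR_AREAS = {"forum_moderation", "private_messages", "user_moderation"}
# User-moderation actions that modify or remove a target account (names assumed).
TARGETED_ACTIONS = {"ban", "erase", "edit_profile", "edit_login"}


def moderator_may(actor, area, action=None, target=None):
    """Return True only for requests the proposed moderator role allows."""
    if actor.role != Role.MODERATOR or area not in MODERATOR_AREAS:
        return False  # analytics, settings, widgets: no access by default
    if area != "user_moderation":
        return True
    if action == "change_role":
        return False  # no grant/revoke of permissions, so no self-promotion
    if action in TARGETED_ACTIONS:
        # Targets with a higher role are off limits. This also blocks the
        # takeover path of editing an admin's login details.
        return target is not None and target.role <= actor.role
    return action == "view"  # reading profile information stays allowed


# Constructed sample accounts.
mod = User("mod", Role.MODERATOR)
admin = User("admin", Role.ADMIN)
member = User("member", Role.MEMBER)
```

Unknown actions fall through to the final line and are denied, so a newly added Control feature is not granted to moderators until it is listed explicitly.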
@daniel.boon I think your bullet points should cover all the permissions a moderator needs. Thank you!
I think that will work great! Thanks!
Hey all - here's an update containing some more information on progress with this 😁
Just to confirm in this topic as well: we've reduced the moderator primary role based on your feedback (Problem #1 reported by @Drew C.). See the update topic for full info!
