Last Modified: 10.10.2012
User group profiles are configured in the User List form:
You can manage user groups in the User Groups form:
Settings -> Manage users -> User groups
- To add a new user group, click Add group on the context bar.
- You can edit the user group settings by double-clicking on the respective table row, or by selecting the Edit menu item in the context menu.
The system always has two mandatory user groups:
- all unregistered users are members of the Everyone group by default; they can access all pages of the public section (except private sections);
- the Administrators user group's members enjoy full access to the system resources and management, including changing permissions of other users.
Parameters of these groups can be edited in any way (for Everyone, access settings can be altered); however, they cannot be deleted.
You can add users to a group in the user group editing form or in the user profile editing form (the Groups tab).
Note: in the Active period fields, you can specify the period of time during which a user is a member of the respective group. When the active period expires, the user is removed from the group; however, the user profile remains.
Don’t change the parameters on the Security tab unless you clearly understand what you are doing. This is even more crucial if your website is up and running, because these parameters define the security policy for the current user group and a wrong change may entail undesirable consequences.
The most widely used fields are Session maximum life time and Maximum number of computers to store authorization simultaneously.
To find the best Session maximum life time value, balance the need of authorized users for long uninterrupted sessions against system performance. Don’t make the session lifetime too long: the size of the PHP session folder will grow rapidly, which will make session start-up rather sluggish. Values of more than one hour are generally not advised.
The Maximum number of computers to store authorization simultaneously field is used when your content managers have to work from multiple workstations. In this case, you can either decrease the session lifetime value, or increase the number of machines in this field. From a security standpoint, the former approach is better.
Use the Access tab to define access permissions to the system modules. Assume you have to deny the content manager access to the blog and forum management functions because these are going to be controlled by independent administrators. To do so, disable the management access for the content managers user group while keeping the permission to read and create blogs – just like for other common users.
Example: creating the content managers user group
The following example shows how to set up a user group correctly.
- Create a user group.
- Open the Site Explorer module settings page. Set the Edit files and folders permission for this user group.
- Give the Read permission to the /bitrix/admin/ folder (otherwise, the users will not be able to view the Control Panel pages).
- When configuring the information blocks you need to be managed by the content managers, assign the Write permission for this user group. Otherwise, the information blocks will be unavailable to the members of this user group.
- Finally, add users to the group you have created.