OpenCms manages rights in organizational units (OUs). Users can have different rights, group memberships and roles in different OUs. This page explains what OUs are and how roles differ from groups.
You are free to define as many users as you need in OpenCms, assign roles to them and add them to groups. But there are some predefined users in the root OU that you should not delete (or delete only in rare cases).
The Admin user has the role "Root Administrator" assigned. He has all rights inside OpenCms. This user's data can be altered, but make sure you always have a root administrator in your system!
The Export user is used internally by OpenCms for static export (of JSP output, for example). He is in the Guests group and does not have to log in. If you want files to be statically exported, the Export user needs read permissions on those files. Because the Export user and the Guest user are separate, you can block access to files for visitors of your website who are not logged in, but still have those files exported. This may be useful in an intranet, for example.
Users who are not logged in are treated as the Guest user.
In OpenCms you can define groups and add users to groups. Furthermore, each user has roles in OpenCms. Both groups and roles are used to set the permissions of a user, but their permissions are given with a different focus:
The different focus of groups and roles also implies differences in their handling:
/system/ folders.
Thus, when you think about designing your permission system in OpenCms:
A default OpenCms installation ships with three predefined groups. They are special compared to user-defined groups and are used internally by OpenCms.
All members of the administrators group are automatically root administrators.
Whenever you assign a role to a user, he is added to the Users group. If you remove the role, he will also lose his group membership (even if you explicitly added him to the group before). Typically, all users should be in the Users group. For example, the rights to read, view and write content in the default site are granted to members of the Users group. The same holds for the /shared/ folder.
The Guest and Export users are in this group. It is used in particular for all users who do not log in.
Organizational units (OUs) are meant to make rights management in complex systems easier. All user management in OpenCms is performed in OUs. By default, OpenCms has just one OU: the root OU, to which all resources of the VFS belong. Typically, you do not need to add more OUs.
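The predefined users and groups described above can be checked from code, for example after a user clean-up. The following is an added example, not code from the OpenCms documentation: the class name PredefinedPrincipalAudit is hypothetical, and it assumes it runs inside an OpenCms instance with a CmsObject that belongs to a root administrator.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.opencms.db.CmsDefaultUsers;
import org.opencms.file.CmsGroup;
import org.opencms.file.CmsObject;
import org.opencms.file.CmsUser;
import org.opencms.main.CmsException;
import org.opencms.main.OpenCms;
import org.opencms.security.CmsRole;

/** Added example (hypothetical class): audits the predefined users and groups. */
public final class PredefinedPrincipalAudit {
    /** Returns findings; an empty list means every check passed. */
    public static List<String> audit(CmsObject adminCms) throws CmsException {
        List<String> findings = new ArrayList<>();
        CmsDefaultUsers defaults = OpenCms.getDefaultUsers();
        // 1. At least one enabled root administrator must exist.
        //    directUsersOnly=false also counts users who hold the role indirectly.
        List<CmsUser> rootAdmins = OpenCms.getRoleManager()
            .getUsersOfRole(adminCms, CmsRole.ROOT_ADMIN, true, false);
        if (rootAdmins.stream().noneMatch(CmsUser::isEnabled)) {
            findings.add("no enabled user holds the Root Administrator role");
        }
        // 2. The Guest and Export users must be direct members of the guests group.
        String guests = defaults.getGroupGuests();
        for (String user : Arrays.asList(defaults.getUserGuest(), defaults.getUserExport())) {
            boolean inGuests = false;
            for (CmsGroup group : adminCms.getGroupsOfUser(user, true)) {
                inGuests |= group.getName().equals(guests);
            }
            if (!inGuests) {
                findings.add(user + " is not a member of " + guests);
            }
        }
        return findings;
    }

    /** Lists the members of the administrators group, who are all root administrators. */
    public static List<String> administratorsGroupMembers(CmsObject adminCms)
        throws CmsException {
        List<String> names = new ArrayList<>();
        String group = OpenCms.getDefaultUsers().getGroupAdministrators();
        for (CmsUser user : adminCms.getUsersOfGroup(group)) {
            names.add(user.getName());
        }
        return names;
    }
}
```

Review the output of administratorsGroupMembers by hand: every name on it has all rights inside OpenCms.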
For each sub OU you can specify users and groups and assign roles to users. Furthermore, you can restrict the resources that belong to an OU.
In essence, OUs allow you to:
But how do users choose their OU? If you have more than one OU, the login dialog changes and users have to select the OU on login.
The root OU differs from sub OUs with respect to the available roles. OpenCms system management is always tied to the root OU, thus the respective roles are only available in this OU. In particular, in sub OUs you cannot assign the roles: