In this article, we'll examine the various ways you can manage Roles in Higher Logic Vanilla (Vanilla).
Scenario 1: The IdP controls the Roles
- The identity provider (IdP) has data on what Roles users should have, and will pass that over SSO to Vanilla.
- If a Role needs to be changed, it should be done via the IdP (outside of Vanilla).
- Your side (or the IdP side) is considered the "record of truth"; if any changes are made in Vanilla, upon next login the SSO will override anything done in Vanilla and set the Role(s) as indicated in the SSO handshake.
- This is ideal if your IdP is set up to identify all Roles that will be used in Vanilla (including staff, Admin, Moderator, and any specialty Roles such as beta access or MVP/superuser access).
Scenario 2: Vanilla controls the Roles
- In this scenario, Roles are entirely set within Vanilla, while SSO simply authenticates the user and places them in whatever Role has ‘default type’ set to member. Any users who are not basic members are identified and set in Vanilla (not within the IdP).
- If a Role needs to be updated, it should be done in Vanilla.
- Vanilla is considered the "record of truth" regarding Roles; if any changes are made in Vanilla, upon next login the SSO will not override anything done in Vanilla.
- This is ideal if your IdP does not use Roles, or if a large number of users will have a Role in Vanilla that does not exist within your IdP.
Scenario 3: The IdP controls the Roles but a handful are identified in Vanilla
- Like Scenario 1:
  - The IdP has data on what Roles users should have, and will pass that over SSO to Vanilla.
  - If a Role needs to be updated, it should be done within the IdP (outside of Vanilla).
  - Your side (or the IdP side) is considered the "record of truth"; if any changes are made in Vanilla, upon next login the SSO will override anything done in Vanilla and set the Role(s) as indicated in the SSO handshake.
- However, if your Vanilla community requires a handful of users to have a special Role within Vanilla that does not exist and cannot be set up over SSO (such as community admins), we can identify those users within Vanilla and side-step the Roles being overwritten by the SSO Connection.
- This is a manual process. Keeping scalability in mind, it will only be appropriate if there are a handful of users to be identified (typically, a few Admins, Moderators, and/or community managers).
Apply a manual Rank to give Role-like permissions
To give a user the privileges of a specific Role that cannot be passed over SSO, we cannot simply give them the Role in Vanilla, as upon their next login, the SSO handshake will update the Roles to match the IdP’s "record of truth." This means removing any Roles that are not passed over SSO.
- To get around this issue, we can apply a manual Rank. Unlike Roles, Ranks are not usually passed as part of the SSO handshake, and therefore are not updated/overwritten by the SSO handshake.
- This means applying a manual Rank is a good solution when users need to be given Role-like privileges without giving them a Role.
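The behaviour described above can be sketched as a simplified model (an added example, not Vanilla's own code; all Rank and Role names, point values and IdP records are constructed). It shows a Role set in Vanilla being removed at the next SSO login while a manual Rank survives, applies the Rank level rule from the notes in the steps that follow, and lists the privileges that exist only in Vanilla and therefore need to be reviewed there rather than in the IdP.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rank:
    name: str
    level: int
    min_points: Optional[int] = None   # points-based criterion, if any
    manual: bool = False               # "applied manually" criterion
    grants_role: Optional[str] = None  # Role whose permissions the Rank confers

@dataclass
class User:
    name: str
    points: int = 0
    roles: set = field(default_factory=set)
    manual_ranks: set = field(default_factory=set)

def sso_login(user, idp_roles):
    """Scenario 1/3 handshake: Roles are replaced by the IdP's list; Ranks are untouched."""
    user.roles = set(idp_roles)

def current_rank(user, ranks):
    """Highest-level Rank the user qualifies for, manually or by points."""
    ok = [r for r in ranks
          if (r.manual and r.name in user.manual_ranks)
          or (r.min_points is not None and user.points >= r.min_points)]
    return max(ok, key=lambda r: r.level, default=None)

def effective_roles(user, ranks):
    rank = current_rank(user, ranks)
    return user.roles | ({rank.grants_role} if rank and rank.grants_role else set())

def rank_only_privileges(users, ranks, idp):
    """Audit: (user, Role) pairs held in Vanilla that the IdP does not know about."""
    return sorted((u.name, r) for u in users
                  for r in effective_roles(u, ranks) - set(idp[u.name]))

# Constructed sample data (assumed names, not taken from a real community)
IDP = {"alice": ["Member"], "bob": ["Member"]}
RANKS = [Rank("Veteran", level=5, min_points=500),
         Rank("Community Admin", level=99, manual=True, grants_role="Administrator")]

def demo():
    alice = User("alice", roles={"Member", "Administrator"})         # Role set in Vanilla
    bob = User("bob", points=800, manual_ranks={"Community Admin"})  # manual Rank instead
    for u in (alice, bob):
        sso_login(u, IDP[u.name])
    return alice, bob, rank_only_privileges([alice, bob], RANKS, IDP)

if __name__ == "__main__":
    print(demo())
```

If the manual Rank's level were lower than the points-based Rank's, `current_rank` would return the points-based Rank for bob and the Role permissions would not apply.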
Steps
1. Create the Role and set its permissions (for help, see Roles & Permissions or contact your CSM).
2. Create a corresponding Rank (for help, see Ranks or contact your CSM).
IMPORTANT NOTES ABOUT CREATING THE MANUALLY APPLIED ADMIN RANK:
- A user is given the highest possible Rank they qualify for, so ensure that the level of the manual Rank is higher than any points-based Ranks.
- Ensure the ONLY criterion enabled is applying the Rank manually.
- Ensure the ability "Role Permissions: Users with this rank will gain the permissions of this Role" is set to the desired Role.
When complete, it should look something like this:
3. Lastly, give the user this Rank either via their profile or the Dashboard. Let's walk through both.
From profile
- Access the user's profile.
- If not there already, click Edit Profile from the right panel.
- Select the Rank from the Rank dropdown.
- Click Save to apply the change.
From Dashboard
- Access the Dashboard.
- Navigate to Moderation > Site > Users.
- Locate the user in the list, and click the pencil icon (edit).
- Select the Rank from the Rank dropdown.
- Click Save to apply the change.