Manage Roles with SSO - HL Vanilla Community
<main> <article class="userContent"> <p>In this article, we'll examine the various ways you can manage <strong>Roles </strong>in <strong>Higher Logic Vanilla (Vanilla)</strong>.</p><h2 data-id="scenario-1%3A-the-idp-controls-the-roles"><strong>Scenario 1: The IdP controls the Roles</strong></h2><ul><li>The <strong>identity provider (IdP)</strong> has data on what Roles users should have, and will pass that over SSO to Vanilla. </li><li>If a Role needs to be changed, it should be done via the IdP (outside of Vanilla).</li><li>Your side (or the IdP side) is considered the "record of truth"; <strong>if any changes are made in Vanilla, upon next login the SSO will override anything done in Vanilla and set the Role(s) as indicated in the SSO handshake</strong>.</li><li>This is ideal if your IdP is set up to identify all Roles that will be used in Vanilla (including staff, Admin, Moderator, and any specialty Roles such as beta access or MVP/superuser access).</li></ul><h2 data-id="scenario-2%3A-vanilla-controls-the-roles"><strong>Scenario 2: Vanilla controls the Roles</strong></h2><ul><li>In this scenario, Roles are entirely set within Vanilla, while SSO simply authenticates the user and places them in whatever Role has ‘default type’ set to member. 
Any users who are not basic members are identified and set in Vanilla (not within the IdP).</li><li>If a Role needs to be updated, it should be done in Vanilla.</li><li>Vanilla is considered the "record of truth" regarding Roles; if any changes are made in Vanilla, upon next login the SSO will <strong>not</strong> override anything done in Vanilla.</li><li>This is ideal if your IdP does not use Roles, or if a large number of users will have a Role in Vanilla that does not exist within your IdP.</li></ul><h2 data-id="scenario-3%3A-the-idp-controls-the-roles-but-a-handful-are-identified-in-vanilla"><strong>Scenario 3: The IdP controls the Roles but a handful are identified in Vanilla</strong></h2><ul><li>Like Scenario 1: <ul><li>The IdP has data on what Roles users should have, and will pass that over SSO to Vanilla. </li><li>If a Role needs to be updated, it should be done within the IdP (outside of Vanilla).</li><li>Your side (or the IdP side) is considered the "record of truth"; <strong>if any changes are made in Vanilla, upon next login the SSO will override anything done in Vanilla and set the Role(s) as indicated in the SSO handshake</strong>.</li></ul></li><li>However, if your Vanilla community requires a handful of users to have a special Role within Vanilla that does not exist and cannot be set up over SSO (such as community admins), we can identify those users within Vanilla and side-step the Roles being overwritten by the SSO Connection.</li><li>This is a manual process. 
Keeping scalability in mind, it will only be appropriate if there are a handful of users to be identified (typically, a few Admins, Moderators, and/or community managers).</li></ul><h2 data-id="apply-a-manual-rank-to-give-role-like-permissions"><strong>Apply a manual Rank to give Role-like permissions</strong></h2><p>To give a user the privileges of a specific Role that <strong>cannot </strong>be passed over SSO, we cannot simply give them the Role in Vanilla, as upon their next login, the SSO handshake will update the Roles to match the IdP’s "record of truth." This means removing any Roles that are not passed over SSO.</p><ul><li>To get around this issue, we can apply a manual <strong>Rank</strong>. Unlike Roles, Ranks are not usually passed as part of the SSO handshake, and therefore are not updated/overwritten by the SSO handshake. </li><li>This means applying a manual Rank is a good solution when users need to be given Role-like privileges without giving them a Role.</li></ul><h3 data-id="steps">Steps</h3><p>1. Create the Role and set its permissions (for help, see <a href="https://success.vanillaforums.com/kb/articles/39-managing-roles-permissions" rel="nofollow noreferrer ugc">Roles & Permissions</a> or contact your CSM).</p><p>2. 
Create a corresponding Rank (for help, see <a href="https://success.vanillaforums.com/kb/articles/21" rel="nofollow noreferrer ugc">Ranks</a> or contact your CSM).</p><p><strong>IMPORTANT NOTES ABOUT CREATING THE MANUALLY APPLIED ADMIN RANK:</strong></p><ul><li>A user is given the <em>highest possible Rank they qualify for</em>, so ensure that the level of the <em>manual </em>Rank is higher than any <em>points-based</em> Ranks.</li><li>Ensure the ONLY criterion is <strong>enable applying manually</strong>.</li><li>Ensure the ability <strong>Role Permissions: Users with this rank will gain the permissions of this Role</strong> is set to the desired Role.</li></ul><p>When complete, it should look something like this: </p><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/533/AXRN5XHGG0JP.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/533/AXRN5XHGG0JP.png" alt="image.png" height="61" width="927" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>3. Lastly, give the user this Rank either via their profile or the Dashboard. Let's walk through both.</p><p><strong>From profile</strong></p><ol><li>Access the user's profile.</li><li>If not there already, click <strong>Edit Profile</strong> from the right panel. 
</li><li>Select the Rank from the <strong>Rank </strong>dropdown.</li><li>Click <strong>Save </strong>to apply the change.</li></ol><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/YR88XSY4H1RF/assign-rank-profile.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/YR88XSY4H1RF/assign-rank-profile.png" alt="assign_rank_profile.png" height="528" width="1301" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p><strong>From Dashboard</strong></p><ol><li>Access the Dashboard.</li><li>Navigate to <strong>Moderation &gt; Site &gt; Users</strong>. </li><li>Locate the user in the list, and click the <strong>pencil icon</strong> (edit).</li><li>Select the Rank from the <strong>Rank </strong>dropdown.</li><li>Click <strong>Save </strong>to apply the change.</li></ol><div class="embedExternal embedImage display-large float-none"> <div class="embedExternal-content"> <a class="embedImage-link" href="https://us.v-cdn.net/6030677/uploads/3R74YC4ODTY5/assign-rank-dashboard.png" rel="nofollow noreferrer noopener ugc" target="_blank"> <img class="embedImage-img" src="https://us.v-cdn.net/6030677/uploads/3R74YC4ODTY5/assign-rank-dashboard.png" alt="assign_rank_dashboard.png" height="930" width="988" loading="lazy" data-display-size="large" data-float="none"></img></a> </div> </div> <p>For more information about Ranks, check out the article below:</p><p><a href="https://success.vanillaforums.com/kb/articles/21" rel="nofollow noreferrer ugc">Ranks - Vanilla Success</a></p> </article> </main>
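<p>An added example (not part of the original article and not Higher Logic's code): an access-review sketch for Scenario 3. A manually applied Rank grants Role permissions that the IdP never asserts, so an IdP-side review will not show them; the script checks role-granting Ranks against the two configuration notes above and lists users whose Rank grants a Role missing from their IdP-asserted Roles. All data, field names, and the allow-list are constructed and hypothetical, not Vanilla's export or API format.</p>

```python
# Constructed sample data; names and field layout are hypothetical, not Vanilla's format.
RANKS = {
    1: {"name": "Newcomer", "level": 1, "manual_only": False, "grants_role": None},
    2: {"name": "Veteran", "level": 5, "manual_only": False, "grants_role": None},
    3: {"name": "Community Admin", "level": 100, "manual_only": True, "grants_role": "Administrator"},
    4: {"name": "Event Moderator", "level": 3, "manual_only": True, "grants_role": "Moderator"},
    5: {"name": "Top Poster", "level": 10, "manual_only": False, "grants_role": "Moderator"},
}
USERS = [
    {"name": "alice", "idp_roles": ["Member"], "rank_id": 3},
    {"name": "bob", "idp_roles": ["Member", "Moderator"], "rank_id": 4},
    {"name": "carol", "idp_roles": ["Member"], "rank_id": 2},
    {"name": "dave", "idp_roles": ["Member"], "rank_id": 4},
]
APPROVED = {"alice": "Administrator"}  # hypothetical allow-list of reviewed exceptions


def rank_findings(ranks):
    """Check role-granting Ranks against the two configuration notes in the article."""
    top_points_level = max(
        (r["level"] for r in ranks.values() if not r["manual_only"]), default=0
    )
    findings = []
    for rank in ranks.values():
        if rank["grants_role"] is None:
            continue
        if not rank["manual_only"]:
            findings.append((rank["name"], "role-granting rank is not manual-only"))
        elif rank["level"] <= top_points_level:
            findings.append((rank["name"], "level not above points-based ranks"))
    return findings


def user_findings(users, ranks, approved):
    """List (user, role, rank) where a Rank grants a Role the IdP did not assert."""
    findings = []
    for user in users:
        rank = ranks.get(user["rank_id"])
        role = rank["grants_role"] if rank else None
        if role and role not in user["idp_roles"] and approved.get(user["name"]) != role:
            findings.append((user["name"], role, rank["name"]))
    return findings


if __name__ == "__main__":
    for finding in rank_findings(RANKS) + user_findings(USERS, RANKS, APPROVED):
        print(finding)
```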