There are several ways that roles can be managed in Vanilla:
Scenario 1: The mainsite or IDP controls the roles
- The mainsite or IDP holds the data on which roles users should have, and passes it to Vanilla over SSO.
- If a role needs to be changed, it should be done on the mainsite or within the IDP (outside of Vanilla).
- Your side (or the IDP side) is considered the record of truth. If any changes are made in Vanilla, the SSO will override them upon next login and set the role(s) as indicated in the SSO handshake.
- This is ideal if your IDP is set up to identify all roles that will be used in Vanilla (including staff, admin, moderator, and any specialty roles such as beta access or MVP/superuser access).
Scenario 2: Vanilla controls the roles
- In this scenario, roles are set entirely within Vanilla. SSO simply authenticates the user and places them in whatever role has ‘default type’ set to member. Any users who are not basic members are identified and set in Vanilla (not on the mainsite or within the IDP).
- If a role needs to be changed, it should be done in Vanilla.
- Vanilla is considered the record of truth when it comes to roles. If any changes are made in Vanilla, the SSO will not override them upon next login.
- This is ideal if your IDP does not use roles, or if a large number of users will have a role in Vanilla that does not exist on your mainsite/IDP.
Scenario 3: The mainsite controls the roles, but a handful are identified in Vanilla
- Like Scenario 1:
- The mainsite or IDP holds the data on which roles users should have, and passes it to Vanilla over SSO.
- If a role needs to be changed, it should be done on the mainsite or within the IDP (outside of Vanilla).
- Your side (or the IDP side) is considered the record of truth. If any changes are made in Vanilla, the SSO will override them upon next login and set the role(s) as indicated in the SSO handshake.
- However, if your community requires a handful of users to have a special role within Vanilla that does not exist and cannot be set up over SSO (such as community admins), we can identify those users within Vanilla and sidestep the roles being overwritten by the SSO connection.
- This is a manual process and, keeping scalability in mind, it is only appropriate if there are a handful of users to be identified (typically, a couple of admins/mods/community managers).
Applying a Manual Rank to give Role-like Permissions
To give a user the privileges of a specific role that cannot be passed over SSO, we cannot simply give them the role in Vanilla: upon their next login, the SSO handshake will update the roles to match the mainsite or IDP’s record of truth, essentially removing any roles that are not passed over SSO.
To sidestep this issue, we can apply a manual rank.
Unlike roles, ranks are not usually passed as part of the SSO handshake, and thus are not updated or overwritten by it.
Therefore, applying a manual rank is a good solution when users need to be given role-like privileges without giving them a role (which would just be overwritten anyway).
In order to do this:
1- Create the role and ensure the permissions are as desired (for more info on roles and permissions, see our docs). If you are unsure about any permissions, contact support or our CSM.
2- Create a corresponding rank:
IMPORTANT NOTES ON CREATING THE MANUALLY APPLIED ADMIN RANK:
- Remember, a user will always get the highest possible rank that they qualify for, so ensure that the level of the desired rank is higher than any points-based ranks.
- Ensure the ONLY criterion set is ‘enable applying manually’.
- Ensure the ability “Role Permissions: Users with this rank will gain the permissions of this role.” is set to the desired role.
When complete, it should look something like this:
Finally, you can apply the rank from the user’s profile or from the user’s entry in the dashboard:
From profile:
On the profile of the user in question, go to ‘edit profile’ and choose the rank from the rank drop-down:
From dashboard:
Navigate to dashboard, then moderation, then users, then locate the user in question and select the crayon (edit) icon:
For more info on ranks, see the main ranks doc.
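The behaviour described in the three scenarios and under "Applying a Manual Rank", modelled as an added Python example (not Vanilla's code, and not part of the original page): a role set directly in Vanilla is lost at the next SSO login, while permissions granted through a manual rank persist, so the last function lists those rank-only privileges for periodic review. The role, rank and permission names, and the rule that a first login lands in "Member", are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data; every role, rank and permission name is hypothetical.
ROLE_PERMS = {
    "Member": {"discussions.view", "comments.add"},
    "Community Admin": {"discussions.view", "comments.add",
                        "users.edit", "settings.manage"},
}
# Manual rank -> role whose permissions it grants (the "Role Permissions" ability).
RANK_GRANTS_ROLE = {"Community Admin (manual)": "Community Admin"}

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    rank: str = ""  # manually applied rank, empty if none

def sso_login(user, sso_roles, sso_controls_roles):
    """Apply one SSO login to the locally stored user record."""
    if sso_controls_roles:
        # Scenarios 1 and 3: the handshake replaces local roles.
        user.roles = set(sso_roles)
    elif not user.roles:
        # Scenario 2: SSO only authenticates; a new user gets the default role.
        user.roles = {"Member"}
    # The rank is never touched: in this model it is not part of the handshake.
    return user

def role_permissions(user):
    """Permissions that come from the user's roles alone."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in user.roles))

def effective_permissions(user):
    """Role permissions plus those of the role granted by a manual rank."""
    granted = RANK_GRANTS_ROLE.get(user.rank)
    return role_permissions(user) | ROLE_PERMS.get(granted, set())

def rank_only_privileges(users):
    """Review aid: permissions each user holds only through a manual rank,
    which the IDP's role data does not account for."""
    report = {}
    for u in users:
        extra = effective_permissions(u) - role_permissions(u)
        if extra:
            report[u.name] = sorted(extra)
    return report
```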