Ch. 046 Creating Site Groups

A Site Group is a set of site users that share the same permissions or settings in the site.  Site Groups can be a very powerful tool, affecting what products can be seen, what pricing is seen, who receives email, who approves orders, and a host of other capabilities. The Everyone Group is the default Group for a Site. You can add additional Site Groups as needed, each with different permissions and your site users can belong to as many groups as you need them to. 

Below is a screenshot of the Site Group setting area in admin. To access this page, go to Admin > Sites [select site] > User Management > Site Groups.

 

 

What can these groups do?

  • You can create special Groups of Users for a Site that have limited access to some of the same capabilities that you have as the Pressero Administrator for their Site. Some can be permitted to view, add, or edit Users of the Site, or view all customer orders in this Site, etc.

  • The group settings can determine what a user can do in their own site portal, like view their own orders or change their password, etc.

  • A Site Group can be used to limit access to different Products and/or Pricing (See Products > Groups, Products > Pricing) Example: The Site Group “ABC Headquarters” can see different Products than the Site Group “ABC Production”.

  • Site Groups can also be used to limit access to Pages you have added to the Site (See Pages > Access Control) Example: The Site Group “ABC Headquarters” can see different  Pages than the Site Group “ABC Production”.

  • You can create a group of users that will approve orders in a B2B site. 

 

Add a New Site Group

To add a new site group click on the link at the top of the page "Add New Group"

  • Group Name - Name the group something that will be easy to identify in different areas of the setup. Example of site group names might be Approval Manager, Corporate Users, Frequent Buyer Club, etc. 
  • Description - Add a description to help you understand the difference between your groups. This will not be seen by your customers. 
  • Available to Self-Signup Users - If you would like this group to be available to your customers on the Create Account Form when they sign-up for an account in the store, check this box. When they create an account, all Site Groups that have been selected will be available in a drop-down menu for them to choose from when a user signs up to the site. You will have to go to User Management > Profile Fields and enable the Site Groups profile field before the control will become available on the self-signup page of your site. *Note: although site users can be assigned to an unlimited number of groups, they can only select one group when signing up. 
  • Permissions -  Set the desired permissions. Review the information and rules below. 

Site Group Permission Conflicts

While Groups allow a lot of flexibility with your sites, it can also cause some undesired behavior or lock your users out of the site if you are not careful when creating and assigning the groups to your users. When setting the Permissions of a Site Group, it's usually best to use Allow or Not Set. The Denied setting should be used sparingly and in most situations will not be needed. 
 
Your users can be a member of multiple groups so when there is a conflict between Allowed and Denied, Denied wins. In contrast, Not Set neither Allows nor Denies. Instead, it defers that choice to any other Site Group the person may belong to. Think of Not Set as a softer version of Denied. It does not Allow, but neither is it an absolute “Denied” if the permission is set to Allow in another Site Group the User is a member of. 
 
Example: If a user is part of two groups, one is set to allow them to view order history in their account, another user group they belong to is set to "Denied" for that permission. Regardless of the one group that says they have the permission, denied wins every time... so they are denied of this permission. If we would have set the other group to "not allowed", then the group that gives them permission will be honored. Any other uses in that not allowed group will not be allowed to view the order history (assuming they are not given permission in any other group). 
 

Further Examples Showing the Effect of Site Group Permission Settings


Let's say Peter is a member of the Site Group Everyone and another Site Group you created called Approvers, for approving orders. The correct way to set the Site Group permissions is #2 above because Allowed beats Not Set. In #3, when Peter is requested to approve an order, he can't because there is a conflict. As a member of the Site Group Everyone, he is specifically prevented from seeing the order and Denied always wins. The other examples are for comparison.
 

Permission Principles 

  1. As we mentioned earlier, setting permissions can be tricky and it is very important to change permissions for any group carefully. To review: 

    • A "Not Set" permission means the user is not granted the permission unless Allowed in another group they belong to. When the User is a member of two Groups with one group set to Allow and the other set to Not Set, Allow will override Not Set.

    • A "Denied" permission is ALWAYS denied. When the User is a member of two Groups with one group set to allow and the other set to Deny, Deny will override Allow.

    • A user can be part of multiple groups. If they are denied a particular permission in any group they belong to, even if they are allowed in another, they WILL be DENIED that permission. If you find a user is not being given a permission you want them to have, check all groups they are in to see if this is the cause. 

  2. The permissions are displayed in an important order and hierarchy. Notice how some of the permissions are inset and below others. The more indented a permission is below, the "stronger" (i.e., higher) level it is.  Remember, a permission Allowed at a higher level will grant all permissions underneath it except those set to Denied. A permission Denied at a higher level will deny all permissions underneath it, regardless of whether those permissions are Allowed.

    • Higher (stronger) level permissions when Denied will override lower level permissions that are Allowed. For example, if the higher level "Can manage sites" is Not Set or Denied, and it's lower level "Can manage content pages" is Allowed, the group member will not be able to change content pages.

    • A permission Allowed at a higher (stronger) level will grant all permissions underneath it unless they are set to Denied.

Setting the "Admin Group" permissions within your individual sites (it will also be helpful to review the section again on Admin Groups where there are more examples on how to set this up. Go here)

Admin Group Permissions can be overridden within a Site. This is helpful when you want your different staff/admin users to be assigned to different sites, or you want to allow a salesperson to set up and manage the sites they are responsible for, but not let them have access to any other site. Before you can accomplish this, you need to set up the different Admin Group and assign the employee(s) to the group. See Admin > Preferences > Admin Groups. 

Refer to the image at the top of this page. You will see an option to switch from "Site Groups" to "Admin Groups" that you can manage. Select Admin Groups.

 

In this image, you can see that we are in the "Site Groups" area of the site, but we are managing the "Admin Group" permissions for that particular site. In this situation, we are ok with our CSR viewing the main admin order area, but we do not want them to have access to anything in this particular site. In this situation, we have set them to denied in the all the permissions JUST for this particular site. 
 
 
 
  • The Admin Group permissions you set in Preferences can be overridden within a Site with one exception: Denied. A permission set to Denied in an Admin Group cannot be overridden. 
  • Changing the Admin Group permission at the Site level applies to that Site only.

 

Examples Showing the Effect of Site Overrides on an Admin Group Permission Setting

 

Admin Group Override Scenario

  1. You have two sales reps (or customer service reps) who are Users in the Admin area (Preferences > Users).
  2. Rep #1 services Customer Site A. Rep #2 services Customer Site B. 
  3. You don't want Rep #1 to be able to access Site B's admin area. Likewise, you don't want Rep #2 to be able to access Site A's admin area.
  4. Solution:
  • Create a “Rep #1” Admin Group and assign Rep #1 to it.
  • Create a “Rep #2” Admin Group and assign Rep #2 to it.
  • In Site A > Site Groups > Admin Groups, select “Rep #2” Admin Group and set the desired permissions to Deny.  
  • In Site B > Site Groups > Admin Groups, select “Rep #1” Admin Group and set the desired permissions to Deny.

 

Knowledge Base articles related to Site Groups and Admin Groups within specific sites

How do I limit admin users to only be able to view/edit certain sites?

Is there a way to restrict a group of users on one site to only see Products assigned to a particular category

The Pricing Does Not Display and I have Two Add to Cart Buttons Displaying