Application and Global Roles

This article applies to P2 Explorer versions 4.3.0-4.5.5 ONLY. For the latest version, see Security.

There are two types of roles in P2 Security: Application Roles and Global Roles. It's important to know the difference between the two in order to grant users access to advanced functionality (e.g. administrator access) in P2 applications. 

Application Roles are provided automatically by an application. Each one combines several privileges on objects within that system into a single role. For example, the 'Explorer Administrator' role in P2 Explorer allows access to the Settings page in P2 Explorer, as well as viewing audit logs and publishing directly to a workspace.

While Application Roles are specific to a single application, Global Roles are more focused around the business. Global Roles exist across different applications, and map to the types of role that people perform in their business. For example, you may set up Accounting, Engineering, Management, IT, etc.

Users are assigned to Global Roles, and the Global Roles can be mapped to the Application Roles, which transfers those application access privileges to users with that Global Role. 

Note: Users belonging to a global role which has had a mapping change will need to log out and then log in again to notice any changes to their privileges.

Application Roles

An Application Role is created by an application such as P2 Explorer. These may vary from version to version as new features are added.

P2 Security

P2 Security provides the following application roles:

Administration Inspector: Provides the ability to view all items in P2 Security Connect; however, users with this role are unable to add, edit, or delete anything in P2 Security Connect.
Administrator: Provides the ability to view, add, edit, and delete all items in P2 Security Connect.

P2 Server

P2 Server provides the following application roles:

Editor: Allows users to view, add, edit, and delete all items in P2 Server Management.
Image Editor: Allows users in P2 Explorer to upload images via the Image Gallery, and store them in P2 Server. This role does not provide access to P2 Server Management.
Tag Editor: Allows users in P2 Explorer to save new calculations to P2 Server. This role does not provide access to P2 Server Management.

P2 Explorer

P2 Explorer provides the following application roles:

Explorer Administrator: Allows users to import/export pages and trends, view audit logs, publish directly to a workspace, and access the Settings function in P2 Explorer for administration of home pages.
Explorer Style Administrator: Allows users to create and modify styles in P2 Explorer.
Explorer Workspace Administrator: Allows users to create workspaces, approve submitted pages, and publish pages directly to a non-private workspace (i.e. any workspace other than 'My Workspace').

Read more: Setting Up an Explorer Administrator

Custom Applications

Consuming applications are able to integrate their own custom configuration files with P2 Security. Custom applications can create their own application roles to enable user access to that system. The Application Roles for a custom application will be specific to that application. 

 


Global Roles

Global Roles are created by Security administrators. The point of a Global Role is to bundle access permissions for users and user groups with that role.

Global Roles can be used to represent specific categories of users in the business (e.g. Engineering, Operations, Management, IT). You can then associate one or more Application Roles with the Global Role. For example, you may want all users in the IT Global Role to have 'Explorer Administrator' (a P2 Explorer application role) privileges as well as 'Editor' (a P2 Server application role) privileges.

'Everyone' Default Global Role

By default, the 'Everyone' Global Role is included in all P2 Explorer installations, and all users are automatically assigned to this role. The role allows all users read and modify access to all of P2 Explorer.

Note: All users are automatically assigned to the 'Everyone' Global Role, even if that role does not exist. If this role is deleted or otherwise does not exist, you can create it manually so that you can secure items and applications against this role.

The 'Everyone' role also allows administrators to specify a different global setting for anyone who accesses an application. For example, the Everyone role can be used to allow all users to view specific pages in P2 Explorer, but not edit them.

If you want to start restricting access to certain workspaces, pages, or trends, then you need to explicitly specify permissions in the roles for the objects you are securing.
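
The mapping model described above, as an added illustration (not P2 code and not a P2 Security API; the users and role assignments are constructed sample data). It resolves the Application Roles a user ends up with, including through the implicit 'Everyone' membership, and lists which Application Roles a mapping to 'Everyone' gives to every user.

```python
# Added illustration: constructed sample data, no P2 Security API is used.
EVERYONE = "Everyone"  # every user is a member, whether or not it is assigned

# Global Role -> (application, Application Role) pairs mapped to it
ROLE_MAPPINGS = {
    "IT": {("P2 Explorer", "Explorer Administrator"), ("P2 Server", "Editor")},
    "Engineering": {("P2 Server", "Tag Editor")},
    EVERYONE: {("P2 Server", "Image Editor")},
}

# User -> Global Roles explicitly assigned by a Security administrator
USER_GLOBAL_ROLES = {"alice": {"IT"}, "bob": {"Engineering"}, "carol": set()}


def effective_app_roles(user, assignments=USER_GLOBAL_ROLES, mappings=ROLE_MAPPINGS):
    """Application Roles the user receives through Global Role mappings."""
    global_roles = set(assignments.get(user, ())) | {EVERYONE}
    granted = set()
    for name in global_roles:
        # A Global Role with no mappings (or a deleted 'Everyone') adds nothing.
        granted |= mappings.get(name, set())
    return granted


def holders(app, app_role, assignments=USER_GLOBAL_ROLES, mappings=ROLE_MAPPINGS):
    """Users who end up with the given Application Role, for access review."""
    return sorted(
        user for user in assignments
        if (app, app_role) in effective_app_roles(user, assignments, mappings)
    )


def granted_to_all(mappings=ROLE_MAPPINGS):
    """Application Roles mapped to 'Everyone', and so held by every user."""
    return sorted(mappings.get(EVERYONE, set()))


if __name__ == "__main__":
    for user in sorted(USER_GLOBAL_ROLES):
        print(user, sorted(effective_app_roles(user)))
    print("Explorer Administrator holders:",
          holders("P2 Explorer", "Explorer Administrator"))
    print("Mapped to Everyone:", granted_to_all())
```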

 


Example Role Mapping Exercise

Here is an example of a Super Administrator global role that has all the application roles mapped. All users with the Super Administrator role will also have all of the mapped application roles. After the role mapping is done, you can go ahead and add users to the global roles.

To map these roles, you will need to first add the global role, and then map the application roles.

Adding a Global Role

1. In P2 Security, click Global Roles (under Administration on the left).

2. In the top right of the blue toolbar, click the Add button.

 

3. In the Add Global Role dialog box, type the name and description for the new global role, and then click OK.

Note that Internal Name is required, and it must be unique and contain no spaces.

The new global role 'Super Administrator' is created.

 

Mapping an Application Role to a Global Role

 

1. In P2 Security, click Role Mappings on the left.

2. In the Applications box on the left, click the name of the application containing the application roles you want to map (e.g. P2 Explorer). You may need to wait a few seconds for the rest of the screen to refresh with the roles for the chosen application.

3. In the Application roles box on the right, click the application role you want to map (e.g. Explorer Administrator).

4. In the Other global roles box on the right, click the Global Role you just created (Super Administrator).

5. Click the left arrow button to add the selected application role to this global role.

Repeat steps 2-5 to add more application roles to the global role.

6. Once all roles have been mapped, click the Save button. 

Now you can go ahead and add users to the Super Administrator Global Role.

 
