Introduction
This guide discusses the rights available to users, and how the Local SiteWorks Administrator can add additional users to the system or remove those who may have stepped down.
In this and other guides, the following definitions are used. Users are people who have login access to the WordPress Dashboard, with assigned Roles. They are different to Contacts, who typically lead interest groups, organise meetings and other events, and don’t have login rights, but have details entered into the system to populate contact email addresses. The u3a committee must appoint a Local SiteWorks Administrator (aka the Administrator) to manage and maintain the website specific to an individual u3a. This individual MUST not be confused with the System Administrator, who manages SiteWorks and its infrastructure.
The System Administrator is a SiteWorks team member responsible for the complete SiteWorks system, including maintenance, handling updates, and hosting. Before the site is released, an administrator called SwDevAdmin is added to allow the SiteWorks team to manage an account (e.g. adding an updated plugin). THIS USER MUST NOT BE DELETED.
While this and other documentation refer to a single Administrator, it is strongly recommended that a u3a has more than one Administrator to ensure resilience in case of illness, holiday, etc. As any user with administrator rights can modify all aspects of a site, it is recommended that the number of Administrators be limited by a u3a committee.
WordPress has no practical limitations to the number of website Administrators, Editors and Authors.
Any Administrator can allow other members of their u3a to edit or publish pages and posts by adding them as either an Editor or Administrator. For example, a group leader can add material to their group pages without sending it to the Administrator for editing and publication. This is achieved by adding individuals as Users with the role of Editor.
It should be noted that although, in practice, there will be some overlap between users and contacts, they are to be considered separate from the Administrator’s point of view.
It is important to note that a User may be able to view a range of information held by the u3a, including contact details. Hence, prospective Administrators or Editors should be fully aware of the u3a’s data protection policy and GDPR.
Summary of User Roles and Access Rights
WordPress has five default user roles:
- Administrator: Create, edit, publish, and delete any content, manage plugins and themes, edit code and delete other user accounts.
- Editor: Create, edit, delete, and publish pages and posts, including those belonging to other users.
- Author: Create, edit, delete, and publish their posts (and upload media files), subject to allocation of permission by an Administrator.
- Contributor: Able to read all posts, as well as deleting and editing their posts. They are not permitted to publish posts or upload media files.
- Subscriber: They can only read posts and manage their profiles.
In SiteWorks the Contributor and Subscriber roles are not available: they can be set, but the users have no access to any feature other than their profiles. In addition, an Author’s access rights have been tailored to the specific requirements of the u3as.
In SiteWorks access to options and tools is tightly controlled. Table 1 shows the broad allocation of privileges between the three Roles. Editors and Authors only have access to content provision (posts etc.); site configuration is undertaken solely by Administrators. Table 2 details the restrictions placed on users, particularly those identified as Authors.
It should be noted that an Author can only edit pages, posts etc. relating to content allocated to them by the Administrator. If a group is allocated to a specific Author, that user can only edit and publish material directly related to that Group (e.g. the Group Page(s) or Group Event(s)).
Overview of Dashboard Rights
As discussed in the Dashboard user guide, access to configuration options and tools is dependent on the Role as shown below:
Dashboard Option | Summary of all Available Options | Role |
---|---|---|
Posts | Create, edit, publish and delete posts | A, E, AU† |
Media | Allows configuration of the site and several plugins | A, E, AU† |
Pages | Create, edit, publish and delete pages | A, E |
u3a Groups | Create, edit and delete groups | A, E, AU† |
u3a Events | Create, edit, publish and delete events | A, E, AU† |
u3a Venues | Add, edit and delete venues | A, E |
u3a Contacts | Add, edit and delete contacts | A, E |
u3a Notices | Create, edit, publish and delete notices | A, E |
u3a Settings | Managing the options relating to u3a groups, events and venues. | A |
Appearance | Managing the site appearance under the u3a theme | A |
Plugins | Manage plugins | A |
Users | Add, edit, and delete users | A |
Tools | Tools to manage site data | A |
Analytics | Generates a wide range of statistics regarding site usage | A |
Settings | Allows configuration of the site and a number of plugins | A |
Loginizer Security | Configure the security plugin. | A |
In addition, all users have access to their Profile, to change passwords and several other options, including contact information and first and last names.
Content Management Rights
The following table summarises the ability of users to manage content on the website:
Feature | Administrator | Editor | Author |
---|---|---|---|
Posts | V, C, D, E, P | V, C, D, E, P | V, C, d, e, P |
Post Categories | V, C, D, E, P | V, C, D, E, P | V |
Media† | V, U, D | V, U, d | V, d, U |
Pages | V, C, D, E, P | V, C, D, E, P | V |
u3a Groups | V, C, D, E | V, C, D, E | V, e, d, P |
u3a Events | V, C, D, E | V, C, D, E | V, c, d, e, P |
u3a Venues | V, C, D, E | V, C, D, E | V |
u3a Contacts | V, C, D, E | V, C, D, E | V‡ |
u3a Notices | V, C, D, E, P | V, C, D, E, P | V |
† While WordPress has limited image processing capabilities, it is advised that all image processing is undertaken with a specialist package such as Adobe Photoshop or GIMP (GNU Image Manipulation Program). All other media need to be created and edited outside WordPress.
‡ Authors can only view contacts as a pulldown menu when configuring events; this is to maintain adherence to GDPR requirements.
Key | Meaning |
---|---|
c | Create content of this type, subject to the allocation of the required permission(s) by the Administrator. |
C | Unrestricted creation of content of this type. |
d | Deletion of content of this type, subject to the allocation of the required permission(s) by the Administrator, or ownership. |
D | Unrestricted deletion of content of this type. |
e | Edit content of this type, subject to the allocation of the required permission(s) by the Administrator, or ownership. |
E | Unrestricted editing of content of this type. |
P | Ability to publish content. |
U | Upload media of any type. |
V | View all website content of this type. |
Maintaining Users
The Users Menu is only visible to those with Administrator access rights and is located on the left-hand sidebar of the Dashboard:
The first option from this menu will display all current users and permit editing of their information; the second item allows new users to be added; and the third option allows the current user’s profile to be changed. Each option is described below.
Adding a New User
When this option is selected, the new user’s details can be added as required:
The only required information for a user is a username and an email address; this is the minimum required for a new user to log in to the site. It is recommended that the u3a adopt a standard format for user names. It is strongly recommended that:
- The username should be ten characters or more, and include a mixture of upper and lower case letters and numbers. Dashes (-), periods (.), underscores (_) and the ampersat (@) can also be used, but other punctuation characters are not acceptable to WordPress.
- No reference is made to (i) the u3a in general, (ii) the u3a’s name, and (iii) the name and position of the post holder.
- The user name is NOT case-sensitive, e.g. NightWatchMan and NIGHTwatchMAN are both accepted.
It is important to note that, once set, the user name cannot be changed.
A password for the initial logon needs to be generated for the new user and should be between 8 and 64 characters in length, with at least one of each of the following: an upper case letter, a lower case letter, a number and a punctuation mark. If the password does not meet these criteria, adding a new user will fail, and an error message will be displayed, as discussed here.
Although a tick-box to confirm a weak password is provided, the u3a SiteWorks configuration plugin does not permit a new user with any password that does not meet the above requirements.
Further advice on password security can be found in the password management user guide and information provided by the UK National Cyber Security Centre.
Important: remove the tick from the box labelled Send User Notification. Emails sent using this option may be rejected by the new user’s email account as spam or phishing, are often not delivered successfully, and may impact the server’s reputation, as discussed here. If the u3a uses Beacon or a similar system, this route is preferred, as it will create a record in an audit log.
It should be noted that any new user is assigned the Author role by default, the most restrictive available, unless changed by the Administrator.
On completion, select Add New User.
When the Administrator sends a new user their initial login credentials, the new user MUST be instructed to change their password via their user profile on the initial login.
Managing Users
By selecting All Users, a list of all the users is provided, showing their email address, role and the number of posts they have created.
To undertake a change, the user is selected by checking the box on the left to allow the User’s profile to be viewed, edited or have their role changed.
Any User may be deleted, although one active Local Administrator and the external System Administrator must not be deleted for the site to be correctly maintained. When the site is set up, one or more additional “administrators” are included to allow the test and migration team to support the individual web manager during the initial rollout of the website.
An additional function is available from this screen: the Administrator may send a Password Reset email to a user who has forgotten their password. However, it is important to note that such emails may be rejected by the user’s email account and result in reputational issues, as these emails can be interpreted as spam or phishing. It is recommended that any new password must be sent using an email. If the u3a uses Beacon or similar, this route is preferred as the email will be recorded in the audit log.
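The account rules set out in this guide (SwDevAdmin kept as an administrator, more than one local Administrator, no users left on the unused Contributor or Subscriber roles, usernames in the recommended format) can be checked against an exported user list. The following is an added example, not part of SiteWorks or its documentation; the CSV columns `user_login` and `roles`, the sample accounts and the list of banned terms are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample export; assumed columns: user_login, roles. Not real accounts.
SAMPLE_CSV = """user_login,roles
SwDevAdmin,administrator
Quiet7Harbour21,administrator
walksleader,author
Maple4Lantern88,editor
OakfieldU3aChair,author
Birch9Window55,subscriber
"""
PROTECTED_ADMIN = "swdevadmin"  # SwDevAdmin, lower-cased: usernames are not case-sensitive
UNUSED_ROLES = {"contributor", "subscriber"}  # profile-only access in SiteWorks
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9._@-]+")


def username_issues(name, banned_terms):
    """Check one username against the guide's naming recommendations."""
    issues = []
    if len(name) < 10:
        issues.append("is shorter than ten characters")
    if not all(re.search(p, name) for p in (r"[a-z]", r"[A-Z]", r"[0-9]")):
        issues.append("needs upper case, lower case and numbers")
    if not ALLOWED_CHARS.fullmatch(name):
        issues.append("uses characters other than letters, numbers, - . _ @")
    issues += [f"refers to '{t}'" for t in banned_terms if t.lower() in name.lower()]
    return issues


def audit_users(csv_text, banned_terms):
    """Return a list of findings for a user export (empty list means no findings)."""
    users = [(r["user_login"], set(r["roles"].split(",")))
             for r in csv.DictReader(io.StringIO(csv_text))]
    admins = {login.lower() for login, roles in users if "administrator" in roles}
    findings = []
    if PROTECTED_ADMIN not in admins:
        findings.append("SwDevAdmin is missing or is not an administrator")
    # Assumption: "more than one Administrator" counts local admins, not SwDevAdmin.
    local_admins = admins - {PROTECTED_ADMIN}
    if len(local_admins) < 2:
        findings.append(f"{len(local_admins)} local administrator(s); more than one is recommended")
    for login, roles in users:
        if login.lower() == PROTECTED_ADMIN:
            continue  # managed by the SiteWorks team; skip the local naming checks
        if roles & UNUSED_ROLES:
            findings.append(f"{login}: role gives no access beyond the profile")
        findings += [f"{login}: username {i}" for i in username_issues(login, banned_terms)]
    return findings
```

The banned terms passed in should cover the u3a's name and the names and positions of post holders, since the guide recommends usernames refer to none of them.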
User Profile
The profile of a user provides a summary of all the information held for that person, i.e., Login Username, First Name, Last Name, Email, Login Password and Role. As with all software of this type, WordPress has options which do not apply to u3a users. A user can change all the information except the username and role; however, it is recommended to remain with the default settings. In summary, the available sections are:
- Personal Options. Sets several editing and display options.
- Name. Gives the username, first and last name and nickname of the user. When a post includes the author’s name, the Display name Publicly as option needs to be set; options include:
  - Username
  - First name, Last Name, First and Last name, Last and First Name
  - Nickname
- Contact info. This records the email that the user provided when they became a user. This can differ from the email recorded in the contact section (if the person is both a user and a contact). If a change is required, for example, a personal email account is changed, changes should be undertaken in consultation with the site Administrator, to ensure an audit trail is maintained. If a user has a personal website this information can be entered.
- About the user. This allows individual users to set up a biography and image. It is strongly recommended that this is not undertaken as this information may be visible on external sites. In addition, a profile picture can be added; however, this requires setting up a Gravatar account, which is not recommended.
- Account Management:
  - Allows the setting of a new password.
  - Provides the capability to logout a session on another device, e.g. a smartphone or another computer. Once selected, the user will only be logged in to their current session.
- Application Passwords. Not required for SiteWorks users.
Assigning Pages or Groups to a Specific Author
An Author cannot create a new page or group; the Administrator may wish to allocate an existing or newly created page or group to a specific Author, for example to a group leader when a group is created. Once a group is assigned to an Author they can edit the Group Page, and create and publish posts and events related to the group.
Select Pages ⇒ All Pages or Groups ⇒ All Groups from the Dashboard, then select Quick Edit when hovering over the name. Then select the Author to be assigned from the pull-down menu, and then Update. The example below is for a Group:
Deleting a User
It should be noted that WordPress requires all pages and posts to be assigned to a user. When deleting a user, the Web Site Administrator should be aware that any content created by that user is also deleted, unless the administrator assigns that content to another user.
When the Administrator selects Delete from the options given when hovering over the user’s name, the following options are displayed:
- Delete all content: permanently delete all the content generated by the user (i.e., there is no recovery from the bin option). It is advised that this option is not selected.
- Attribute all contents to: this option allows the Administrator to reassign all the content created by the user to any other user in the system. For example, if a group leader changes, all the content created by the outgoing group leader can easily be assigned to the new group leader, as long as that person has been added as a user before the original user is deleted. The user who will be taking over the content can be selected from the pulldown menu.
Once an option is selected, select Confirm Deletion.