User Management

Introduction

In this and other guides, the following definitions are used. Users are people who have login access to the WordPress Dashboard, with assigned Roles. They are different from Contacts, who typically lead interest groups, organise meetings and other events, and do not have login rights, but have details entered into the system. The Administrator is appointed by a u3a committee to manage and maintain the website specific to an individual u3a.

The System Administrator is a SiteWorks team member responsible for the complete SiteWorks system including maintenance, handling updates, and hosting. To allow SiteWorks to manage an account, an Administrator called SwDevAdmin is added before the site is released to you. THIS USER MUST NOT BE DELETED.

WordPress technically has no limitations as to the number of Administrators, Editors and Authors that can be added to a Website. While this and other documentation refers to an Administrator, it is strongly recommended that a u3a has more than one Administrator to ensure resilience in case of illness, holiday, etc. However, as the Administrator can change all the site features, it is recommended that the number of Administrators is tightly controlled by a u3a committee.

Any Administrator can allow other members of their u3a to edit or publish pages and posts by adding them as either an Editor or Administrator. For example, a group leader can add material to their group pages without sending it to the Administrator for editing and publication. This is achieved by adding individuals as Users with the role of Editor.

It should be noted that, in practice, there will be some overlap between the activities of users and contacts, but they are to be considered separate from the Administrator’s point of view.

This guide discusses the rights available to users, and how the local SiteWorks Administrator can add additional users to the system or remove those who may have stepped down.

It is important to note that a User may be able to view a range of information held by the u3a, including contact details. Hence, any prospective Administrators or Editors should be fully aware of the u3a’s data protection policy and GDPR.

Summary of User Roles and Access Rights

WordPress has five default user roles:

  • Administrator: Create, edit, publish, and delete any content, manage plugins and themes, edit code and delete other user accounts.
  • Editor: Create, edit, delete, and publish pages and posts, including those belonging to other users.
  • Author: Create, edit, delete, and publish their posts (and upload media files), subject to allocation of permission by an Administrator.
  • Contributor: Able to read all posts, as well as deleting and editing their posts. They are not permitted to publish posts or upload media files.
  • Subscriber: They can only read posts and manage their profiles.

In SiteWorks the Contributor and Subscriber roles are not available: while they can be set, users with these roles have no access to any feature other than their profiles. In addition, an Author’s access rights have been tailored to the specific requirements of a specific u3a.

In SiteWorks, access to options and tools is tightly controlled. Table 1 shows the broad allocation of privileges between the three Roles. It can be seen that Editors and Authors only have access to content provision (posts etc.); all site configuration is undertaken solely by Administrators. Table 2 details the restrictions placed on users, particularly those identified as Authors.

It should be noted that an Author can only edit pages, posts etc. relating to content allocated to them by the Administrator. If a group is allocated to a specific Author, that user can only edit and publish material directly related to that Group (e.g. the Group Page(s) or Group Event(s)).

Overview of Dashboard Rights

As discussed in the Dashboard user guide, access to configuration options and tools is dependent on the Role as shown below:

| Dashboard Option | Summary of all Available Options | Role |
|---|---|---|
| Posts | Create, edit, publish and delete posts | A, E, AU |
| Media | Allows configuration of the site and several plugins | A, E, AU |
| Pages | Create, edit, publish and delete pages | A, E |
| u3a Groups | Create, edit and delete groups | A, E, AU |
| u3a Events | Create, edit, publish and delete events | A, E, AU |
| u3a Venues | Add, edit and delete venues | A, E |
| u3a Contacts | Add, edit and delete contacts | A, E |
| u3a Notices | Create, edit, publish and delete notices | A, E |
| u3a Settings | Managing the options relating to u3a groups, events and venues. | A |
| Appearance | Managing the site appearance under the u3a theme | A |
| Plugins | Manage plugins | A |
| Users | Add, edit, and delete users | A |
| Tools | Tools to manage site data | A |
| Analytics | Generates a wide range of statistics regarding site usage | A |
| Settings | Allows configuration of the site and a number of plugins | A |
| Loginizer Security | Configure the security plugin. | A |

Table 1: Overview of access rights. Key: A: Administrator, E: Editor, AU: Author. It should be noted that the Author does not have access to all features.

In addition, all users have access to their Profile, to change passwords and several other options, including contact information and first and last names.

Content Management Rights

The following table summarises the ability of users to manage content on the website:

| Feature | Administrator | Editor | Author |
|---|---|---|---|
| Posts | V, C, D, E, P | V, C, D, E, P | V, C, d, e, P |
| Post Categories | V, C, D, E, P | V, C, D, E, P | V |
| Media | V, U, D | V, U, d | V, d, U |
| Pages | V, C, D, E, P | V, C, D, E, P | V |
| u3a Groups | V, C, D, E | V, C, D, E | V, e, d, P |
| u3a Events | V, C, D, E | V, C, D, E | V, c, d, e, P |
| u3a Venues | V, C, D, E | V, C, D, E | V |
| u3a Contacts | V, C, D, E | V, C, D, E | V‡ |
| u3a Notices | V, C, D, E, P | V, C, D, E, P | V |

Table 2: Detailed Summary of Roles and Access to Content Tools.
While WordPress has limited image processing capabilities, it is advised that all image processing is undertaken with a specialist package such as Adobe Photoshop or GIMP (GNU Image Manipulation Program). All other media need to be created and edited outside WordPress.
‡ Authors can only view contacts as a pulldown menu when configuring events; this is to maintain adherence to GDPR requirements.

| Key | Meaning |
|---|---|
| c | Create content of this type, subject to the allocation of the required permission(s) by the Administrator. |
| C | Unrestricted creation of content of this type. |
| d | Deletion of contents of this type, subject to the allocation of the required permission(s) by the Administrator, or ownership. |
| D | Unrestricted deletion of content of this type. |
| e | Edit content of this type, subject to the allocation of the required permission(s) by the Administrator, or ownership. |
| E | Unrestricted editing of content of this type. |
| P | Ability to publish content. |
| U | Upload media of any type. |
| V | View all website content of this type. |

Table 3: Key for Table 2.

The Users Menu

The Users Menu is only visible to those with Administrator access rights and is located on the Dashboard, as shown below.

The first option from this menu displays all current users and allows their information to be edited; the second option allows new users to be added; and the third option allows the current user’s profile to be changed. Each option is described below.

Adding a New User

When this option is selected, the new user’s details can be added as required:

The only required information for a user is a username and an email address, this being the minimum required for a new user to log into the site. It is recommended that the u3a adopt a standard format for user names. It is strongly recommended that:

  • The username should be not less than ten characters in length, and include a mixture of upper and lower case letters and numbers. The hyphen (-) and underscore (_) can also be used, but other characters may not be acceptable to WordPress.
  • No reference is made to (i) the u3a in general, (ii) the u3a’s name, and (iii) the name and position of the post holder.

It is important to note that, once set, the username cannot be changed.

A password for the initial logon needs to be generated for the new user. This should be eight (but preferably twelve) or more characters long, with at least one upper case and one lower case letter, a number and a punctuation mark. If the password does not meet these criteria, adding a new user will fail and an error message is displayed.

Although there is a tick-box displayed to confirm a weak password, the u3a configuration plugin does not permit the creation of a user with any password that does not meet the requirements defined above.

Further advice on password security can be found in the password management user guide and information provided by the UK National Cyber Security Centre.

Important: remove the tick from the box labelled Send User Notification. Emails sent using this option may be rejected by the new user’s email account as spam or phishing, are often not delivered successfully, and may impact the reputation of the server, as discussed here. If the u3a uses Beacon or a similar system, this route is preferred, as it will create a record in an audit log.

It should be noted that any new user is assigned the Author role by default unless changed by the Administrator, this being the most restrictive available in SiteWorks.

On completion, select Add New User.

When the Administrator sends a new user their initial login credentials, they MUST be instructed to immediately change their password via their user profile.

Managing Users

On selecting All Users, a list of all the users is provided, showing their email address, role and the number of posts they have created.

To undertake a change, the user is selected by checking the box on the left to allow the User’s profile to be viewed, edited or have their role changed.

Any User may be deleted, although one active Administrator must remain for the site to be correctly maintained. When the site is set up, several “administrators” are included to allow the test and migration team to support the individual web manager during the initial rollout of the website.

An additional function is available from this screen: the Administrator may send a Password Reset email to a user who has forgotten their password. However, it is important to note that such emails may be rejected by the user’s email account and result in reputational issues, as these emails can be interpreted as spam or phishing. It is recommended that any new password is sent using an email. If the u3a uses Beacon or similar, this route is preferred as the email will be recorded in the audit log.
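
The points this guide asks Administrators to watch (SwDevAdmin still present, more than one Administrator, no users left in roles that have no access, and usernames in the recommended format) can be checked over a copy of the user list. The Python below is an added example, not part of SiteWorks or WordPress; the record layout, the sample users, the u3a name "Anytown" and the choice not to count SwDevAdmin towards the u3a's own Administrators are assumptions.

```python
import re

PROTECTED_LOGIN = "SwDevAdmin"  # account this guide says must not be deleted
NO_ACCESS_ROLES = {"contributor", "subscriber"}  # no features in SiteWorks

def username_issues(login, u3a_name, person_names):
    """Check a username against the format recommended in this guide."""
    issues = []
    if len(login) < 10:
        issues.append("shorter than ten characters")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", login):
        issues.append("uses characters other than letters, numbers, - and _")
    if not all(re.search(p, login) for p in ("[a-z]", "[A-Z]", "[0-9]")):
        issues.append("lacks a mixture of upper case, lower case and numbers")
    for word in ["u3a", u3a_name, *person_names]:
        # Very short name parts are skipped to avoid accidental matches (assumption)
        if len(word) >= 3 and word.lower() in login.lower():
            issues.append(f"refers to '{word}'")
    return issues

def audit_users(users, u3a_name):
    """Return (login, finding) pairs for a list of user records."""
    findings = []
    admins = [u["login"] for u in users if u["role"] == "administrator"]
    if PROTECTED_LOGIN not in admins:
        findings.append((PROTECTED_LOGIN, "missing or not an Administrator"))
    # Assumption: SwDevAdmin is not counted towards the u3a's own Administrators
    if len([a for a in admins if a != PROTECTED_LOGIN]) < 2:
        findings.append(("*", "fewer than two local Administrators"))
    for u in users:
        if u["login"] == PROTECTED_LOGIN:
            continue
        if u["role"] in NO_ACCESS_ROLES:
            findings.append((u["login"], f"role '{u['role']}' has no access in SiteWorks"))
        for issue in username_issues(u["login"], u3a_name, u["name"].split()):
            findings.append((u["login"], "username " + issue))
    return findings

# Constructed sample records (hypothetical layout, not real accounts)
SAMPLE_USERS = [
    {"login": "SwDevAdmin", "name": "", "role": "administrator"},
    {"login": "Kestrel_42-Harbour", "name": "Pat Example", "role": "administrator"},
    {"login": "anytownchair", "name": "Sam Sample", "role": "editor"},
    {"login": "Walker7Birch", "name": "Lee Walker", "role": "author"},
    {"login": "Quartz_Lantern9", "name": "Jo Bloggs", "role": "subscriber"},
]

if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS, u3a_name="Anytown"):
        print(f"{login}: {finding}")
```
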

User Profile

The profile of a user provides a summary of all the information held for that person, i.e., Login Username, First Name, Last Name, Email, Login Password and Role. As with all software of this type, WordPress has several options, some of which do not apply to u3a users. A user can change all the information except the username and role; however, it is recommended to remain with the default settings. In summary, the available sections are:

  • Personal Options. Sets several editing and display options.
  • Name. Gives the username, first and last name and nickname of the user. When a post includes the author’s name, the “Display name publicly as” option needs to be set; options include:
    • Username
    • First name, Last Name, First and Last name, Last and First Name
    • Nickname – this is always required, the default being the username.
  • Contact info. This records the email that the user provided when they became a user. This can differ from the email recorded in the contact section (if the person is both a user and a contact). If a change is required, for example, a personal email account is changed, any changes should be undertaken in consultation with the site’s Web Manager, to ensure an audit trail is maintained. If a user has a personal website this information can be entered.
  • About the user. This allows individual users to set up a biography and image. It is strongly recommended that this is not undertaken, as this information may be visible on external sites. In addition, a profile picture can be added; however, this requires setting up a Gravatar account, which is not recommended.
  • Account Management:
    • Allows the setting of a new password.
    • Provides the capability to log out of a session on another device, e.g. a smartphone or another computer. Once selected, the user will only be logged in to their current session.
  • Application Passwords. Not required for SiteWorks users.

Assigning Pages or Groups to a Specific Author

An Author cannot create a new page or group; the Administrator may wish to allocate an existing or newly created page or group to a specific Author, for example to a group leader when a group is created. Once a group is assigned to an Author they can edit the Group Page, and create and publish posts and events related to the group.

Select Pages > All Pages or Groups > All Groups from the Dashboard, then select Quick Edit when hovering over the name. Then select the Author to be assigned from the pull-down menu, and then Update. The example below is for a Group:

Deleting a User

It should be noted that WordPress requires all pages and posts to be assigned to a user. When deleting a user, the Web Site Administrator should be aware that any content created by that user is also deleted, unless the administrator assigns that content to another user.

When the Administrator selects Delete from the options given when hovering over the user’s name, the following options are displayed:

  • Delete all content: this option will delete all the content generated by the user permanently (i.e. there is no recover from bin option). It is advised that this option is not selected.
  • Attribute all contents to: this option allows the administrator to reassign all the content created by the user to any other user in the system. For example, if a group leader changes, all the content created by the outgoing group leader can easily be assigned to the new group leader, as long as that person has been added as a user before the original user is deleted. The user who will be taking over the content can be selected from the pulldown menu.

Once an option is selected, select Confirm Deletion.

Updated on 15/09/2024