
Use Plone Groups to Manage User Access

by Matt Blair last modified April 05, 2006 14:06 UTC

Simplify permissions management by assigning users to groups

As you add more and more users to a Plone site, it can become harder and harder to keep track of which users have which permissions in different areas of the site. Many of these users will need similar sets of permissions, so by identifying common patterns, you can add users to groups and then manage many of these permissions for a handful of groups rather than dozens or hundreds of users.

For this site, we have created a few basic groups:

  • Core Team - Our staff and key volunteers, who have permission to see and edit everything on the site
  • Research Team - Our volunteer researchers, who can read and comment on everything in the research folders, but can only folders in places where they are individually given permissions
  • Reviewers - All users who can approve content for publishing (this group is actually created by Plone during setup)

Note: We also use GroupSpaces, which are like folders with special access permission features built in.  On this page, I'm using Plone Groups to describe the groups created as described below. These 'Plone groups' can be assigned to roles in GroupSpaces.


Creating Groups

  • Log in to your Plone site using a manager account.
  • Click on the 'Preferences' link.
  • In the 'Site Setup' section, click on 'Users and Groups Administration'.
  • Click on the 'Groups' tab.
  • Click the 'Add New Group' button.
  • The 'name' of the group should be short, lowercase and without spaces or punctuation other than hyphens or underscores.  For example, we use 'coreteam' for our Core Team group. 
  • The title is not required, but you can use it to enter a more readable name with spaces and punctuation.
  • Description can be used to explain the access permissions that should be assigned to the group.
  • We usually leave email blank.

Assigning Users to Groups

Any users you want to add to groups must first have accounts for your site. Go back to 'Users and Groups Administration', or click the 'Users' tab if you are on the 'Groups' tab.  Click the 'Add New User' button, and add the information.  (Entering an accurate mail address is important so that users can retrieve and reset their passwords automatically.) I create all the user accounts first, and then assign them to groups, but you can go back and forth if you like.

For each group, I also create a few test user accounts, to verify that group assignments and the workflows are working properly in all the different workflow states.

To add users to groups:

  • Return to the 'Groups' tab, and click on a Group Name from the list.
  • Current group members, if any, will be displayed at the top of the 'Group Members' page, and the search box at the bottom of the page can be used to find other users.
  • If you don't have many members, you could use the 'Show All' button to see a full list of members.  Otherwise, use the 'quick search' to narrow the selection.
  • Note that the search results will include both individual users and other groups.  Users are displayed with a single person icon, while groups are displayed with a two-person icon.  While it sometimes makes sense to add a group to a group, be careful to think through all the ramifications of this, especially with groups that will have access to any sensitive areas or permissions.
  • Check the box next to any users or groups you would like to add, and click the 'Add selected groups and users to this group' button.

CAUTION: Be careful when assigning Roles to groups, especially from the Groups Overview page.  Giving the wrong group  Manager or Reviewer permission, for example, would open a huge security hole.
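
One way to think through the ramifications of adding a group to a group before doing it in the control panel. This is an added example, not part of the original how-to and not Plone code: it is a plain Python model that assumes roles given to an outer group pass to every member of a nested group. The membership data is constructed, including a mistaken nesting of a 'researchteam' group inside 'coreteam', and all function names are hypothetical.

```python
# Constructed model of group nesting; this does not call the Plone API.
SENSITIVE_ROLES = {"Manager", "Reviewer"}

# group id -> direct members (user ids or other group ids). Constructed sample data.
GROUP_MEMBERS = {
    "coreteam": {"alice", "researchteam"},   # a group added to a group
    "researchteam": {"sitereadtest", "bob"},
    "reviewers": {"carol"},
}
# group id -> roles assigned to the group itself. Constructed sample data.
GROUP_ROLES = {
    "coreteam": {"Manager"},
    "researchteam": {"Member"},
    "reviewers": {"Reviewer"},
}


def groups_containing(principal, members=GROUP_MEMBERS):
    """Return every group the principal belongs to, directly or through nesting."""
    found, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group, direct in members.items():
            if current in direct and group not in found:
                found.add(group)      # the 'found' check also stops nesting loops
                stack.append(group)
    return found


def effective_roles(user, members=GROUP_MEMBERS, roles=GROUP_ROLES):
    """Union of the roles of every group the user reaches (assumed inheritance)."""
    result = set()
    for group in groups_containing(user, members):
        result |= roles.get(group, set())
    return result


def sensitive_via_nesting(members=GROUP_MEMBERS, roles=GROUP_ROLES):
    """Map user -> sensitive roles the user holds only because of a nested group."""
    users = set().union(*members.values()) - set(members)
    report = {}
    for user in sorted(users):
        # Roles from groups the user was added to directly.
        direct = set().union(*(roles.get(g, set())
                               for g, m in members.items() if user in m))
        gained = (effective_roles(user, members, roles) - direct) & SENSITIVE_ROLES
        if gained:
            report[user] = gained
    return report
```

Calling sensitive_via_nesting() on the sample data reports 'bob' and 'sitereadtest' as holding Manager through the nesting, which is the kind of result to look for before saving a group-in-group change.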

Testing Group Access

For each group, I create a dummy user that I can use to test whether the permissions are working the way that I would like them to.  For example, I created a user with the id 'sitereadtest' that is a member of our research team.

It's easiest to test permissions using two browsers on the same computer. When testing user/group settings, here are a few things to try:

  • Do the navigation, news or events portlets show any items the user shouldn't be able to see?
  • Search for an item that should be hidden from a particular user's view.  Does it appear in live search?  Try an advanced search for the same item.
  • Check the Preferences tab. Does the user have access to any control panels (such as User and Group Configuration) that should be off-limits?

Creative Commons License
This work is licensed under a
Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.

