[Product Post] Assigning Roles and Permissions with Security in Mind


March 31, 2017


Vanilla takes security very seriously and does everything it can to make sure bad guys don’t gain any sort of unauthorized access. As a Vanilla administrator, there are some security best practices that you can apply as well.

Vanilla’s role-based permissions give you a high degree of control over what your community members can and cannot do. You might set some permissions to meet a business objective; for example, you could use permissions to prevent non-paying customers from posting under certain categories. Roles should also be used to restrict what users can do and keep your community secure.

A Few Scary Scenarios

Here’s a real and scary scenario that could happen to your company.

A staff member tasked with moderation is given the Admin role. Unfortunately, that person has been using his work email and the same password all over the internet. One of those sites, [LinkedIn](https://motherboard.vice.com/en_us/article/another-day-another-hack-117-million-linkedin-emails-and-password), gets hacked, and that email/password combo is now in circulation.

The result? A hacker uses the employee’s login to gain admin access to the forum and can now add spam links, deface the UI or worse.

Here is another realistic scenario that could happen to your forum. What if a staff member goes rogue, or it’s suspected that someone has logged in with stolen credentials? To gain some insight into any unauthorized access, Vanilla provides you with a change log that tracks all moderator edits and deletes.

On certain plans, Vanilla offers detailed application logging that records every user’s interaction with the product.

Assigning Permissions to Prevent Security Holes

Here are the best practices for assigning permissions to Roles in Vanilla:

Admin

  • What it allows: Full permissions.
  • What it doesn’t allow: None.
  • Key permissions: Roles & Permissions > Garden > Settings > Manage
  • Who should get it: The fewest people possible.

Community Manager

  • What it allows: Making some admin changes, such as editing categories.
  • What it doesn’t allow: Creating new roles, modifying the theme HTML, or enabling plugins.
  • Key permissions: Roles & Permissions > Garden > Community > Manage
  • Who should get it: Community Managers or Social Media Managers.

Note: This is not a default Role in Vanilla; you must create it. Use the Moderator role as a template and add the Moderation and Staff permissions.

Moderator

  • What it allows: Use of moderation functionality and access to the moderation queue.
  • What it doesn’t allow: Making modifications to the account.
  • Key permissions: Roles & Permissions > Garden > Moderation > Manage
  • Who should get it: Junior members of the community management team or volunteer moderators.

Be aware that using unpaid moderators requires a high degree of trust. In many forums, these arrangements develop over time and are informal. Volunteers are not bound by employment agreements, so there are fewer legal protections to back up the protections obtained from software permissions.

Here are more tips on moderation and also a post on how to recruit volunteer moderators. If you’d like to read more on our security protocols, read our doc below:

Vanilla’s security doc:


Written by Luc Vezina
