[Product Post] Assigning Roles and Permissions with Security in Mind
Vanilla takes security very seriously and does everything it can to make sure bad guys don’t gain any sort of unauthorized access. As a Vanilla administrator, there are some security best practices that you can apply as well.
Vanilla’s role-based permissions give you a high degree of control over what your community members can and cannot do. You might set some permissions to meet a business objective; for example, you could use permissions to prevent non-paying customers from posting under certain categories. Roles should also be used to restrict what users can do and keep your community secure.
A Few Scary Scenarios
Here’s a real and scary scenario that could happen to your company.
A staff member tasked with moderation is given the Admin role. Unfortunately that person has been using his work email and the same password all over the internet. One of those sites, [LinkedIn](https://motherboard.vice.com/en_us/article/another-day-another-hack-117-million-linkedin-emails-and-password) gets hacked and that email/password combo is now in circulation.
The result? A hacker uses the employee’s login to gain admin access to the forum and can now add spam links, deface the UI or worse.
Here’s another realistic scenario that could happen to your forum. What if a staff member goes rogue, or it’s suspected that someone has logged in with stolen credentials? To give you insight into any unauthorized activity, Vanilla provides access to a change log that tracks all moderator edits and deletes.
On certain plans, Vanilla also offers detailed application logging that records every user’s interaction with the product.
Assigning Permissions to Prevent Security Holes
Here’s the best practice for assigning permissions to Roles in Vanilla:
- What it allows: Full permissions
- What it doesn’t allow: None.
- Key permissions: Roles & Permissions > Garden > Settings > Manage
- Who should get it: The fewest people possible.

- What it allows: Making some admin changes such as editing categories.
- What it doesn’t allow: Creating new roles, modifying the theme HTML, enabling plugins
- Key permissions: Roles & Permissions > Garden > Community > Manage
- Who should get it: Community Managers or Social Media Managers
Note: This is not a default Role in Vanilla; you must create it. Use the Moderator role as a template and add the Moderation and Staff permissions.

- What it allows: Use of moderation functionality and access to the moderation queue.
- What it doesn’t allow: Making modifications to the account.
- Key permission: Roles & Permissions > Garden > Moderation > Manage
- Who should get it: Use this for junior members of the community management team or volunteer moderators.
Be aware that using unpaid moderators requires a high degree of trust. In many forums, these arrangements develop over time and are informal. Volunteers are not bound by employment agreements, so there are fewer legal protections to back up the protections obtained from software permissions.
Vanilla’s security doc: