ExpressionEngine User Management: Roles and Permissions | OpsBlu Docs

ExpressionEngine User Management: Roles and Permissions

Manage user roles, permissions, and team access in ExpressionEngine — step-by-step admin guide.

This section covers user management, roles, and permissions for ExpressionEngine and associated analytics tools.

Overview

ExpressionEngine (EE) is a flexible and powerful content management system that features a comprehensive user management system built around member groups and granular permission controls. The platform distinguishes between control panel users (who manage the system) and members (frontend users), with extensive customization options for both.

ExpressionEngine's permission system is known for its granularity, allowing administrators to control access at the module level, channel level, and even individual entry level. This fine-grained control makes it suitable for complex organizational structures and multi-site installations.

Platform User Management

User Roles and Member Groups

ExpressionEngine uses member groups to define user roles and permissions:

Super Admin

  • Complete access to all ExpressionEngine features and settings
  • Can create, modify, and delete all users and member groups
  • Access to system configuration and utilities
  • Can manage add-ons, templates, and channels
  • Access to database operations
  • Bypass all permission restrictions
  • Cannot be deleted or have permissions modified

Administrator Group

  • Access to most control panel features
  • Can manage content across all channels
  • User management capabilities (non-Super Admin users)
  • Template and design management
  • Add-on configuration
  • Cannot access certain system-level settings
  • Cannot modify Super Admin accounts

Editor/Publisher Group

  • Can create, edit, and publish content
  • Access to assigned channels
  • Upload and manage files
  • Edit own and others' entries (configurable)
  • May have approval workflow requirements
  • Limited or no access to system settings

Author/Contributor Group

  • Can create and edit own content
  • Content may require approval before publishing
  • Limited channel access
  • Restricted file upload capabilities
  • Cannot edit others' entries
  • No access to system configuration

Member Group (Frontend)

  • Frontend website access only
  • Cannot access control panel
  • Used for membership sites and protected content
  • Can have custom fields and permissions
  • Supports private messaging and forums

Custom Member Groups

ExpressionEngine allows unlimited custom member groups with specific permission combinations tailored to organizational needs.

Accessing User Management

Control Panel Access

  1. Log in to the ExpressionEngine control panel
  2. Navigate to Members in the main menu
  3. Access different sections:
    • Members: View and manage individual member accounts
    • Member Groups: Configure groups and permissions
    • Member Fields: Customize member profile fields
    • Pending Activations: Approve new member registrations

Alternative navigation:

  • Click Settings then Members for global member settings
  • Use Developer > Channels to configure channel-specific permissions

Member Management Interface

The interface provides:

  • Member Search: Filter by username, email, group, join date
  • Bulk Operations: Ban, delete, or change groups for multiple users
  • Quick Stats: View total members, recent registrations, banned users
  • Group Overview: See member distribution across groups
  • Activity Logs: Track member actions and logins

Adding and Inviting Users

Creating Control Panel Users

  1. Navigate to Members in the control panel
  2. Click New or Create New Member
  3. Fill in required fields:
    • Username (unique, alphanumeric with limited special characters)
    • Screen name (display name)
    • Email address (unique)
    • Password (must meet complexity requirements)
  4. Select Member Group:
    • Choose appropriate group for user's role
    • User inherits all group permissions
  5. Configure additional settings:
    • CP homepage preference
    • Quick links
    • Language preference
    • Timezone
  6. Set Member Profile fields if applicable
  7. Check Include in multi author lists if needed
  8. Click Save Member to create the account

Member Registration Settings

Configure registration options in Settings > Members:

  • Allow Member Registration: Enable/disable public signups
  • Require Email Activation: Users must verify email
  • Require Admin Activation: Admin approval required
  • Moderate New Members: Manual activation by admin
  • Default Member Group: Group for new registrations
  • Member Profile Fields: Required fields for registration

Frontend Member Registration

For public member registration:

  1. Enable registration in member settings
  2. Configure default member group (typically limited permissions)
  3. Set up registration form using member module tags
  4. Configure email templates for activation
  5. Set up approval workflow if required
  6. Test registration process thoroughly

User Invitation Workflow

EE doesn't have a built-in invitation system, but you can approximate one:

  1. Create member account with temporary password
  2. Set account to require password change on login
  3. Send credentials through secure communication
  4. User receives login details and must change password
  5. Consider using add-ons for automated invitation emails

Role Assignment and Management

Assigning Member Groups

  1. Navigate to Members in control panel
  2. Find and click on the user to edit
  3. In the member edit screen, locate Member Group
  4. Select the appropriate group from dropdown
  5. Note: Users can only belong to one primary group
  6. For multiple group functionality, use add-ons like "User" by EEHarbor
  7. Save changes

Managing Member Group Permissions

  1. Navigate to Members > Member Groups
  2. Select the group to configure
  3. Review and configure permissions across categories:

Control Panel Access

  • Access control panel: Yes/No
  • CP homepage selection
  • Control panel theme preference

Channel Permissions

For each channel, configure:

  • Create entries
  • Edit own entries
  • Edit others' entries
  • Delete own entries
  • Delete others' entries
  • Assign entry authors
  • View others' entries

Module Access Permissions

  • Design & Content: Templates, channels, categories
  • Members: View and manage members
  • Add-Ons: Access to installed add-ons
  • Utilities: System utilities access
  • Logs: View system logs

Upload Directories

For each upload directory:

  • Upload files
  • Edit files
  • Delete files
  • Upload file size limits

Template Group Access

  • View and edit template groups
  • Delete templates
  • Upload design files

Additional Permissions

  • Access administrative functions
  • Access utilities
  • Access data
  • Access members
  • Delete self
  • Change primary address
  4. Configure Publishing Settings:

    • Maximum entries allowed
    • Entry flood control (time between posts)
    • Comment posting permissions
    • Search and profile access
  5. Save group configuration

Channel-Specific Permissions

For granular channel control:

  1. Go to Developer > Channels
  2. Select the channel to configure
  3. Navigate to Settings tab
  4. Configure Channel Permissions for each member group
  5. Set specific create, edit, and delete permissions
  6. Define entry statuses available to each group
  7. Configure category access permissions

Security Recommendations

Authentication Security

  1. Password Policy

    • Enforce minimum password length (12+ characters recommended)
    • Require password complexity
    • Configure password expiration settings
    • Prevent password reuse using password history
    • Use secure password hashing (default in modern EE versions)
  2. Session Security

  3. Multi-Factor Authentication

    • Install MFA add-on for ExpressionEngine
    • Require MFA for Super Admin and Administrator groups
    • Provide backup authentication methods
    • Document MFA recovery procedures
  4. Login Protection

    • Enable account lockout after failed attempts
    • Configure lockout duration
    • Set lockout threshold (3-5 attempts recommended)
    • Monitor failed login attempts
    • Use CAPTCHA for login forms

Access Control Best Practices

  1. Super Admin Management

    • Limit Super Admin accounts to 1-2 trusted individuals
    • Use separate admin accounts for daily tasks
    • Never share Super Admin credentials
    • Regularly audit Super Admin access logs
    • Document Super Admin account owners
  2. Control Panel Security

    • Use custom control panel URL (not /admin or /system)
    • Implement IP whitelisting for sensitive accounts
    • Configure .htaccess password protection as additional layer
    • Enable SSL/HTTPS for all control panel access
    • Use VPN for remote administration
  3. Member Account Security

    • Require email verification for new accounts
    • Implement admin approval for sensitive sites
    • Use CAPTCHA to prevent bot registrations
    • Monitor for suspicious registration patterns
    • Regularly clean up inactive accounts
  4. File Upload Security

    • Restrict upload directories by member group
    • Enforce file type restrictions
    • Set maximum file size limits
    • Store uploads outside web root when possible
    • Scan uploads for malware if handling user files

Monitoring and Auditing

  1. Activity Logging

    • Enable control panel access logging
    • Monitor member actions in Tools > Logs > CP Access
    • Review developer logs regularly
    • Track content changes and deletions
    • Set up alerts for suspicious activity
  2. Regular Audits

    • Review member accounts quarterly
    • Verify member group assignments
    • Check for unused or orphaned accounts
    • Audit Super Admin access
    • Document audit findings

Common Issues and Solutions

Users Cannot Access Control Panel

Symptoms: Valid credentials rejected or blank page after login

Solutions:

  • Verify member group has "Can access control panel" enabled
  • Check member account is not banned or pending activation
  • Confirm password hasn't expired (if using expiration)
  • Clear browser cookies and cache
  • Check .htaccess for blocking rules
  • Verify database connection is functioning
  • Review error logs in Tools > Logs > Developer
  • Ensure CP URL is correct
  • Check for conflicting add-ons

Missing Permissions or Channels

Symptoms: Users cannot see or edit expected content

Solutions:

  • Verify member group permissions for specific channels
  • Check channel assignment settings
  • Confirm user is in correct member group
  • Review module access permissions
  • Check template group access settings
  • Clear ExpressionEngine cache
  • Verify upload directory permissions
  • Check for custom field access restrictions

Password Reset Not Working

Symptoms: Password reset emails not received or links don't work

Solutions:

  • Verify email configuration in Settings > Outgoing Email
  • Check spam/junk folders
  • Test email sending with "Test Email Settings"
  • Verify member email address is correct
  • Check email template hasn't been customized incorrectly
  • Review server mail logs
  • Manually reset password from control panel
  • Check for email delivery issues on server

Group Permission Conflicts

Symptoms: Users have unexpected permissions or restrictions

Solutions:

  • Remember: users can only be in one primary group (without add-ons)
  • Review the specific member group permissions
  • Check channel-level permission overrides
  • Verify no conflicting add-on permissions
  • Test with a new test user in same group
  • Check for inherited permissions from custom code
  • Review member profile for any special overrides

Session Timeout Issues

Symptoms: Users frequently logged out or session expired errors

Solutions:

  • Increase session timeout in Settings > Security & Privacy
  • Verify session cookies are being accepted
  • Check for clock synchronization issues
  • Ensure consistent HTTPS usage (not mixing HTTP/HTTPS)
  • Review cookie domain settings
  • Check for aggressive caching plugins
  • Verify server session storage is functioning

Analytics Tool Access

Google Analytics 4

Manage GA4 access in Admin > Account/Property Access Management:

  • Administrator: Full control over account and all properties
  • Editor: Can modify configurations and create/edit reports
  • Analyst: Can create reports and configure shared assets, no config changes
  • Viewer: Read-only access to reports and data

Best practices for GA4 access:

  • Assign Viewer role by default for content editors
  • Grant Editor access to marketing team members
  • Limit Administrator access to 2-3 trusted individuals
  • Use Google Groups for team-based access management
  • Regularly review and audit user access quarterly
  • Link GA4 properly with ExpressionEngine using GTM or direct integration

Google Tag Manager

Manage GTM access in Admin > User Management:

  • Administrator: Full control over container and user management
  • Publish: Can publish container changes to production
  • Approve: Can approve changes but not publish
  • Edit: Can edit tags, triggers, and variables but not approve/publish
  • Read: View-only access to container configuration

GTM access workflow:

  • Use Read access for stakeholders and content editors
  • Grant Edit access to developers and marketers
  • Limit Approve access to team leads or senior marketers
  • Restrict Publish to 2-3 senior team members
  • Implement container versioning and testing procedures
  • Integrate GTM in EE templates in header/footer

Meta Business Manager

Manage access in Business Settings > People:

  • Admin: Full control over Business Manager and all assets
  • Employee: Limited access based on assigned assets and roles

Additional Meta pixel and conversion API considerations:

  • Assign asset-specific roles rather than full admin access
  • Use partner access for agency relationships
  • Regularly audit connected accounts and integrations
  • Remove access for former employees immediately
  • Document all third-party access grants
  • Implement Meta pixel through GTM or template includes

Best Practices

User Management Strategy

  1. Principle of Least Privilege: Grant minimum required access

    • Start new users with minimal permissions
    • Add permissions incrementally based on need
    • Use member groups rather than individual customization
    • Regularly review and reduce unnecessary permissions
    • Document reasons for elevated access
  2. Regular Access Audits: Review access quarterly

    • Identify and disable inactive accounts (90+ days)
    • Verify member group assignments are current
    • Confirm permission levels match job roles
    • Document audit findings and actions taken
    • Check for orphaned or duplicate accounts
    • Review Super Admin access specifically
  3. Separate Accounts: Don't share login credentials

    • Create individual accounts for each team member
    • Avoid generic "admin" or "webmaster" accounts
    • Use service accounts for automated processes
    • Maintain clear accountability for actions
    • Track who made what changes via logs
    • Enforce individual password requirements
  4. Document Access: Maintain a record of who has access

    • Keep spreadsheet of all member accounts and groups
    • Document purpose for elevated permissions
    • Track when access was granted and by whom
    • Include contact information for each user
    • Note access expiration dates where applicable
    • Maintain offboarding checklist
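
The quarterly audit described above and under Security Recommendations can be partly automated against the member spreadsheet. The following is an added example, not ExpressionEngine or OpsBlu code: it flags accounts inactive for 90+ days, generic account names, and more than two Super Admins. The CSV layout, column names, and sample rows are constructed assumptions, not an ExpressionEngine export format.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are assumptions, not an
# ExpressionEngine format. last_visit is ISO 8601 UTC; blank means never.
SAMPLE_EXPORT = """username,member_group,last_visit,banned
jdoe,Super Admin,2024-05-28T09:14:00+00:00,n
admin,Super Admin,2024-05-30T17:02:00+00:00,n
msmith,Super Admin,2023-11-02T08:00:00+00:00,n
editor_ana,Editors,2024-05-29T11:45:00+00:00,n
contrib_lee,Authors,2024-01-15T10:00:00+00:00,n
old_vendor,Administrators,,n
spam_bot,Members,2024-05-01T00:00:00+00:00,y
"""

MAX_SUPER_ADMINS = 2                    # guide: limit to 1-2 individuals
INACTIVE_AFTER = timedelta(days=90)     # guide: inactive accounts (90+ days)
GENERIC_NAMES = {"admin", "webmaster"}  # guide: avoid generic accounts


def audit_members(export_text, now):
    """Return audit findings for one member export as a dict of lists."""
    findings = {"inactive": [], "generic": [], "super_admins": [],
                "too_many_super_admins": False}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["banned"].strip().lower() == "y":
            continue  # already blocked from logging in; nothing to review
        name = row["username"].strip()
        if row["member_group"].strip() == "Super Admin":
            findings["super_admins"].append(name)
        if name.lower() in GENERIC_NAMES:
            findings["generic"].append(name)
        visit = row["last_visit"].strip()
        # An account that has never logged in is treated as inactive.
        if not visit or now - datetime.fromisoformat(visit) >= INACTIVE_AFTER:
            findings["inactive"].append(name)
    findings["too_many_super_admins"] = (
        len(findings["super_admins"]) > MAX_SUPER_ADMINS)
    return findings


if __name__ == "__main__":
    report = audit_members(SAMPLE_EXPORT,
                           datetime(2024, 6, 1, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Each flagged account is a prompt for manual review in the Members screen, not an automatic disable: a never-used account may simply be newly created.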

Member Group Design

  1. Standard Group Structure: Create consistent groups

    • Define groups by job function, not individuals
    • Limit total groups to manageable number (5-10 typical)
    • Document purpose and permissions of each group
    • Use clear, descriptive group names
    • Maintain a permission matrix spreadsheet
  2. Permission Planning

    • Map organizational roles to member groups
    • Plan channel access based on content responsibility
    • Design approval workflows for sensitive content
    • Test permissions before deploying
    • Document permission rationale

Onboarding New Team Members

  1. Identify appropriate member group for their role
  2. Create account with standard group assignment
  3. Provide ExpressionEngine training materials
  4. Configure CP homepage and quick links for efficiency
  5. Grant temporary elevated access for training if needed
  6. Set up their profile with correct contact information
  7. Schedule 30-day review to assess permission needs
  8. Adjust permissions based on actual usage patterns

Offboarding Departing Team Members

  1. Disable account immediately upon departure notification
  2. Transfer entry ownership to appropriate team member
  3. Review and reassign scheduled entries
  4. Change any shared passwords or API keys
  5. Remove from all external tool access (GA4, GTM, Meta)
  6. Document the access removal in audit logs
  7. Keep account disabled for 30-90 days before deletion
  8. Archive their work and content as needed
  9. Update documentation with new responsibilities

Multi-Site Management

For ExpressionEngine MSM (Multiple Site Manager):

  1. Plan site-specific permissions carefully
  2. Create site-specific member groups when needed
  3. Use member group assignment strategically across sites
  4. Test cross-site permissions thoroughly
  5. Document which groups have access to which sites
  6. Monitor cross-site activity

Content Workflow Management

  1. Approval Workflows

    • Use status groups for content approval
    • Assign "can edit others' entries" carefully
    • Implement review processes for high-visibility content
    • Use entry statuses to manage workflow stages
    • Document workflow procedures
  2. Version Control

    • Use entry versioning add-ons where needed
    • Implement regular backup schedules
    • Test restoration procedures
    • Document rollback processes
    • Train users on reverting changes
  3. Training and Documentation

    • Create role-specific training materials
    • Document common workflows and procedures
    • Provide quick reference guides for each group
    • Maintain updated documentation as system evolves
    • Create video tutorials for complex tasks

By implementing these user management practices, you can maintain a secure, efficient, and well-organized ExpressionEngine installation while ensuring appropriate access control for your team and analytics tools.