In my previous two posts I described the reasoning behind privileges and then gave more detail and background on each privilege and how they behave. In this post, I'll share some of our personas how you might assign them certain privileges.
Sam fills the role of a system administrator and is responsible for maintaining technical aspects of the system. He should be able to make any changes within the CMS including system settings, content, and pages.
In previous versions (SDL Web 8 and before) of Tridion, he would have the System Administration checkbox set. Now he and others administrators belong to the System Administrator group which has the System Administration privilege set.
In an upgrade, admins will be automatically migrated to this new arrangement.
Though you could technically create additional system administrator groups, in practice I'd imagine most implementations will have just the default group for admins. You might create a separate group or inherit from this group for those that perform the admin role temporarily (e.g. developers or partners at the start of a project or on the DEV environment).
Oscar is an Application Manager and is responsible for configuring the system but should have select access to the the Publications, content, and pages. For example, he should be able to add a new Multimedia Type or modify the publishing queue, but only read permissions to the company's latest Press Release components.
In this setup he belongs to a new Applicaiton Manager Group that has privilege management, approval status management, multimedia type management, and Publish Transaction Management.
You might choose to give the group read permissions in folders at the top of your BluePrint and adjust scope to select Publications.
As a Chief Content Editor, Elaine works regularly with several authors. She is responsible for making requests to IT to enable new users as well as set their group membership and scope. She would also request new Publications for campaign landing sites or new translated language or localized versions of existing webistes.
By having IT give her group the Group Management privilege, she can now manage groups and their members, including scope across the BluePrint. She cannot grant herself or others administrator access. In addition, through the Child Publication Creation privilege, she can use the Site Wizard to create new translation or campaign Publications .
If technically oriented, she could also Create Child Publications Manually in the Content Manager Explorer, outside of the Site Wizard. The settings are the same, but presented in a friendly step-by-step guide in the Wizard.
Alternatively, Oscar could instead have the Group Management privilege or perhaps Elaine would have Publish Transaction Management.
Finally, Anna belongs to the Author group which has its own scope, rights, and permission settings but no specific privileges as seen below.
You may want to let authors create child publications, but typically they wouldn't need to change privileges, maintain system lists, nor manage groups or privileges.
As with the authorization settings, I would take a gradual implementation based on one of a few approaches:
Note: when we talk about giving privileges and group membership, remember that this is by first having a group with the privileges and then adding that group as a parent to other groups or users. Read about these settings in my post on the difference between Tridion designs and settings.
These are just examples based on my own experience and understanding of Tridion projects and customers. Much thanks to our Cloud, R&D, and QA teams for implementing both the desired functionality as well as an extendable framework we (and our community) could build on. And thanks to the docs team for explaining everything in time for the cloud release (and guidance on the best ways to describe the feature in the UI).
We'd love to hear how implementers and customers are applying this feature in practice as well as what other privileges would make it easier for your teams to go global faster. First get familiar with the latest authorization changes and then consider leaving adding an idea to SDL Web Ideas.
Update (2016-12-19): I made a video demonstrating the Group Management Privilege.