The Control Panel Permissions widget allows you to control user permissions to a greater degree than when viewing a Control Panel role. For example, you can keep the pages module (which includes all page management widgets) assigned to the role, but take away privileges such as page deletion.

To manage permissions, open the widget then select the module to manage. You can only update the permissions of a single module at a time.

The permissions available for a module are listed on the left, while the roles are listed along the top. To represent the inheritance of roles a number is displayed beside each role. The following screenshot demonstrates this. In this example, Administrator has no roles inheriting from it, while Editor inherits from Author and Reviewer inherits from Editor.

Figure 10.3. Managing permissions

The very first permission in the list controls whether or not the role has access to the module. Its name is module:moduleName. Changing this permission is the same as selecting or de-selecting the module when viewing the role.

Every permission has a default setting, as well as a setting for each role. The role setting can be set to "inherit" (indicated by a blue funnel), "allow" (indicated by a green tick), "deny" (indicated by a red cross).

If the permission is set to inherit, whether or not a role has access to the permission is determined by the parent role. If the parent role is also inherited, then the grandparent is looked at (and so on).

If the role does not have a parent role, the default permission is used (this is the reason the default setting does not have an inherit option).

To change a permission setting, click on the relevant icon. The permission will be saved immediately.