Hi @emiller ,

The best way to manage this is via custom roles. You can read more about this here:

And more about how to set up custom roles here:

Once you have a custom role set up for your colleagues that do not have approval to post on the community you can restrict their ability to post in a Community category by following this guide:

Oliver’s reply is correct / the best for “how to” restrict, but adding some context: 

There’s not a holistic “read-only” setting for the entire community, nor a way you can apply permissions for a Custom role across each part of the platform. So you’ll need to do this for each Platform area where there are posting/replying permissions:

• Community - for every single category
• Knowledge Base
• Product Updates
• Ideas

Groups don’t have permissions, so this is a gap in your ability to restrict posting/replying, so hopefully the restrictions elsewhere (and your guidance) can cover it. 

Thanks for the info @olimarrio and @DannyPancratz but I’m still not sure if there is a reasonable way to accomplish this.  As I understand it, permissions are additive between primary and custom roles, and primary roles are fixed - they cannot be edited and you cannot create any new ones. So if an employee has the primary role of “Registered User” (the main role assigned to nearly all community members) and the custom role “Employee,” I would not be able to revoke posting permissions using the custom role unless I also revoked that permission for the primary role which would then impact all other community members.  I assume I would then have to create another custom role (for all non-employee members), assign it to everyone else (many thousands of members) and grant that custom role posting permissions.  Did I get that right? 

@emiller 

I have also been thinking about this this week. 

The issue I have is we will have Employees who contribute, and those who do not, i.e. View only.

As you rightly say, permission are cumulative starting with Primary Roles.

The solution I have come up with is thus.

Primary Role	Custom Role
Registered User	Employee - Contributor	This custom role serves only for Reporting and analytics
Unregistered / not logged in	Employee - Viewer	The primary role serves no purpose and the custom role can be created to be made as view only.

This requires assigning to NON contributing employees the unregistered Primary role.

@emiller good catch. This is correct: 

permissions are additive between primary and custom roles, and primary roles are fixed - they cannot be edited and you cannot create any new ones. So if an employee has the primary role of “Registered User” (the main role assigned to nearly all community members) and the custom role “Employee,” I would not be able to revoke posting permissions using the custom role unless I also revoked that permission for the primary role which would then impact all other community members.  I assume I would then have to create another custom role (for all non-employee members), assign it to everyone else (many thousands of members) and grant that custom role posting permissions.  

@Alistair FIeld’s solution would work. 

My community pushes a custom role for each type of user (Customer / Partner / Employee) via an automation based on their Salesforce contact. 

Depending on what roles you’d want, I’d recommend doing something like that. Having the custom roles not only allows you to set permissions the way you want, but helps with quick analytics and metrics you’ll like be asked. The analytics dashboards are filterable by custom roles, so taking the time to set up for permissions will provide an ROI when someone asks you for role-based metrics. 

I’m currently doing this using a Zapier to send new posts to a slack channel. I then invited all the product teams to that Slack channel so they could monitor the incoming questions.

@juan.delrio what you can do is encourage the team to set keyword notifications in Slack. i.e. if a specific term is used within the slack workspace you get notified.

 https://slack.com/help/articles/201355156-Configure-your-Slack-notifications#keyword-notifications

I have used it with great success with Account names (when I was a CSM I could see any discussions around MY accounts) and for Community Topics pushed to slack, I could quickly find pieces I am interested or well versed in.

I used key words on slack so I can find any conversations where they are whispering  about the community!  It’s a handy tool!

@Alistair FIeld @DannyPancratz I don’t think I can use the unregistered/not logged in role.  Our community is private and everyone needs to authenticate via SSO and thus be a registered and logged in to see anything. 

I will look into pushing notifications into Slack - that looks interesting, though it would address different workflows/use cases than the one I originally posted about here.

@emiller then I would suggest not doing the unregistered solution and instead automating your CRM to assign a custom role for the account type for everyone when they sign up). 

Or the very simplest solution. Backfill all the existing users with a custom role: staff or not-staff. 

Then build an automation via Zapier or another tool based on the new-user is created webhook event. 

After everyone has a custom role (and you know net-new users will have one too), you can set permissions for posting based on if they have that or not. 

1. New user signs up
2. Filter by domain
3. If contains your domain, assign employee role
   If not, assign non-employee role 

That + a backfill of the existing accounts using the bulk action for adding a custom role, should get you to where you need. 

@emiller 

When a user first logs in / registers, sure, they will receive the Registered User role.

But that does not mean they keep it forever.

You can change it and the role will not be “reset” to Registered User on the next log in.