Policies
Access Policies and Policy Templates aren't really all that complicated. They are just lists of permissions, the things you want your users to be able to do. Access Policies are assigned to User Groups, and the Users assigned to that User Group will only have the permissions allowed by the Access Policy.
A Policy Template contains the permissions you want to address with Policies. The Administrator Policy Template contains all of the permissions provided by the core MODX installation. Add-ons may require their own permissions, and so would require a customized Policy Template.
A Policy has all of the permissions allowed by the Policy Template it is assigned. Each permission will have a checkbox, so you can choose which of these permissions to activate. It is possible to simply use copies of the Administrator Policy and clear the checkboxes of permissions that you do NOT want the members of a User Group to have.
Roles provide further fine-grained control of the Access Policies and permissions of individual users within a group. Roles are seldom needed. It is almost always possible to simply create different User Groups for different sets of permissions, and certainly is easier to keep track of who can do what. The primary purpose of Roles was to allow for sub-groups in the case of large organizations. For example Managers, Personnel Managers and Editors could all belong to the same User Group, perhaps a region or office group, but each have different Roles and thus different permissions. Managers would have full access, Personnel Managers would only have access to User Management functions and internal company policy document Resources, while Editors would only have access to the Resources they are supposed to be editing, and perhaps File access to be able to manage images and files to be linked to in the Resources.
Personally I just give everybody and everything Role 0 (Super User) and otherwise forget about Roles.
A trick for determining exactly what permissions are required for any given User Group purpose is to use a copy of the Administrator Access Policy. Then you can start un-checking things you know the user doesn't need, testing from time to time to make sure you haven't cleared some globally necessary permission. Once you have the Access Policy worked out, either continue using it as it is, or create a copy of the Administrator Policy Template, remove the unused permissions, then use your new Policy Template for a new Access Policy.
Susan Ottwell
May 2017