How to get All Registered Roles?

How to get All Registered Roles?

Please provide some context to your question.

in restapi you could get the @roles endpoint. Is this what you want?


The question is to get all users which has role Reviewer/any role

The information is perhaps available from the allowedUsersAndRoles index in portal_catalog. Usually, local role assignment are stored on a per-object basis and not globally. My zopyx.plone.cassandra might be helpful (not sure about compatibility with decent Plone versions).

1 Like

collective.exportimport · PyPI can export all users and groups with their respective roles. It also has a export for local roles in which you can see which users and groups have additional roles in a specific context.


Roles are either assigned globally (at portal level by acl_users) or locally or are granted indirectly via group membership.

If your acl_users supports the IUserEnumeration interface, you can use its searchUsers to obtain a user list, its getUserById allows you to obtain the corresponding user objects. Those user objects have the method allowed which allows you check whether a user has effective roles in the context of a given object.

The description shows that it is difficult to determine which users have a given role because the answer depends on an object context: you effectively ask "does this user have a given effective role at this object" and the answer may be different for different objects.


Roles are assigned either global or in a local context. They can be assigned direct or by group membership.

Global role assignment can be inspected by looking at [URL-to-PloneSiteRoot]/acl_users/portal_role_manager/manage_roles. For groups the group-control-panel shows its members. This is what collective.exportimport does in some way (it excludes the group roles here).

Additional, getting all local role assignments is tricky, since potentially every content object may have different roles assigned, blocked and so on. This can be done by traversing all objects and and inspecting the __ac_local_roles__ attribute which is a mapping of user name to list of roles like: {'admin': ['Owner']}. Now you can iterate here and extract all users and groups with the Reviewer roles (and lookup the groups and its users). All this may take a while on larger databases.

But, above couldn't be enough, given your site uses some custom adapter based local role lookup. We have a PAS-plugin in use in Plone called borg.localrole. It is the most under-documented part of Plone (or at least in hi ranks there). It uses an adapter lookup

roleprovider = borg.localrole.interfaces.ILocalRoleProvider(context)
roles = roleprovider.getRoles()

which by default returns the same as


would do (and do not ask me why items)

Anyway, with this feature one can override the default adapter globally or for a specific type or behavior (or whatever you can think of), return something different (like roles based on moon-phase) and the borg.localrole PAS-plugin uses whatever the adapter returns which gets attached to the user and is valid.

<irony> Cool, shit :wink: ?</irony>

Hope that helps more than it confuses.

1 Like

Just to be sure you dont mix up things (like groups vs roles):

  • What do you need this for ? Is it for a view or something else ?