Permissions for Document Types

Dat Nguyen asked on October 30, 2014 17:05

Using Kentico 8 Permissions Application, I am unable to make permissions for document types work as I expected. For instance, I have a Consultant role that should not be able to Modify the Blog. So I allowed the Consultant to have only the following permissions for Blog document type: Read, Browse Tree. However, when I test the Consultant role, I am still able to Modify fields of the Blog and Create documents under the Blog. The Delete function does not work as expected because that permission was not granted. Please let me know if this is a bug or if I am required to use page-level permissions to prevent that role from modifying. If I have to use page-level permissions to deny Modify, this is not ideal because I would need to use page-level permissions to break inheritance for all blog posts that lives under the Blog.

Recent Answers

Bill Tran answered on October 31, 2014 20:51

Make sure you selected the correct site (not global) and then see if the permissions are correct.

For the page level permissions, you always structure it in such a way to allow the blog post to inherit from the parent so that you don't have to set the permissions on the individual blogs.

0 votesVote for this answer Mark as a Correct answer

Dat Nguyen answered on November 1, 2014 16:20

Yes, the permissions were chosen for the individual site, and I use the "Report for User" field to make sure that the account that belongs to the Consultant role has only the "Read" and "Browse Tree" permissions for the Blog document type. However, the user account can still "Create" and "Modify" that document type even though I did not give it the permission to do so. Keep in mind that I also left "Delete" unchecked, and I was not unable to delete the Blog with that role, as expected. As a test, I checked "Delete", and I was able to delete the Blog, as expected. So I can say with some confidence that the "Modify" permission for document-type does not seem to be working.

I forgot to mention that the role must be allowed to modify Blog Posts, which is why I cannot set the page-level permissions to Deny Modify on the Blog -- all Blog Posts under this Blog will inherit Deny Modify. That means I would have to go through every Blog Month/Post and break inheritance. That is why I am trying to get the document type-level permissions to work the way I expected them to, and avoid page-level permissions altogether. I also do not have the luxury of moving Blog Posts to another location in the Tree in order to avoid inheriting from Blog.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.