norashlea - 7/22/2006 7:17:00 AM
Permissions-Matrix Jungle!!!
I need some URGENT help with implementing user/group-style permission on a site. I'm hoping someone will be monitoring the forum over the weekend, because I need to have this implemented by Monday, and I've been fiddling for a whole day with just about every combination of groups/users/permissions, and so far I can't get it to work properly. It's a fairly common security matrix, so I'm sure it's simple and I'm just missing something important.
I'm using Workflow, and there are various users who are to be given read/write access to specific sections of the site. (Everyone should be able to read and unfold the tree, but only Admins or the Section Editor should be able to edit content of specific sections)
I have a group created called "Site Editor", which has Read and Unfold permission only on CMS Content.
The site has various sections, which are to have specific "Site Editors". These site editors should have the additional permissions of Check in any Document, Create, Delete and Modify, BUT, they should have these permissions ONLY for the section of the site that they are granted permission for. So I created the following groups, and set permission for CMS Content in the Permissions matrix:
1. "Site Editor" -- Read, Unfold
2. "Training Editor" -- Check in any Document, Create, Delete, Modify
Then I created two users:
i) "trainingtest" -- assigned to the groups Site Editors and Training Editor
ii) "othertest" -- assigned to only the group Site Editors
Then on the Content tab, at the Root level, I set Page Permissions as follows:
======================================================================
A.
Site Editors group -- Allow=Read,Unfold; Deny=everything else
Added Training Editor group -- Deny=all (trainingtest user should get Read/Unfold permission from membership of the Site Editors group)
Deny overrides Allow, therefore logging in as "trainingtest" wasn't able to unfold tree
Modified Training Editor group - Allow=Read,Unfold; Deny=everything else
"trainingtest" can unfold all leaves of the tree
======================================================================
B. The Home page (and section under Home) inherits permissions from parent, and I didn't modify this at all (therefore, all permissions as above)
======================================================================
C. Training section -- this is the only section that the "trainingtest" user should have access to check a document out and edit. On this section I set permissions as:
Site Editors group -- Allow=Read,Unfold tree; Deny=everything else (inherited from Root)
Training Editor Group -- Allow=Read,Modify,Create,Delete,Unfold; Deny=everything else
======================================================================
BUT .....
The user "trainingtest" can check out, edit, and save/check in a document at ANY LEAF OF THE TREE!!!! I've tried every combination of permissions I can come up with, and it seems I've only got an all-or-nothing scenario -- trainingtest has write access to everything or nothing at all!!!
The global permission set for CMS Content in Permissions seems to be overriding the local page permission, which is to DENY write access to the Training Editor group for anything other than the Training section.
URGENT PLEASE -- how can I implement this??
Thanks, Sharon.

norashlea - 7/23/2006 6:04:21 AM
Re: Permissions-Matrix Jungle!!!
Update ...
I've got it working the way it is supposed to (i.e., everyone has read access to everything, but only "trainingtest" has full editing access to the specific section), but I'm not sure whether I've implemented it the best way.
What I had been trying to do was have an "Editors" group, and then allow full editing to this group for the specific section of the site only.
I removed all the permissions except Read and Unfold tree to CMS Content for the Editors group, and included the Editors group at the site root level, specifically denying all access except Read and Unfold tree. Then, on the section to have access, I broke inheriting permissions from the root, deleted the Editors group, added a user who is a member of the Editors group, and enabled relevant permissions.
The user now has full access to the specific section of the site, and read-only access to everything else.
I tried using the Editor group at the section level, specifically allowing relevant permissions, but when I logged in as the user I could check out/in documents, but wasn't able to send the document for approval after check-in. The only way I could enable that was to add a specific user at the section level.
I'm sure I'm still missing something, though, because I thought that you would be able to specify permissions on a section for a whole Role (which is including all the members of the Role), rather than having to specify individual users.
Regards, Sharon.

admin - 7/24/2006 11:59:28 AM
Re: Permissions-Matrix Jungle!!!
Hi Sharon,
Yes, the global permissions ALWAYS override the local permissions. The local permissions can be assigned to users as well as to roles. Unfortunately, I'm not sure why this didn't work for you.
Best Regards,

norashlea - 7/24/2006 11:20:45 PM
Re: Permissions-Matrix Jungle!!!
Thanks Petr,
After a bit more fiddling, I've figured out what I had wrong.
There was a role that I had created during my experimentation that had global create/delete/modify permissions. I had previously deleted all these temporary experimental roles, but had missed this one. On top of that, my user was still a member of this role (in combination with being a member of the correct Editors role). Then at the page level, I had denied this role the modify/create/delete permission, but the global was overriding it.
As soon as I deleted the role, I was able to assign the page-level editing permissions to the relevant editor role rather than a specific user, and everything is hunky dory!
Still not sure why the user was able to check in/out but not send to the next step in the workflow, but I've got it sorted now.
Thanks,
Regards, Sharon.
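
The rule this thread arrives at, as an added example (a simplified model, not the CMS's own code and not from any poster): global role permissions are checked first and win, and deny overrides allow only among the page-level entries. The role name `leftover-role`, the three-node tree and all function names are assumptions made for the illustration.

```python
# Simplified model of the behaviour described in the thread (assumed, not the CMS's code).
EDIT = {"Create", "Delete", "Modify"}
GLOBAL = {  # role -> permissions granted in the global matrix for CMS Content
    "Site Editors": {"Read", "Unfold"},
    "Training Editor": set(),
    "leftover-role": set(EDIT),  # hypothetical name for the forgotten test role
}
MEMBERS = {  # user -> roles, as in the broken state described in the last post
    "trainingtest": {"Site Editors", "Training Editor", "leftover-role"},
    "othertest": {"Site Editors"},
}
# node -> (parent, acl); acl is {role: (allow, deny)}, or None to inherit
TREE = {
    "/": (None, {"Site Editors": ({"Read", "Unfold"}, EDIT),
                 "leftover-role": (set(), EDIT)}),
    "/Home": ("/", None),
    "/Training": ("/", {"Site Editors": ({"Read", "Unfold"}, set()),
                        "Training Editor": ({"Read", "Unfold"} | EDIT, set())}),
}

def local_acl(node):
    """Walk up the tree until a node with its own ACL is found."""
    parent, acl = TREE[node]
    return acl if acl is not None else local_acl(parent)

def global_grants(user, perm, members=MEMBERS):
    """Roles of `user` that hold `perm` in the global matrix."""
    return sorted(r for r in members[user] if perm in GLOBAL.get(r, ()))

def allowed(user, node, perm, members=MEMBERS):
    if global_grants(user, perm, members):
        return True  # global wins; the page-level deny is never consulted
    acl = local_acl(node)
    entries = [acl[r] for r in members[user] if r in acl]
    if any(perm in deny for _, deny in entries):
        return False  # among local entries, deny overrides allow
    return any(perm in allow for allow, _ in entries)

def audit(user, members=MEMBERS):
    """Edit permissions `user` holds site-wide, with the roles responsible."""
    found = {p: global_grants(user, p, members) for p in sorted(EDIT)}
    return {p: roles for p, roles in found.items() if roles}
```

Running `audit` for a user who can edit where a page-level deny says otherwise names the role whose global grant is responsible, which is the check that would have surfaced the forgotten role here.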