The system recognizes the following permissions:
| • | User is a global administrator - she is authorized for all operations and her access cannot be denied or otherwise limited. The global administrators are the only persons who can use the Site Manager user interface. |
| • | User is an editor – she can access the CMS Desk interface. This attribute doesn’t implicate any particular permissions. This attribute differentiates the site editors and “registered users” who only access the front-end web site and secured site areas. |
| • | Roles have permissions for chosen modules – role members can take specified actions in specified modules. These permissions are set in the Site Manager -> Administration -> Permissions section, in the appropriate permission matrix. You can find more details on permissions in the documentation of appropriate modules. |
| • | Roles have global permissions for all content - these permissions can be set in the Site Manager -> Administration -> Permissions section, in the permission matrix called Module: CMS Content. Here you can set the following permissions: |
| • | Read - read all documents |
| • | Create - create any document |
| • | Modify - modify any document |
| • | Delete - delete any document |
| • | Destroy - destroy any document (delete without undo option) |
| • | Browse tree - browse content tree |
| • | Modify permissions - manage local permissions of any document |
| • | Manage workflow - approve/reject any document at any workflow step |
| • | Check in any document - authorizes user to perform the Check in or Undo checkout actions on the Properties -> Versions tab of a document |
| • | Design web site - this permissions allows user to edit page templates on the Design tab. Please note: although the user can make the changes only for his web site, the changes may affect other web sites if he modifies a page template shared among multiple web sites. |
| • | Roles have global permissions for particular document type – role members can take specified actions with particular types of documents. These permissions can be set in the Administration -> Permissions section, in the appropriate permission matrix prefixed with "Document type:". |
| • | Read - read all documents of this type |
| • | Create - create documents of this type |
| • | Modify - modify all documents of this type |
| • | Delete - delete all documents of this type |
| • | Destroy - destroy all documents of this type |
| • | Browse tree - display child documents of all documents of this type |
| • | Modify permissions - manage local permissions of all documents of this type |
| • | Users or roles have local permissions for particular content tree section or particular document. These permissions are combined with global permissions for all content and global permissions for document types. If some permission is “denied” in the local permissions, the “deny” attribute overrides both local and global permissions. Local permissions are described in detail in the following paragraph. |
Managing local document permissions
You can manage local permissions (i.e. permissions for particular site section or particular document) in CMS Desk -> Content -> select some document in the content tree -> click Properties -> choose the Security tab.
Setting the permissions
Select the appropriate user or role in the left box. If the user or role is not available in the box, you may need to add them using the Add button on the right. Now you can choose if the permissions should be "allowed" or "denied". You can configure the following permissions:
| • | Full control - perform all operations with document |
| • | Read - read document content |
| • | Modify - modify document content, check-in, check-out |
| • | Create - create new documents under this document |
| • | Delete - delete this document |
| • | Destroy - destroy this document (without undo option) |
| • | Browse tree - unfold the current document and see its child documents |
| • | Modify permissions - change document permissions |
Permission inheritance
You will typically need to set up permissions for site sections, rather than for particular documents. In this case, you grant users with permission for the main section document, such as /products and these permissions are inherited to all child documents.
Example
Consider the site structure like this:
| • | Root |
| • | Home |
| • | News |
| • | Products |
| • | Category 1 |
| • | Category 2 |
You may want to grant users with following permissions:
JohnS |
Marketing manager John can manage all content. |
Grant user with Full control permission on the root or grant some of this user's roles with permissions for the CMS Content module. |
MarkJ |
Product manager Mark can manage only the documents in the /Products section. |
Grant user with Browse tree permission on the root so that he can browse to the Products section.
Grant user with Read, Modify, Create, Delete, Destroy and Browse tree permission on the /Products document. These permissions are inherited down to the child documents under the /Products section.
Please note that if you click on the /Products/Category 1 document, the Browse tree permission is grayed and disabled. It means this permission is inherited and cannot be removed - you can only deny the permission (unless you break inheritance - see below). |
AliceM |
Copy writer Alice can modify the copy of all documents, but Mark prefers to manage the copy of the /Products section by himself only. |
Grant user with Read, Modify, Create, Delete and Browse tree permission on the root.
Go to the /Products document and deny the Modify, Create, Delete permission for the user so that Alice cannot modify the copy in the /Products section. |
Please note: It's recommended that you configure local permissions for roles and then only assign users to the appropriate roles. In this example, you would first create roles "Marketing manager", "Product manager" and "Copy writer" and then configure their permissions.
Breaking the inheritance
In case you need to break the permission inheritance and configure different permissions for some site section, you need to click Change permission inheritance... link in the Security dialog and choose one of the following options:
| • | Break inheritance and copy parent permissions - breaks inheritance and the permissions of the selected document are set to a copy of the original permissions. |
| • | Break inheritance and remove parent permissions - breaks inheritance and the permissions of the selected document are cleared. |
Restoring the inheritance
If you decide to inherit the permissions from the parent again, click the Change permission inheritance... link in the Security dialog and then clickRestore inheritance to parent document permissions.
Multiple Sites and Security
The user accounts can be shared over several web sites that are served by a single installation of Kentico CMS. You can specify which web sites an editor can edit. This applies only to the CMS Desk access. The logons to live web site (to the member sections) are not affected by assigned web sites.
Every web site has its own set of roles (there are no shared or global roles). The global permissions are assigned to these roles, which means every web site can use a different configuration of role permissions.