Forums (Obsolete)

Member

LeRoy - 7/11/2011 6:07:51 PM

Managing page permissions

On my site I want to give permission over certain subsections to specific roles. So far the only thing that has worked is to deny everyone everything but browse tree at root of the site and then breaking inheritance on the sections that I want each role to have access to and granting a role access there. This seems like a management issue, constantly breaking inheritance. I also couldn't find any documentation on best practices for permissioning.

What is the best way to set up role permissions on site subsections?

Kentico Support

kentico_zdenekc - 7/13/2011 6:54:54 AM

RE:Managing page permissions

Hi,

There's no universal approach, it always depends on the actual aim.
Actually the approach you're describing is the better one with current design.
There might be some changes in the next version 6.0, that would make the management easier, however I cannot give you any details right now.

Could you please optionally describe your aimed scenario so we could try to recommend if there was any better approach?
Thanks.

Regards,
Zdenek

Member

LeRoy - 7/13/2011 11:10:21 AM

RE:Managing page permissions

My site's structure looks like this

main
+ about
+ resources
+ support
...

At its most basic level I would like to have a different role for access to each of the 1st subsections (about, resources, support...) and denied access to the other. The only solution I have come up with is to deny all of the roles at the "main" level. Then, on each of the sections, break inheritance and allow only a specific role modify rights and so forth.

This seems acceptable albeit a little bit of a pain when I need to add a role and will have to specifically deny that role access on all 1st subsections before allowing them on a specific one. It becomes even more problematic when I have sections deeper down (a second or third level subsection) that I need to apply "allow" access to and I have to break inheritance again. Then it becomes something I have to keep notes on in order to manage all the permissions.

I just hoped there was a better way to perhaps override a deny with an allow or there would be some trick. At the very least I want to make sure I am using a prescribed method rather than creating my own trouble.

I am also interested how 6.0 might change this process.

Kentico Support

kentico_zdenekc - 7/22/2011 9:09:47 PM

RE:Managing page permissions

Hi,

Thank you for information.
The way how you currently ensure the permissions is probably the best one that can be used with given ACL evaluation implementation today.

If there is only Create:Allow and not explicitly Deny defined, the result is Deny only when both CMS Content module and specific Document type were not allowed. In other cases the result was Allow.

The changes suggested for 6.0 are expected to change this evaluation when the ACL is insignificant (no record / no explicit Allow). It would result to Deny.
Which means you would only need to add Allow for specific role on the requested document (branch starting node), it would propagate to the child nodes through the inheritance and other roles would get Deny in that scope automatically. That would - I believe - make your scenario much easier to setup and manage.

I cannot confirm that it will be the default behavior, maybe a web.config key will be needed.
I would suggest you to contact us after 6.0 release so we can provide the most accurate information.

Best regards,
Zdenek C.


Member	lawrence.dine-moov2 - 5/22/2012 4:20:30 AM RE:Managing page permissions I realise this is an old post but this is very relevant to my current issue. I'm wondering if the setting Zdenek mentioned ever made it into version 6 and if not, will it be in version 7? Thanks, Lawrence


Kentico Developer	kentico_ivanat - 5/22/2012 6:25:14 AM RE:Managing page permissions Hi, unfortunately, this functionality was not improved because of backwards compatibility. I informed responsible development team that this was requested again. The requirement really makes sense, but integration to the current system would be very difficult. Best regards, Ivana Tomanickova