configuring page-level permissions

Kàren Vaganyan asked on June 22, 2016 20:11

I’m having trouble creating page-level permissions that allow only a particular role access to a section of pages. For example, I have a role called ‘Marketing Editors’ and I want only Marketing Editors to have access to pages under Marketing & Communications in the tree structure. So I went to the security tab, added the role to the Users and Roles list, and gave them access to read, modify, create etc. But I want all other roles to not have access to those pages. Is there a way to accomplish that without adding all other roles to the list and setting them as Deny for Full Control?

Not sure if my explanation is clear so let me know if I need to elaborate. Thanks!

Correct Answer

Rui Wang answered on June 23, 2016 21:15

Hi Karen, the best way to set up permissions for your case is to limit the module-level permission and give out more page-level permission where needed. The common mistake is that the role gets all the permissions on the Content Module level, which means all editors in that role can edit everything within the content tree, which leads to a lot of denies you have to set up.

The best way to do this is: For roles like Marketing Editor and Sales Editor, when you set up the module permission for Content, only check Browse Tree and Read. That's the minimum for the editor to see the tree. And in this case, they cannot edit any content at all. Then go to the content tree, go to /Marketing > permission, add the Marketing Editor role, and check Edit, modify, delete (maybe). Then do a similar thing for /Sales with the Sales Editor role. Now anyone in the Marketing Editor role will only be able to modify content within the /Marketing section.

1 vote

Recent Answers


Brenden Kehren answered on June 22, 2016 21:21

Check out this question and my answer on Stack Overflow related to something very very similar to your situation.

http://stackoverflow.com/questions/37447930/in-kentico-deny-access-to-a-single-page-unless-a-use-is-in-a-particular-role/37448462#37448462

0 votes

Kàren Vaganyan answered on June 22, 2016 23:30

Hi Brenden, I’m experiencing the same thing Jeffrey Fillian mentioned in his second response, Deny takes precedence over Allow. So even though I add the role to the page and allow it full control, the deny from the Everyone still has precedence.

0 votes

Brenden Kehren answered on June 23, 2016 00:25

You have to break permission inheritance on that page/node so you can remove that. Follow the instructions I provided and it will work, I do it all the time.

0 votes

Kàren Vaganyan answered on August 16, 2016 19:42

Thanks Rui! That seems to have worked quite well.

0 votes
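The rules discussed in this thread (module-level grants cover the whole tree, page-level Deny beats Allow, and breaking inheritance drops inherited entries) can be checked with a small model; this is an added example, not code from any poster or from Kentico. The evaluation order, the `can` and `scenarios` helpers, the `/Sales/Leads` and `/Marketing/News` paths and the permission names are assumptions made for illustration, with module-level `Read` standing in for "Browse Tree and Read".

```python
# Simplified model of the behaviour described in the thread (an assumption,
# not Kentico code). Roles, paths and permission names are constructed.

def ancestors(path):
    """Yield the page path, then each parent up to the root '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def can(roles, perm, path, module, acls, broken=()):
    """True if any of the user's roles may use `perm` on `path`."""
    entries = []
    for node in ancestors(path):
        entries += [e for e in acls.get(node, []) if e[0] in roles and e[2] == perm]
        if node in broken:  # inheritance broken and inherited entries removed
            break
    if any(kind == "deny" for _, kind, _ in entries):
        return False  # Deny takes precedence over Allow
    if any(perm in module.get(role, ()) for role in roles):
        return True  # module-level grant applies to the whole tree
    return any(kind == "allow" for _, kind, _ in entries)

MKT = {"Everyone", "Marketing Editors"}
SALES = {"Everyone", "Sales Editors"}
PAGE = "/Marketing/News"

def scenarios():
    broad = {"Marketing Editors": {"Read", "Modify"}, "Sales Editors": {"Read", "Modify"}}
    minimal = {"Marketing Editors": {"Read"}, "Sales Editors": {"Read"}}
    deny_all = {"/Marketing": [("Everyone", "deny", "Modify"),
                               ("Marketing Editors", "allow", "Modify")]}
    scoped = {"/Marketing": [("Marketing Editors", "allow", "Modify")],
              "/Sales": [("Sales Editors", "allow", "Modify")]}
    inherited = {"/": [("Everyone", "deny", "Modify")],
                 PAGE: [("Marketing Editors", "allow", "Modify")]}
    return {
        "broad module grant: Sales edits Marketing": can(SALES, "Modify", PAGE, broad, {}),
        "deny Everyone locks out Marketing too": can(MKT, "Modify", PAGE, minimal, deny_all),
        "scoped: Marketing edits Marketing": can(MKT, "Modify", PAGE, minimal, scoped),
        "scoped: Sales edits Marketing": can(SALES, "Modify", PAGE, minimal, scoped),
        "scoped: Marketing edits Sales": can(MKT, "Modify", "/Sales/Leads", minimal, scoped),
        "inherited deny, inheritance intact": can(MKT, "Modify", PAGE, minimal, inherited),
        "inherited deny, inheritance broken": can(MKT, "Modify", PAGE, minimal, inherited, {PAGE}),
    }

if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

Running the same matrix against a test account in each role after any permission change is a quick way to confirm that no role kept a module-level grant it should not have.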
