macro Identity logic

ruben verschueren asked on August 30, 2018 16:49

I'm getting into Kentico and I am testing out CI, staging, deployments etc. I ran into the macro security scenario where it is best practice to set up macro identities with an effective user.

What I don't understand is the logic behind it. The cms_macroIdentity table has a FK to the cms_user table, which I think is the effective user relationship. The cms_userMacroIdentity contains the links between the different users and the macro identity.

So as I understand it, I need to synchronise the entire CMS_MacroIdentity table and all the CMS_user records it is pointing to. I also need to somehow determine that my users in the target system link to a certain macro identity. The documentation also states that the effective user of a macro identity can be different on each environment (so why bother having an effective user at all?).

Why not link the macros to a user role? That would eliminate the need of any links with actual users.

Sorry if all this is obvious to a more seasoned user, I'm trying to understand the reasoning behind it, rather than just blindly follow the documentation.

Recent Answers


Zach Perry answered on August 30, 2018 17:01

See if this article helps explain some of it.


Peter Mogilnitski answered on August 30, 2018 19:14

We are trying to use the unsigned macros {% CurrentDocument.DocumentName @%} everywhere. The advantage of unsigned macros is that they do not store an identifier of the author or a security hash. The issue is that unsigned macros are always evaluated with the permissions of a public user. As a result, expressions that require any permissions will not resolve correctly.

So technically you need to use a macro identity for those cases where permissions are required. If you have several developers working on the project they can share the same macro identity (for example global admin, which exists in all environments). So when you move objects between environments there are no macro security issues, because the global admin identity exists everywhere. Global admin is perhaps not a good example, but you can use an identity that you are comfortable with and that exists in all environments.


ruben verschueren answered on September 3, 2018 09:45 (last edited on September 3, 2018 14:05)

So what you are saying is basically use it, but set it up manually for developers and maybe one for production content editors, but don't synchronise it.


Peter Mogilnitski answered on September 5, 2018 16:59 (last edited on September 5, 2018 17:12)

I am saying you use it! You can create a user for developers and a user for editors (or actually pick the existing ones: there are already the users administrator and cmseditor). These exist in Kentico by default, so they will automatically be in all environments.

