Page-level permissions (ACLs) 'Create' permission does not work unless Permission for page type is a

Nicholas Gornall asked on May 2, 2022 08:40

Hi,

I'm having trouble understanding the correct usage of the Page-level permissions (ACLs) 'Create' permission.

I have followed the example specified here: https://docs.xperience.io/managing-users/configuring-permissions/configuring-page-permissions/page-level-permissions-acls for "AliceM" in both Kentico 12 and 13 and receive the same error/warning when user "AliceM" attempts to create a new page in the content tree.

Scenario:

1. Create User "AliceM" using Clean Kentico site template for "Corporate News".
2. Assign Role "CMS Readers" to user "AliceM"
3. Open Pages application
   a. In the content tree navigate to: Corporate site > News
   b. Open the Security tab
   c. Click "Add user" and select "AliceM"
   d. Select "AliceM" and assign Modify, Create and Delete permissions
   e. Click Save
4. Logout and login as "AliceM"
5. Open Pages application and in the content tree navigate to: Corporate site > News
6. Observe that "AliceM" cannot "Create" new pages. Note this user can "Modify" and "Delete" which seems inconsistent.

The only way to fix this problem seems to be to assign "Create" Permission for page types. However this does not make sense or seem consistent as "Modify" and "Delete" do not require Permission for page types.

Can someone please advise how the "Create" Page-level permission is intended to be used?

Recent Answers


Juraj Ondrus answered on May 3, 2022 08:10

It works fine for me. There must be some denial or no permission set somewhere. Please use the security debug to see what permission returns false.

Here are screen shots of my setup (I am using user 'Andy'):
User role
Privilege level

Content module permissions (and there are no permissions set for the Page types)
ACL permissions
The user can create any allowed page type in given scope

I would use two browsers. In browser A login as admin and go to the security debug. In browser B login as the user you want to test. In browser B prepare for the action you want to debug. Switch to browser A and click the "Clear debug log" button to clear all the logs. Switch to the browser B and perform given action.
Now, switch back to browser A and click on the "Security" tab to refresh the log. What permission returns "false"? In my case I have all green - so it is working fine.


Nicholas Gornall answered on May 4, 2022 08:40 (last edited on May 4, 2022 08:41)

Hi Juraj,

Thanks for the detailed reply.

I have confirmed that AliceM has the same setup as your user 'Andy'. This is the message that AliceM sees: [screenshot]

This is the Security Debug that seems to be failing. Could you please share your screenshot for the "Create" permission? [screenshot]


Juraj Ondrus answered on May 4, 2022 09:37

Thank you for the screen shot. As you can see in the error message and in the debug, there is no page type allowed to be created under this page. You need to adjust the page type scopes and/or the allowed child page types for the parent's page type. Please see this documentation on limiting the pages a user can create.


Nicholas Gornall answered on May 4, 2022 23:55 (last edited on May 4, 2022 23:57)

Thanks Juraj.

I have created a Page type scope which allows all page types. There are no other Page type scopes preventing or limiting child Page types. I have also confirmed that there are allowed children under the correct Page type.

How did you overcome the problem in your test scenario? When I look at your screenshot it appears that your user Andy was able to create a large number of Page types.


Juraj Ondrus answered on May 9, 2022 10:27

I do not have any scopes defined for that section. I would try removing the scopes in your case too. Check also other scopes just to be sure there are no overlapping ones. And then, for the child and parent types - what is the type of the parent page and what type do you want to create? I do not know this so I cannot tell whether this is set correctly. From the debug it seems you are trying to create a CMS.News page type - is this one allowed as a child type? The screen shot shows just the first page...


Nicholas Gornall answered on May 11, 2022 05:37

Hi Juraj,

I have removed all page type scopes. This did not fix the issue.

I have also tried moving the "Create" permission to the Root level and changed to using the user "Andy" to match your scenario.

Here are screenshots of my setup (I am now also using user 'Andy'):

User role

Privilege level

Content module permissions (and there are no permissions set for the Page types)

ACL permissions

The user still CANNOT create any allowed page (even though there is no scope as per your instructions)

Cannot create under Root

Cannot create under /News

Cannot create under /Other

To confirm that the Page type scope does not resolve the issue I have also tested using a Page type scope.

Page type scope that allows all Page types

Cannot create page under /News even with Page type scope

Note that adding the Page type scope still does not help but it does change the error message from "You don't have permission to create pages." to "The page type scope applied to this path allows only certain page types to be created. You don't have permission to create any of these page types."

As per your request for Allowed child types screenshot - these have been left as default from the Corporate Site template site.

Menu items allowed Children 3rd page

News

I am using Kentico v12.0.99 and the "Create" feature does not seem to work.


Juraj Ondrus answered on May 11, 2022 11:49

Thanks for the screen shots. I was reviewing them and comparing with mine and I am not sure what happened - but on one of my screen shots I sent previously I did not have the "Create" permission set for the Content module but now, when I am checking the instance again, it is being checked! I may have mixed some instances. I am sorry about that. Indeed, you need to have either the permissions to create set for the Content module OR set it for a particular page type you want to allow the user to create.


Nicholas Gornall answered on May 12, 2022 02:03

Thanks Juraj.

So as per the Kentico documentation on this page https://docs.xperience.io/k12sp/managing-users/configuring-permissions/configuring-page-permissions/page-level-permissions-acls The definition for the "Create" permission is:

Create - Allows the user or members of the role to create new pages under this page.

But what you are saying is that this is wrong. It is actually:

Create - Allows the user or members of the role to create new pages under this page IF THEY ALSO have Create permission on specific Page types.

Is that correct?


Juraj Ondrus answered on May 12, 2022 09:03

I found the issue in my case - I have overlooked that the user is assigned to a global role with the permission allowed.

So, to explain it - the permissions are set on various levels or layers. It is like an onion. And if there is a deny permission or no permission set on any of the levels, better safe than sorry, the denial permission is applied.

So, in this case you allowed to create pages on the page level. But now the system looks at the higher level "OK, user can create page but what page type should I allow? All? Or some particular only?" And now, there is no allow permission set for content module (all page types) nor any particular page type is being allowed. So, system says "I do not know what page type to allow, the permissions are not set, better safe than sorry, creation denied!".

I hope it makes sense now and I am sorry for all the confusion. I got trapped with the global role and provided you with false information!

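The layered check described in the last answer, as an added Python model for auditing effective permissions; it is not Kentico code and not part of the original thread. The class and function names, the `GlobalEditors` role, the `CMS.MenuItem` parent type and the assumption that ACL entries are inherited from parent pages are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Site:
    acl_create: dict = field(default_factory=dict)        # page path -> principals with ACL Create
    module_create: set = field(default_factory=set)       # principals with Create on the Content module
    type_create: dict = field(default_factory=dict)       # page type -> principals with Create on it
    allowed_children: dict = field(default_factory=dict)  # parent page type -> allowed child types

def acl_grants_create(site, who, path):
    # Assumption: ACL entries are inherited, so walk from the page up to the root.
    while True:
        if who & site.acl_create.get(path or "/", set()):
            return True
        if path in ("", "/"):
            return False
        path = path.rsplit("/", 1)[0]

def can_create(site, user, roles, parent_path, parent_type, page_type):
    """Return (allowed, reason). A layer with no explicit allow denies."""
    who = {user} | set(roles)  # grants may come from the user or any role, global roles included
    if not acl_grants_create(site, who, parent_path):
        return False, "no page-level (ACL) Create on the parent page"
    if page_type not in site.allowed_children.get(parent_type, set()):
        return False, "page type is not an allowed child of the parent's type"
    if who & site.module_create:
        return True, "Create on the Content module (all page types)"
    if who & site.type_create.get(page_type, set()):
        return True, "Create on the page type"
    return False, "no Create for the Content module or for this page type"

def demo():
    # Constructed data mirroring the thread: ACL Create for AliceM on /News only.
    site = Site(acl_create={"/News": {"AliceM"}},
                allowed_children={"CMS.MenuItem": {"CMS.News"}})
    target = ("/News", "CMS.MenuItem", "CMS.News")
    results = [can_create(site, "AliceM", {"CMS Readers"}, *target)]     # the failing case
    site.acl_create["/"] = {"Andy"}
    site.module_create.add("GlobalEditors")                              # overlooked global role
    results.append(can_create(site, "Andy", {"GlobalEditors"}, *target))
    site.type_create["CMS.News"] = {"AliceM"}                            # the fix from the thread
    results.append(can_create(site, "AliceM", {"CMS Readers"}, *target))
    return results

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, "-", reason)
```

When two accounts that look identical behave differently, list every role each one belongs to, global roles included, because a grant on any of them satisfies the type-level layer.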