Page Security Issue

Larry Wildey asked on September 18, 2015 23:02

I have a site with both internal and external users. The external users should only be able to browse the site and the internal would have edit capabilities. All users have to login to the site through an openid login page.

The site's security is set up such that Everyone has access to the root, and then on most of the site we deny unauthenticated users so that they can't get to pages without logging in. We now want to secure some pages to only be accessible to internal users, but when we break inheritance on the page and deny the external users role, the users can still access the page. The only way we seem to be able to deny external users access is to deny authenticated users, and then only the global admins can access the page.

I am looking for best practices on setting up the roles for this basic site as well as a fix for my particular issue if possible.

Thanks,

Recent Answers


David te Kloese answered on September 18, 2015 23:35

Hi,

Are you sure you've set "Requires authentication" to Yes?

You can find more detailed info here: https://docs.kentico.com/pages/viewpage.action?pageId=58335521

Greets,

David

2 votes

Roman Hutnyk answered on September 19, 2015 21:01

Larry,

First of all, I'd recommend using Requires Authentication instead of denying unauthenticated users, as David said.

How do you distinguish internal vs. external users? By default Kentico assigns users who log in with OpenID to the CMSOpenIDUsers role. Is that a valid statement for your application? If it is, you now have to configure security correctly for that role. Do you have any issues with that?

0 votes

Larry Wildey answered on September 21, 2015 19:51

David,

Yes, we have the Requires Authentication choice also selected on the majority of the site, so I guess I could eliminate the denial for unauthenticated users, as this is a duplication. Good point.

Roman,

Both internal and external users go through OpenID, but we do have roles set up that contain customers (internal users) and clients (external users). But as I stated, if I change the security setting on a page to deny the external users and then have a user with that role log in, they can access the page. Somehow the security is not being correctly determined. The only thing I have found so far is to deny all, and then only global admins can access the page, but I don't want to assign a lot of people the global admin role who really should not be given that level of access.

0 votes
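Added example, not part of the thread and not Kentico's own code: a small Python model of page read evaluation, with a constructed page tree mirroring the setup described above (Everyone allowed on the root, a "requires authentication" subtree, and an internal-only page with inheritance broken). It shows why a Deny on "Authenticated users" locks out the internal users as well as the external ones, and how an allow-list on the internal role alone avoids that. The evaluation rules (Deny beats Allow, global admins bypass the ACL, inheritance broken means only the page's own entries count, the authentication flag is inherited by descendants) and all page paths, role names and user names are assumptions made for the example; if the real engine resolves conflicts differently, the observed results will differ.

```python
"""Toy model of page-level read permissions with inheritance.

Assumptions (this example's own, not taken from the thread or product docs):
- a page that breaks inheritance is governed only by its own entries;
  otherwise the nearest ancestor that breaks inheritance applies (root always does);
- an explicit Deny on any of the user's principals beats any Allow;
- global administrators bypass the ACL entirely;
- "requires authentication" rejects anonymous users before the ACL is
  consulted and is inherited by every descendant page.
"""
from dataclasses import dataclass, field
from typing import Optional

EVERYONE = "Everyone"
AUTHENTICATED = "Authenticated users"
ANONYMOUS = "Not authenticated users"


@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool = False
    roles: frozenset = frozenset()
    global_admin: bool = False

    def principals(self) -> frozenset:
        """Generic principals plus the user's roles."""
        generic = {EVERYONE, AUTHENTICATED if self.authenticated else ANONYMOUS}
        return frozenset(generic) | self.roles


@dataclass
class Page:
    path: str
    parent: Optional["Page"] = None
    inherits: bool = True                 # False = "break inheritance"
    allow: set = field(default_factory=set)   # principals granted Read
    deny: set = field(default_factory=set)    # principals denied Read
    requires_auth: bool = False

    def acl_source(self) -> "Page":
        """Walk up until a page that does not inherit (the root never inherits)."""
        page = self
        while page.inherits and page.parent is not None:
            page = page.parent
        return page

    def requires_auth_effective(self) -> bool:
        """True if this page or any ancestor requires authentication."""
        page = self
        while page is not None:
            if page.requires_auth:
                return True
            page = page.parent
        return False


def can_read(user: User, page: Page) -> bool:
    if user.global_admin:
        return True
    if page.requires_auth_effective() and not user.authenticated:
        return False
    source = page.acl_source()
    principals = user.principals()
    if principals & source.deny:          # Deny wins over Allow (assumption)
        return False
    return bool(principals & source.allow)


def build_site() -> dict:
    """Constructed sample pages mirroring the thread's setup."""
    root = Page("/", inherits=False, allow={EVERYONE})
    members = Page("/members", parent=root, requires_auth=True)
    # Attempt 1: break inheritance, keep Everyone, deny the external role.
    deny_external = Page("/members/internal-a", parent=members, inherits=False,
                         allow={EVERYONE}, deny={"External users"})
    # Attempt 2: deny all authenticated users (locks out internal users too).
    deny_authenticated = Page("/members/internal-b", parent=members, inherits=False,
                              allow={EVERYONE}, deny={AUTHENTICATED})
    # Allow-list only the internal role; grant nothing to Everyone.
    allow_internal = Page("/members/internal-c", parent=members, inherits=False,
                          allow={"Internal users"})
    return {p.path: p for p in (root, members, deny_external,
                                deny_authenticated, allow_internal)}


USERS = {
    "anonymous": User("anonymous"),
    "external": User("external", True, frozenset({"External users"})),
    "internal": User("internal", True, frozenset({"Internal users"})),
    "admin": User("admin", True, frozenset(), global_admin=True),
}


def access_matrix() -> dict:
    """Map (user name, page path) -> whether Read is granted."""
    site = build_site()
    return {(name, path): can_read(user, page)
            for name, user in USERS.items() for path, page in site.items()}


if __name__ == "__main__":
    for (name, path), ok in sorted(access_matrix().items()):
        print(f"{name:9} {path:22} {'read' if ok else 'denied'}")
```

Under these rules the external user is denied on internal-a (the Deny on its role wins), every non-admin is denied on internal-b (the Deny on Authenticated users catches the internal role too), and internal-c grants Read only to the internal role without any Deny entry at all.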
