Restrict a role from a page

Jason Howard asked on August 22, 2023 16:44

We are currently upgrading from v12 to v13 and one of the features that we used in K12 that has been removed was the Groups application to restrict pages to certain group members/users.

The scenario is we have 100 or so different groups that people can have access to and certain pages were then restricted to only be viewed by a particular group. I have been trying to replicate this in K13 using roles, but from what I can gather the Deny rule always wins, so trying something like assigning a page security of "Everyone role: Deny Read; GroupN role: Allow Read" does not work, as by definition all users will be part of the Everyone role, so they are denied access even if they have the GroupN role.

I tried assigning the Everyone role with no security rights checked and keeping Allow Read on the GroupN role but any user not belonging to GroupN could still view the page.

Thought about using negative roles, so have a Negative GroupN role and a positive GroupN role, but all the Negative roles would have to be added to a page as Deny and all users would be assigned the Negative role on login if they did not have the positive role. That seems horrible to manage, and what if a user was a member of two groups?

Just wondering if anyone has done something similar or could provide another view on this?

Correct Answer

Jason Howard answered on August 23, 2023 17:40

Thanks Juraj. Yes, this is for website visitors rather than editors. The Everyone role is an out-of-the-box role.

I managed to trace down what was causing my issue. My setup was as follows: on the Root Node there were no security restrictions and Requires Authentication was set to No. On a page that I wanted to restrict access to, I broke inheritance (removing parent permissions), set Requires Authentication to Yes and then added the GroupA role with Read access. However, any authenticated user was able to view the page regardless of whether they had the GroupA role or not.

After a lot of testing the issue was that at some point the "Authenticated users" role was given read access to the Content module in the Permissions application for the site in question. Removing that Read access resolved the problem and only users that have the GroupA role assigned to them can view the page.

Thanks again to yourself and Brenden for taking the time to reply.

0 votes
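The misconfiguration described in the accepted answer, as an added example that is not part of the original post and is not Kentico code: a simplified model, assumed from the behaviour reported in this thread, of how a site-wide Read grant on the Content module bypasses a page ACL, with an audit that lists who can read a restricted page without holding an allowed role. The users, page paths and function names are constructed for illustration.

```python
# Simplified model of the behaviour reported in this thread; an assumption,
# not Kentico's implementation. Users, page paths and helpers are constructed.
from dataclasses import dataclass, field


@dataclass
class Page:
    """A restricted page: inheritance broken, Requires Authentication = Yes."""
    path: str
    allow_read: set = field(default_factory=set)  # roles with Allow Read in the page ACL
    deny_read: set = field(default_factory=set)   # roles with Deny Read in the page ACL


def can_read(page, roles, module_read_roles):
    """roles: roles the visitor holds (empty set = anonymous visitor)."""
    if not roles:
        return False                    # restricted pages require authentication
    if page.deny_read & roles:
        return False                    # deny always wins
    if module_read_roles & roles:
        return True                     # module-level Read applies to every page
    return bool(page.allow_read & roles)


def unintended_readers(pages, users, module_read_roles):
    """(path, user) pairs where a user reads a page without an allowed role."""
    findings = []
    for page in pages:
        for name, roles in users.items():
            if can_read(page, roles, module_read_roles) and not (page.allow_read & roles):
                findings.append((page.path, name))
    return sorted(findings)


USERS = {
    "alice": {"Authenticated users", "GroupA"},
    "bob": {"Authenticated users", "GroupB"},
    "carol": {"Authenticated users", "GroupA", "GroupB"},
}
PAGES = [
    Page("/members/group-a", allow_read={"GroupA"}),
    Page("/members/group-b", allow_read={"GroupB"}),
]

if __name__ == "__main__":
    # Before: "Authenticated users" has Read on the Content module.
    print("before:", unintended_readers(PAGES, USERS, {"Authenticated users"}))
    # After: the module-level Read grant is removed; only the page ACL decides.
    print("after: ", unintended_readers(PAGES, USERS, set()))
```

The same kind of check is worth running against the real role and permission assignments whenever a page ACL appears to be ignored: a broad role with a module-level grant is the first thing to rule out.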

Recent Answers

Brenden Kehren answered on August 22, 2023 17:33

When setting role permissions in the content tree, deny always wins. I'd suggest checking this documentation out and seeing if this helps your setup process.

0 votes

Jason Howard answered on August 22, 2023 18:26

Thanks Brenden, yes I had a look at the documentation, but that only led me to having negative groups and positive groups, and that is a lot of management when creating new restricted pages, and I don't think that would work when a user is a member of different positive groups.

Ideally you would want the editor to say this Role has read access to this page and thereby imply that any other users without that role do not have access but that doesn't seem possible in a simple manner much like the way groups worked in K12 where the page owning group was the relevant group. May just have to implement a custom field that specifies the Role that has access and redirect if a user visits that page and does not have that role - a pain but at least it gives us a relatively simple operation for editors. Search results would include it unfortunately but I think that is the best that can happen.

0 votes

Juraj Ondrus answered on August 23, 2023 07:25 (last edited on August 23, 2023 07:27)

Where did you get the role Everyone - is it your custom role where you assign all the users? Also, are we talking about editor users and access to the pages in the Pages app, content tree? Or live site permissions?
If a user is in multiple roles and at least one role has deny or not specified permission, better safe than sorry, the denial permission wins. It should be the same as setting up disk permissions in Windows.

Also, there is the "Check page permissions" setting which changes the behavior a bit, if you also want the system to filter the pages displayed to editors in the content tree according to the configured permissions. This means that the editor may or may not see a given page in the content tree based on the read permission.

Have you tried using the permissions inheritance and breaking it, copying from the parent and then adjusting it for particular roles? E.g. set deny to all roles and then go to a particular page/section, break the inheritance, copy permissions from the parent and just adjust the permissions to allow for one particular role. The other roles will inherit the denial permissions.
Setting up permissions is always tricky and in some cases it requires some more clicking and manual configuration - again so that the administrator deliberately clicks and knows what is being set and where. Better safe than sorry. It really depends on the sensitivity of the data. If it is not something that crucial you can use your workaround.

0 votes
