Security and Roles - how to deny access to everyone but allow a subset of users to view

Gabriel Tinnaro asked on July 11, 2018 15:07

Hello, all - I'm hoping that you can help me figure out how to do something - -and I'm hoping I won't hear that we've munged up our security paradigm.

On this site, only authenticated users are allowed to view any pages - all users, when they first authenticate, are added to a role (let's call it "EMPLOYEES"), and the root of the site is set so that the pages require authentication, and EMPLOYEES can view everything.

We want to build another role and call it "MANAGERS", and configure the system so that there's a section where only users with "MANAGERS" role can see them.

The challenge we're having is that our MANAGERS all are, by necessity, EMPLOYEES, and if I set the section's security so that MANAGERS have read access and EMPLOYEES do not, no one can see it because everyone is an EMPLOYEE. But if I remove EMPLOYEES from the access list, EMPLOYEES can still see it.

Would anyone be able to explain to me - or maybe point me towards the resources I ought to use to educate myself - so that I can create a section of the site only available to users in a particular group without having to explicitly create a role for not-users of the pages?

Thanks so much for your consideration!

Recent Answers

Peter Mogilnitski answered on July 11, 2018 16:08 (last edited on July 11, 2018 18:58)

Normally deny has the upper hand: if you are a member of 2 roles but one is denied - you wont get the access to a resource. Did you have a chance to look at this example? I'd say you have to separate manager and employee (a user cannot be both). And don't forget to break inheritance and copy parent permissions like it was explained in the example. Explicitly deny read access to Employee. This also means that all you users are either managers or employees. If they are not in one of those groups - they can access it.

0 votesVote for this answer Mark as a Correct answer

Gabriel Tinnaro answered on July 12, 2018 01:42

Thanks for the guidance Peter, I appreciate it. I was hoping that I was missing something -- this seems to imply that any time I want to control access to a page based on a Role, I not only need a group for the people I allow but also an additional group for the people I block. I am clearly not a security expert, but it seems I've been thinking about this all wrong. OR... maybe there's another way...

0 votesVote for this answer Mark as a Correct answer

Peter Mogilnitski answered on July 12, 2018 05:33 (last edited on December 10, 2019 02:31)

I personally find all this a bit confusing, but there is a work around:

  1. You may try to use macros to make it work the way you want. Here is a topic on it. Or you can simply choose display zone to role (from zone properies)
  2. You might as well try to use global events and program it the way you want it (i.e. on init check if a user is a member of a role).
  3. You can add a web part for example custom response that will return 401 unauthorized if user in not in a given role (i.e. enable it based on a macro:{%!CurrentUser.IsInRole("Manager")|(identity)GlobalAdministrator%})

P.S. You might as well raise this issue with the support.

0 votesVote for this answer Mark as a Correct answer

Gabriel Tinnaro answered on July 12, 2018 14:36

That's super helpful Peter, thank you! I'll start looking into those solutions.

0 votesVote for this answer Mark as a Correct answer

   Please, sign in to be able to submit a new answer.