I want to restrict some users to view the control menu based on the inherited site roles. I tried with userGroupRoleLocalService to fetch user and it is displaying the default roles and not from the inherited roles.
Could someone help me with how to fetch the inherited site roles in FTL?
It is not good practice to perform permission checks based on the existence of certain roles. Rather, use a permissionChecker - afaik there is a "VIEW_CONTROL_PANEL" (for ResourceName "90", i.e. Portal) permission to check. Assign this permission to the roles you want to grant access to the control panel. In your FreeMarker theme use:
<#-- Show the control menu only to users holding VIEW_CONTROL_PANEL on the Portal resource ("90") -->
<#if permissionChecker.hasPermission(scopeGroupId, "90", 0, "VIEW_CONTROL_PANEL")>
    <@liferay.control_menu />
</#if>
Is it possible to set a VIEW-only permission on a single document library file (DLFileEntry) for the users of a different site?
Example: DocumentA exists in SiteA and I want to give all the users of SITEB view permission on this document only.
Thanks for reading.
-Mike
You'll need some kind of indirection: permissions in Liferay are handled through roles (teams behave as roles as well), not by other arbitrary groups of users. Assign all the users to a user group, make that user group a member of the site in question, and assign it to a role that you create for this purpose.
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are members of two different roles rather than just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using:
// Sitecore.Security.Authentication.AuthenticationManager and Sitecore.Security.Accounts.User
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted" : "Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: if I allow access to an item in Role1 but deny it in Role2, a user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click the Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc. permissions to the required Items.
Now when users access those Items they must have Role A and Role B before being given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage, and combinations of those, it will be very time consuming to manually create those combinations.
I have created a 'Site User' role which is appropriate for users who will be Viewers on every available portlet. For example, a user with this role should only be allowed to view documents in the Documents and Media portlet but not allowed to add a new document or edit an existing one.
I have defined the proper permissions in my Site role; however, users with this Site role are still able to create events or add documents etc.
All these users are also assigned the Social Office User role, but as far as I can see there is no such permission granted by this role.
I'm wondering if this is normal behavior or if the only solution is to modify the portlets in a way that they won't allow users without the 'Site Admin' role to perform certain actions.
They're most likely still assigned to the "User" role (portal wide), or get the permission from being a "Site Member". As you can't remove permissions, only add them through roles, check these roles for their bundled permissions.
They're assigned by default to the Site Member role, as Olaf stated. Look at this file:
https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/resource-actions/documentlibrary.xml
As Site Member you have:
<site-member-defaults>
    <action-key>ADD_DOCUMENT</action-key>
    <action-key>ADD_FOLDER</action-key>
    <action-key>ADD_SHORTCUT</action-key>
    <action-key>SUBSCRIBE</action-key>
    <action-key>VIEW</action-key>
</site-member-defaults>
as default action permissions.
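The two answers above describe two different evaluation rules: in Liferay a role can only add actions (so a "Site User" role that grants VIEW cannot take away the ADD_DOCUMENT that Site Member already grants), while in Sitecore an explicit deny on any held role wins, and "must hold both roles" is an explicit AND check in code. The following toy evaluator is an added illustration, not Liferay or Sitecore code; it reproduces those rules over constructed sample data (the action keys are the documentlibrary.xml site-member defaults quoted above; the role names and the item ACL are made up) so the outcomes can be checked offline.

```python
"""Toy model of the additive (Liferay-style) and deny-overrides (Sitecore-style)
permission semantics discussed in the threads above. Added illustration only;
it calls no product API. All role names, grants and ACL entries are constructed."""

# --- Additive model: a role can only ADD actions, never subtract them. --------
# Constructed sample data: actions each role grants on the Documents and Media
# resource. "Site User" is the custom role from the question (VIEW only).
ROLE_GRANTS = {
    "Site Member": {"ADD_DOCUMENT", "ADD_FOLDER", "ADD_SHORTCUT", "SUBSCRIBE", "VIEW"},
    "Site User": {"VIEW"},
    "Social Office User": set(),  # the question reports no relevant grant here
}


def effective_actions(user_roles, role_grants=ROLE_GRANTS):
    """Union of everything every held role grants; nothing is ever removed."""
    actions = set()
    for role in user_roles:
        actions |= role_grants.get(role, set())
    return actions


def can(user_roles, action, role_grants=ROLE_GRANTS):
    """True if any held role grants the action (additive semantics)."""
    return action in effective_actions(user_roles, role_grants)


def without_default(role_grants, role, action):
    """The only way to shrink an additive result: change the granting role's
    defaults themselves (here simulated by returning an edited copy)."""
    edited = {r: set(a) for r, a in role_grants.items()}
    edited.get(role, set()).discard(action)
    return edited


# --- Deny-overrides model: any explicit deny on a held role wins. -------------
# Constructed sample ACL for one item: (role, right) -> "allow" | "deny".
ITEM_ACL = {
    ("Role1", "read"): "allow",
    ("Role2", "read"): "deny",
}


def has_right(user_roles, right, acl=ITEM_ACL):
    """Allowed only if some held role allows the right and no held role denies it."""
    entries = [acl.get((role, right)) for role in user_roles]
    if "deny" in entries:
        return False
    return "allow" in entries


def requires_all(user_roles, required):
    """Explicit AND check, the equivalent of IsInRole(a) && IsInRole(b)."""
    return set(required) <= set(user_roles)


if __name__ == "__main__":
    member_and_viewer = ["Site Member", "Site User", "Social Office User"]
    # The custom role does not stop the Site Member default from leaking through.
    print("ADD_DOCUMENT via defaults:", can(member_and_viewer, "ADD_DOCUMENT"))
    trimmed = without_default(ROLE_GRANTS, "Site Member", "ADD_DOCUMENT")
    print("ADD_DOCUMENT after editing defaults:", can(member_and_viewer, "ADD_DOCUMENT", trimmed))
    print("read with Role1 only:", has_right(["Role1"], "read"))
    print("read with Role1 and Role2 (deny wins):", has_right(["Role1", "Role2"], "read"))
    print("both roles required:", requires_all(["Role1"], ["Role1", "Role2"]))
```

The practical reading for the Liferay question: adding a more restrictive role never changes the outcome, so the fix lives in the defaults of the roles the user already holds (Site Member, User), not in a new role.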
I have created a custom Regular Role and I have inserted it inside the portlet.xml of so-portlet (security-role-ref element), and I have also mapped it to the respective role in liferay-portlet.xml.
However, when a user has only this custom Regular Role, an error message is displayed: "You do not have the roles required to access this portlet".
It is also strange that this happens only in the user's personal site; on any other site the user is able to view the specific portlet.
Does anyone have any idea about this?
Since you have a Custom Regular Role for your App, you should edit the default Role Permissions:
Log in as an admin.
Go to Control Panel > Roles.
Find your Role, and from the Actions menu on the right side, pick Define Permissions.
From the left menu, find your application.
Edit your permissions. Make sure to have the 'View' action granted for your Role. You can additionally allow it for all sites (default), or you can just select the 'User Personal Site'.
Now, if you want to make an exception for a specific portlet instance (that's what I meant in my question, in the comments), you can:
Log in as Admin.
Navigate to the specific Page where your portlet instance is added.
Enable Edit Controls, and edit your portlet (mini menu on the upper right side, with the wrench icon).
Pick Permissions and have your Role allowed to view the portlet.
The Personal Site is a Private Site if I remember correctly, so I think your user is not a site member, which is a necessary condition to view the private pages.
We want some users of one of our SharePoint sites to manage permissions on their site, but we do not want to give them the permission called "Manage Permissions", because if we do so, the users start assigning the built-in permission level "Full Control" to themselves. How can we achieve this?
Please note that users with the permission level "Manage Permissions" can create and change permission levels on the Web site [Ref: Microsoft]. What we want is for them to only be able to create users and groups, and assign certain permissions on the site to those users and groups.
"we want for them ... and assign permissions"
You DO realize that they can just as easily be assigning Full Control to these groups? Isn't that what you say you want to AVOID?
Manage the permissions for them, and allow them to self-manage the GROUP MEMBERS. That way they can add people to the "publishers" group... and the net result is that the user has "publish" permissions.
Solution 2 can be extrapolated for some very granular needs, but I won't explain how because I wouldn't recommend it.