I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
Related
I am building a site on Liferay 7. By default, all the authenticated users inherit the Guest permissions (anonymous users).
There is even a label in the permissions section:
"Under the current configuration, all users automatically inherit permissions from the Guest role."
Why do I need this?
I would like to display X content only for anonymous users and when the user logs in, then I would like to display different content.
This is how my content permissions for anonymous users are configured:
Although I agree with people that say this is not the best path, yes you can do it - just to address the question at hands.
Set this to true if resources should assume that all users have the Guest role. Set this to false if resources will not assume that all users have the Guest role and, thus, do not automatically inherit permissions that belong to the Guest role.
Setting this property to false may require users to grant permissions to roles like Site Member and User.
Defaults:
permissions.check.guest.enabled=true
Why do I need this?
Permissions are not the catch-all for showing different content. If a guest is not allowed to see something, but needs to log in - that's fine. It's authenticated content, and you'll need to sign in.
If an authenticated user has no permission to see certain content, but just needs to log out in order to see it: What kind of permission is that? Let me answer that for you: It's not permission. It's rather targeted content and while it might be mimicked with permissions, this mimicry is nothing more than mimicry.
One way to implement such a requirement is through structured Web Content (you sound as if you want to show different Web Content articles). The template has access to the full API and can check if the current user is signed in or not - and show different content based on this fact.
If you want to achieve role permission using code level as like in xxxlocalserviceImpl class.You can use below code for allow permission for the guest user.
In case of document and media allow permission to guest and registerUser in Liferay 7 using rest webservice you can use this code for allow permission to upload and download the document using this code.
ResourcePermissionLocalServiceUtil.setResourcePermissions(companyId,
DLFileEntry.class.getName(), ResourceConstants.SCOPE_INDIVIDUAL,
String.valueOf(dlFileEntry.getFileEntryId()), guestRole.getRoleId(),
new String[] { ActionKeys.VIEW });
To answer your question - you can not configure that per specific asset! By default an authenticated user can not have less permissions than an unauthenticated one. You can change that behavior for all assets using permissions.check.guest.enabled=false as #Victor correctly pointed out!
We want some users of one of our SharePoint site to manage permissions on their site but do not want them to give the permission called "Manage Permissions". Because if we do so, the users start assigning the built in permission level “Full Control” to themselves. How can we achieve this?
Please note that the users with the permission level "Manage Permissions" can create and change permission levels on the Web site [Ref: Microsoft]. What we want for them to only be able to create users, groups, and assign certain permissions on the site to those users and groups.
"we want for them ... and assign permissions"
you DO realize that they can just as easily be assigning Full Control to these groups? isn't that what you say you want to AVOID?
manage the permissions for them, and allow them to self manage the GROUP MEMBERS. that way they can add people to the "publishers" group... and net result is that the user has "publish" permissions.
solution 2 can be extrapolated for some very granular needs, but I don't explain how because I wouldn't recommend it.
I have a browser:page setup in Zope, and I have:
permission="zope2.Public"
My question is what should I change this to in order to allow only Plone administrators access, and/or logged in (non-administrators) access to this page?
On Zope, you control access to views via permissions, but to permit someone to access a given permission, you must grant such permissions to a role.
Anyone in the Plone administrators group has been granted the Manager role (on Plone 4.2 that'll change to the SiteAdmin role) generally have access to most permissions. There is also the automatic Authenticated role, which is given to anyone that has been authenticated (has logged in). The latter doesn't have many default permissions though.
Permissions are generally named after the action you want to permit. If your view's goal is to manage some aspect of your Plone portal, then the cmf.ManagePortal permission is probably what you want. You can check the full list of default permissions if you need another one.
There is some excellent documentation on how security works in Plone, which includes information on how to define new permissions too, and how to assign existing permissions to roles.
permission="cmf.ManagePortal"
This setting is about permissions not about roles.
I want to have user rights split into two. Some of the policies at the client's side mention that we should have a seperate user who has only the rights to add users and nothing else, and the Site Administrator should not be able to add users.
As of now, the Site Admin is used to Add users and to manage other configuration. Can we remove the User Addition role from Site Admin?
Is there a way to create a new User Role by writing some code?
I don't think it is possible to remove any permissions from the site administrator. You could do something wild like add security code to your master page, however. That could detect the current user and the current page, and throw an error if the site administrator were in the wrong place.
You can create a custom permission level, provided your permission sets summarise to one of the options offered by the SPBasePermissions enumeration. Unfortunately there is no specific 'add user' permission, only ManagePermissions. For reference anyway, here's a basic code sample.
I think the best approach is that given by strongopinions where a piece of code runs to check who the user is if they visit the Add User page.
I would like to create a folder that users who do not have privileges to view the rest of the site can see. This user group would be granted access to the site, but I only want them to be able to view one particular page.
Is this possible to do without going to every single page and removing the new user group's access?
yeah, you should be able to create a new group and add the users to that list/subweb/whatever and just that. This is assuming that you didn't grant access to all users somewhere. If you did, then hopefully the default access is granted to a default user group (like sharepoint visitors) and you can alter that group to exclude the users you only want to access the limited part of the site.
If created correctly the new group shouldn't have access to the rest of the site.
If you are getting thrown off by the fact that the user/group is listed as having "Limited Access" on the ACLs on, say, the parent site/web. That's just a placeholder SharePoint uses to make sure people have access to at least the bare minimum set of objects (e.g. theme and other UI files and the parent web itself) to get to the list or item you actually want them to have access to.
As long as the group only has access on a single list, you should have to worry about them having access to anything else.