Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.
Related
I need to create multiple users in same AD and need to isolate the resources created by one user from other user.Is it really possible.since I am new to Azure I am not aware that this is really possible.It would be great if some one render their hands to advice on this.
There is no absolute isolation, there are only certain restrictions.
The users created in the AAD tenant are all the Members by default, they have the default permissions e.g. Read all properties of groups, Read properties of registered and enterprise applications. So if user A created some resources e.g. group, application, the user B will also be able to read the properties of them.
There are some restrictions, like Manage properties, ownership, and membership of groups the user owns, Manage application properties, assignments, and credentials for owned applications. This means some properties of the resources can just be managed by the Owner of them.
For more details about the default user permissions, you could refer to https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
And if the user is assigned as the admin role in the tenant, he will have more permissions than the default users, see https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
I need to give permissions to edit/create/destroy pages in a node to a group of users.
I've created a group and added a test user to that group.
I can't seem to give permission to the Pages application so see if i can see the node.
I also added game this role permissions at the node level too.
Ideally this editor role would be able to create new sub pages, which also means being able to upload media.
Your new user must have editor privilege level (you can edit user in Users application). If you want to provide ability to see content in Pages app you have to grant the user with Browse tree and Read permission (content module). To satisfy your scenario you need to grand user with Modify and Create permissions, too (maybe Design?).
Just FYI: The approach provided by Brenden (cloning the role) is very handy but there a is chance you grant the user with permission you don`t want to provide (inappropriate permissions for original role).
I've found the most efficient method is review the out of the box roles provided by Kentico and clone the one which fits closest to your needs. Then modify your cloned role to add/remove abilities and permissions.
If you're unsure of what each role can and cannot do, create a new test user with one of the roles assigned to them and log in as them. Do the same for all the roles you want to test until you find the one closest to what you're looking for.
We want some users of one of our SharePoint site to manage permissions on their site but do not want them to give the permission called "Manage Permissions". Because if we do so, the users start assigning the built in permission level “Full Control” to themselves. How can we achieve this?
Please note that the users with the permission level "Manage Permissions" can create and change permission levels on the Web site [Ref: Microsoft]. What we want for them to only be able to create users, groups, and assign certain permissions on the site to those users and groups.
"we want for them ... and assign permissions"
you DO realize that they can just as easily be assigning Full Control to these groups? isn't that what you say you want to AVOID?
manage the permissions for them, and allow them to self manage the GROUP MEMBERS. that way they can add people to the "publishers" group... and net result is that the user has "publish" permissions.
solution 2 can be extrapolated for some very granular needs, but I don't explain how because I wouldn't recommend it.
I am editing user security and am trying to give a user access to an e.List item. I select the user using the [...] button and successfully find that user by searching in our AD domain.
After I select the user and press OK, that user does not come into the CAC, just this error The filter will only accept groups and roles. Users will not be added to the filter. I don't see any filters here at all.
Have you seen this before and is it possible to set up security by users?
Thank you,
WE
Answer from ericlfg on http://www.cognoise.com/community/index.php/board,15.0.html:
Hi William,
The message you are receiving is by design. In order to add a specific user, rather than a group or role, that use needs to be a member of some kind of hierarchy in your security provider.
Ex: If you're using cognos groups and roles with a Role called "Test". You would populate this test role with members from your namespace. In the CAC, you would then select the Test group when you click on the elipsis and then that will allow you to select your individual user (or alternatively the Test role).
The same would be true if you're trying to add members directly from your 3rd party authentication provider. The individual users need to be part of a roll-up role or group in order to add that roll-up role or group to the filter. Once added to the filter you can select the individual users.
Hope this helps.
I'm using AzMan (1.0) for an ASP.Net web app, and I have a question about nested Roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role.
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this is to recursively go through all the roles? That'd mean I cant use the declarative security, or to do so I'd have to add all users to the top level group as well (not ideal).
It sounds like you're expecting composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.
In other words, rather than depending on IsInRole to follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.
I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights. That's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allows users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps" -- doesn't matter).
In my app, I could check IsInRole("Viewer") and everyone who is a user will be in that role. But if I check IsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.