I feel an ACL is like whitelisting, i.e., giving some users/groups some permissions. Is this true?
Yes.
You can create a list of users and specify what each user is allowed to do.
You can also create a list of groups, assign access to the groups, and then create the relation between users and groups.
Also see: http://en.wikipedia.org/wiki/Access_control_list
Hello, I'd like to restrict all users to accessing only the Work Center with ID = 1.
I added a record rule for mrp.workcenter with the domain filter [('id','=',1)]. But I can still see all the work centers...
Any ideas?
The given domain is correct and works fine.
You can see all the records from the admin login. But if you log in as another user, say a Manufacturing Manager, then they can see only one record (I mean id=1).
By default, no rules are applied to the admin user. Please check it from another user.
Define access rules in security/ir.model.access.csv; there you can set the rights for create, edit, view and delete for specific groups.
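To make the point of the answers above concrete, here is a small Python model of how Odoo applies record rules (ir.rule) when reading records. It is an added example, not Odoo's own code: the records, rules, users and group names (mrp.group_mrp_manager, mrp.group_mrp_user) are constructed for illustration, and SUPERUSER_ID = 1 mirrors Odoo's superuser. It shows why testing as the admin user proves nothing (the superuser bypasses every rule), and the difference between a global rule (no groups, applies to everyone) and a rule attached to specific groups (applies only to their members).

```python
SUPERUSER_ID = 1  # Odoo's superuser id; bypasses all record rules


def match(domain, record):
    """Evaluate a simple Odoo-style domain: an AND of (field, op, value) leaves."""
    for field, op, value in domain:
        actual = record.get(field)
        if op == '=':
            ok = actual == value
        elif op == '!=':
            ok = actual != value
        elif op == 'in':
            ok = actual in value
        else:
            raise ValueError('unsupported operator: %s' % op)
        if not ok:
            return False
    return True


def visible_records(user, records, rules, model='mrp.workcenter'):
    """Filter records the way Odoo's record rules do (simplified model):
    - the superuser sees everything, no rule is evaluated;
    - global rules (no groups) are ANDed together;
    - rules attached to groups the user belongs to are ORed together,
      and that result is ANDed with the global rules."""
    if user['id'] == SUPERUSER_ID:
        return list(records)
    global_rules = [r for r in rules if r['model'] == model and not r['groups']]
    group_rules = [r for r in rules if r['model'] == model
                   and r['groups'] & user['groups']]
    out = []
    for rec in records:
        ok_global = all(match(r['domain'], rec) for r in global_rules)
        ok_group = (not group_rules) or any(match(r['domain'], rec) for r in group_rules)
        if ok_global and ok_group:
            out.append(rec)
    return out


# Constructed sample data (not real Odoo records).
WORKCENTERS = [{'id': 1, 'name': 'Assembly'}, {'id': 2, 'name': 'Paint'},
               {'id': 3, 'name': 'Packing'}]
# Global rule: no groups, so it applies to every non-superuser.
RULES_GLOBAL = [{'model': 'mrp.workcenter', 'domain': [('id', '=', 1)],
                 'groups': frozenset()}]
# Same domain, but attached to the manager group only.
RULES_GROUPED = [{'model': 'mrp.workcenter', 'domain': [('id', '=', 1)],
                  'groups': frozenset({'mrp.group_mrp_manager'})}]

ADMIN = {'id': SUPERUSER_ID, 'groups': frozenset({'base.group_system'})}
MANAGER = {'id': 5, 'groups': frozenset({'mrp.group_mrp_manager'})}
WORKER = {'id': 7, 'groups': frozenset({'mrp.group_mrp_user'})}


def visible_ids(user, rules=RULES_GLOBAL, records=WORKCENTERS):
    return [r['id'] for r in visible_records(user, records, rules)]


if __name__ == '__main__':
    for name, user in (('admin', ADMIN), ('manager', MANAGER), ('worker', WORKER)):
        print(name, 'global rule ->', visible_ids(user),
              '| grouped rule ->', visible_ids(user, RULES_GROUPED))
```

Running the block prints that the admin sees all three work centers under either rule, while the manager is restricted to id 1 by both; the worker is restricted by the global rule but untouched by the grouped one, which is exactly the case to check when "all users" are supposed to be restricted.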
Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are members of two different roles rather than just one, and a user who has only one of the roles should be denied access.
I know you can have roles within roles, but I am wondering if there is a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using:
```csharp
using Sitecore.Security.Authentication;
var user = AuthenticationManager.GetActiveUser();
// Grant only when the active user holds BOTH roles.
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted" : "Denied";
```
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. E.g. if I allow access to an item in Role1 but deny it in Role2, a user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click the Member Of button. In the modal, click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before being given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.
Hi, I have a group system and I'd like to add some security to it.
Users can belong to multiple groups, and I'd like to know the best way to authorize people to see the groups only if they are in them. If they aren't, I want to redirect them to another page, which is different according to the group.
For now I created a service, but I have to use it in every controller...
I've heard of multiple things but am not sure if they are appropriate for my situation.
Thanks for your help
There are several different ways to do this depending on the approach/complexity. Here are a few:
1) Use Symfony ACLs. When a user is added to a particular group, you can use the Symfony ACL system to grant them view access to that group, and then later check isGranted() against that group to see if they have view permissions.
2) Create a custom voter
http://symfony.com/doc/current/cookbook/security/voters.html#creating-a-custom-voter
3) If the number of groups is limited in number, you could even use Doctrine query filters to automatically add a where clause to all queries where the group_id is in a list of allowed groups for that user. You can bypass this for all admin users. http://doctrine-orm.readthedocs.org/en/latest/reference/filters.html
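The custom-voter option (2) is the one most people end up with, and its behaviour depends on the access decision strategy as much as on the voter itself. The following is an added example, not Symfony's code: a Python model of Symfony's voter/access-decision-manager pattern for the "a user may only view groups they belong to" case. The vote constants mirror VoterInterface, and the three strategies (affirmative, consensus, unanimous) with their allow-if-all-abstain and allow-if-equal defaults mirror Symfony's options; the voter signature, user/group structures and ROLE_ADMIN shortcut are assumptions made for the example.

```python
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


def group_member_voter(user, attribute, subject):
    """Vote on VIEW of a group subject: granted only to members, denied to
    everyone else. Abstain on any other attribute or subject type."""
    if attribute != 'VIEW' or not isinstance(subject, dict) or subject.get('type') != 'group':
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if subject['id'] in user['groups'] else ACCESS_DENIED


def admin_voter(user, attribute, subject):
    """Admins may do anything; the voter abstains for everyone else."""
    return ACCESS_GRANTED if 'ROLE_ADMIN' in user['roles'] else ACCESS_ABSTAIN


def decide(voters, user, attribute, subject, strategy='affirmative',
           allow_if_all_abstain=False, allow_if_equal=True):
    """Model of the access decision manager. 'affirmative' (Symfony's default)
    grants as soon as one voter grants; 'unanimous' denies as soon as one
    voter denies; 'consensus' goes with the majority of non-abstaining votes."""
    votes = [v(user, attribute, subject) for v in voters]
    granted = votes.count(ACCESS_GRANTED)
    denied = votes.count(ACCESS_DENIED)
    if granted == 0 and denied == 0:          # every voter abstained
        return allow_if_all_abstain           # default: deny
    if strategy == 'affirmative':
        return granted > 0
    if strategy == 'consensus':
        if granted != denied:
            return granted > denied
        return allow_if_equal
    if strategy == 'unanimous':
        return denied == 0
    raise ValueError('unknown strategy: %s' % strategy)


VOTERS = [group_member_voter, admin_voter]

# Constructed sample users and subjects.
MEMBER = {'groups': {1, 2}, 'roles': {'ROLE_USER'}}
OUTSIDER = {'groups': {3}, 'roles': {'ROLE_USER'}}
ADMIN = {'groups': set(), 'roles': {'ROLE_ADMIN'}}
GROUP1 = {'type': 'group', 'id': 1}
PAGE = {'type': 'page', 'id': 9}


def can_view(user, subject, strategy='affirmative'):
    return decide(VOTERS, user, 'VIEW', subject, strategy=strategy)


if __name__ == '__main__':
    print('member  ->', can_view(MEMBER, GROUP1))
    print('outsider->', can_view(OUTSIDER, GROUP1))
    print('admin   ->', can_view(ADMIN, GROUP1), '(affirmative)',
          can_view(ADMIN, GROUP1, 'unanimous'), '(unanimous)')
    print('nobody votes on a page ->', can_view(MEMBER, PAGE))
```

Two things worth noticing: with the default affirmative strategy the admin voter's single grant wins even though the membership voter denied, while under unanimous the same request is refused; and when no voter votes at all the request is denied by default, so a voter that abstains for an unexpected subject type fails closed rather than open.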
A user is added to 2 different groups. One group is provided author access and the other group is provided editor access. The first group has user role 'A' and the second group has user roles 'A,B'. What access and roles would the user have?
The user would have the highest access level of all groups (in this case editor access) and all roles assigned to the groups (in this case A and B) in the database's ACL.
There is only one exception: if the user is listed with his own name in the ACL, then the user has only those rights, no matter which listed groups he's a member of.
The access levels are combined. However, Deny access takes precedence over Allow access.
See the docs for more info: http://www-12.lotus.com/ldd/doc/domino_notes/7.0/help7_admin.nsf/b3266a3c17f9bb7085256b870069c0a9/52f8492cea3792698525706f0065c44b?OpenDocument
Also, as the doc states, it is helpful to use the Effective Access feature within the ACL dialog to see exactly what the user's access is.
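The two answers above can be turned into a small "effective access" calculator. This is an added example, not Domino code: a Python model of the rules stated in the thread, where the access level is the highest level among the groups the user matches, the roles are the union of those groups' roles, and an ACL entry naming the user directly overrides every group entry. The level ordering follows Domino's standard levels, the fallback entry name "-Default-" follows Domino's convention, and the group and user names are constructed for the example.

```python
# Domino access levels from weakest to strongest.
LEVELS = ['No Access', 'Depositor', 'Reader', 'Author', 'Editor', 'Designer', 'Manager']


def effective_access(acl, user, groups_of_user):
    """Return (level, roles) for `user`, who is a member of `groups_of_user`.
    acl is a list of {'name', 'level', 'roles'} entries; 'name' is a user,
    a group, or '-Default-'."""
    # 1. An entry naming the user directly wins outright; group entries are ignored.
    explicit = [e for e in acl if e['name'] == user]
    if explicit:
        return explicit[0]['level'], set(explicit[0]['roles'])
    # 2. Otherwise combine all matching group entries: highest level, union of roles.
    matched = [e for e in acl if e['name'] in groups_of_user]
    if matched:
        level = max((e['level'] for e in matched), key=LEVELS.index)
        roles = set().union(*(set(e['roles']) for e in matched))
        return level, roles
    # 3. No match at all: fall back to the -Default- entry, else No Access.
    default = next((e for e in acl if e['name'] == '-Default-'), None)
    if default:
        return default['level'], set(default['roles'])
    return 'No Access', set()


# Constructed ACL mirroring the question: two groups, author vs editor.
ACL = [
    {'name': '-Default-', 'level': 'No Access', 'roles': []},
    {'name': 'Authors', 'level': 'Author', 'roles': ['A']},
    {'name': 'Editors', 'level': 'Editor', 'roles': ['A', 'B']},
]
ACL_WITH_USER_ENTRY = ACL + [
    {'name': 'Jane Doe/ACME', 'level': 'Reader', 'roles': []},
]


def access_via_groups():
    return effective_access(ACL, 'Jane Doe/ACME', {'Authors', 'Editors'})


def access_with_explicit_entry():
    return effective_access(ACL_WITH_USER_ENTRY, 'Jane Doe/ACME', {'Authors', 'Editors'})


def access_unlisted():
    return effective_access(ACL, 'Nobody/ACME', {'Marketing'})


if __name__ == '__main__':
    print('via groups       :', access_via_groups())
    print('explicit entry   :', access_with_explicit_entry())
    print('unlisted user    :', access_unlisted())
```

The second scenario is the trap the thread warns about: adding the user by name, even with a lower level and no roles, silently discards everything the groups would have granted.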
For example, take 2 extranet roles in Sitecore, Role1 and Role2.
Role1 blocks access to an item, Role2 allows access.
I need behavior that reverses the default Sitecore behavior:
5.3 How Access Rights Affect Each Other
In Sitecore, every user and role can be a member of several roles. When a security account has been assigned several roles, the access rights that the different roles possess are added together. The security account is therefore assigned the accumulated access rights of all the roles that it is a member of. However, if a security account is assigned two roles and one of the roles is denied a specific access right to an item and the other role is granted this access right to the same item, the access right is denied for this security account. In other words, deny always overrules grant when access rights are accumulated.
Is it possible to do this via some Sitecore setting or something similar?
Thanks.
What is the behaviour you want then? If someone has both Role 1 and Role 2, do you want that person to be able to see it?
In that case you'll be better off removing inheritance on Role 1 instead of denying access. Denying access basically tells Sitecore to start over from a specific point. Role 2 can then get the access again.
Have a read through this: Best Practices from TheClientView. The very first example sounds like what you're trying to achieve:
There is a role A that denies write access to a "/home/contact us" item. There is a role B that allows write access to the item. There is a user AB that should have the power of both roles A and B. But due to the explicit deny permission on the item, the user won't be able to get write access on it. When you break the security inheritance it sets permissions into the default deny state, which can be overridden by setting up explicit allow access on a role. But explicit deny access can never be overridden by explicit allow access.
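The accumulation rule quoted above, and the answer's suggestion to break inheritance instead of denying, can be checked with a small model. The following is an added example, not Sitecore code: a Python model of a content tree where each item carries explicit allow/deny entries per role and right, rights are inherited from ancestors unless inheritance is broken on the item, and the result for a user is accumulated across roles with deny overruling allow and no entry at all meaning deny. The item paths, role names and the "break inheritance applies to all accounts" simplification are assumptions for the example; real Sitecore lets you break inheritance per account.

```python
ALLOW, DENY = 'allow', 'deny'


class Item:
    def __init__(self, path, parent=None, break_inheritance=False):
        self.path = path
        self.parent = parent
        self.break_inheritance = break_inheritance
        self.entries = {}  # (role, right) -> ALLOW | DENY

    def set_right(self, role, right, value):
        self.entries[(role, right)] = value


def resolve_for_role(item, role, right):
    """Nearest explicit entry for this role walking up the tree.
    An explicit entry on the item itself always counts; inheritance from
    the parent stops at an item whose inheritance is broken."""
    node = item
    while node is not None:
        if (role, right) in node.entries:
            return node.entries[(role, right)]
        if node.break_inheritance:
            return None
        node = node.parent
    return None


def has_access(item, roles, right):
    """Accumulate across the account's roles: any explicit deny overrules
    every allow; with no allow anywhere the default is deny."""
    results = [resolve_for_role(item, role, right) for role in roles]
    if DENY in results:
        return False
    return ALLOW in results


def deny_scenario():
    """The quoted case: A denies write on the item, B allows it."""
    home = Item('/home')
    home.set_right('C', 'write', ALLOW)          # inherited by children
    contact = Item('/home/contact us', parent=home)
    contact.set_right('A', 'write', DENY)
    contact.set_right('B', 'write', ALLOW)
    return contact


def break_scenario():
    """The answer's fix: break inheritance (default deny), allow only B."""
    home = Item('/home')
    home.set_right('C', 'write', ALLOW)
    contact = Item('/home/contact us', parent=home, break_inheritance=True)
    contact.set_right('B', 'write', ALLOW)
    return contact


if __name__ == '__main__':
    for label, item in (('explicit deny', deny_scenario()), ('broken inheritance', break_scenario())):
        print(label, '| AB:', has_access(item, ['A', 'B'], 'write'),
              '| A:', has_access(item, ['A'], 'write'),
              '| C (inherited):', has_access(item, ['C'], 'write'))
```

With the explicit deny, user AB loses write access no matter what B allows; with inheritance broken instead, AB gets access through B, a user holding only A is still denied (default deny, nothing allows it), and a role that was allowed further up the tree, C here, also loses access, which is the side effect to check before choosing that route.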