Grant Access to One Channel
Important note when using the walkthroughs
When the walkthroughs refer to some YAML configuration, in general it is meant that you import this YAML into a locally running repository via the Console with auto-export enabled. If however you copy a YAML blob directly into your IDE without auto-export, you have to uncomment the following lines if present in the YAML:

#.meta:category: system
#.meta:add-new-system-values: true
The reason for this is that auto-export implicitly knows to add this meta info for some properties, whereas the YAML import in the Console does not support .meta lines. Thus, you have two options when following the walkthroughs:
- Copy the YAML snippet as-is into the Console with auto-export running
- Copy the YAML snippet to your IDE while uncommenting the commented meta info
Introduction
Goal
Grant a group access only to a specific channel and its content.
Use Case
The use case is based on a Bloomreach Experience Manager project created using the Maven archetype, with the News feature added and a French translated channel added.
The project contains the following content root folders:

/content
  /documents
    /myproject
    /monprojet
    /administration
  /assets
    /myproject
    /monprojet
  /gallery
    /myproject
    /monprojet
You want to create two groups:
- french-authors
- french-editors
You want to grant French authors:
- author privileges in /content/documents/monprojet (so they can create French documents)
- author privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
- readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can actually write to the asset and image nodes)
You want to grant French editors:
- editor privileges in /content/documents/monprojet (so they can publish French documents)
- editor privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
- readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can actually write to the asset and image nodes)
You want to deny both French authors and French editors access to /content/documents/myproject and /content/documents/administration.
You want French authors and French editors to only be able to access the French preview channel (Mon Projet) in the Experience manager.
You want French editors to be able to edit the French channel.
You want French authors to be able to preview the French channel but not edit it.
Strategy
To set up the privileges as explained above you will customize the security configuration as follows:
- Create a French test author and a French test editor (local development only)
- Create a French editor group and a French author group with the required userroles (configuration)
- Create a new domain for the French documents, gallery and assets, granting French authors/editors the role author/editor
- Create a new domain for the French gallery and assets, granting French authors/editors the role readwrite (this is needed for authors/editors to be able to save gallery/asset documents)
Preliminary
Log in to the Console as admin and make sure that auto-export is on.
Create Test Users
Note: the steps below for creating users can also easily be done in the CMS UI.
In the Console, below /hippo:configuration/hippo:users, add a French test author and editor by importing the following YAML:

/french-author:
  jcr:primaryType: hipposys:user
  hipposys:active: true
  hipposys:password: french-author
  hipposys:securityprovider: internal

and

/french-editor:
  jcr:primaryType: hipposys:user
  hipposys:active: true
  hipposys:password: french-editor
  hipposys:securityprovider: internal

Note that the users created above won't be auto-exported but need to be manually added to local YAML files below /repository-data/application/src/main/resources/hcm-config.
Create the French Editor / Author Groups
Note: the steps below for creating groups can also easily be done in the CMS UI.
In the Console, below /hippo:configuration/hippo:groups, add:

/french-authors:
  jcr:primaryType: hipposys:group
  hipposys:members:
    #.meta:category: system
    #.meta:add-new-system-values: true
    type: string
    value: [french-author]
  hipposys:securityprovider: internal
  hipposys:userroles: [xm.cms.user, xm.content.user, xm.channel.user, xm.report.user, xm.dashboard.user, xm.channel.viewer]

and

/french-editors:
  jcr:primaryType: hipposys:group
  hipposys:members:
    #.meta:category: system
    #.meta:add-new-system-values: true
    type: string
    value: [french-editor]
  hipposys:securityprovider: internal
  hipposys:userroles: [xm.cms.user, xm.content.user, xm.channel.user, xm.report.user, xm.dashboard.user, xm.channel.webmaster]
The above is pretty trivial, but pay careful attention to the userroles. The default editor and author groups have only one userrole each, xm.default-user.editor and xm.default-user.author respectively. Assigning these default userroles to the French groups would however also show the non-French documents to the French users, because the default userroles inherit from xm.content.author / xm.content.editor, which grant the author/editor role on the default /hippo:configuration/hippo:domains/content domain, which is exactly what we don't want. Therefore we have to explicitly define per French group which userroles it gets. Both French editors and authors should see:
- The Content application hence: xm.content.user
- The Experience manager application hence: xm.channel.user
- The Content reports application hence: xm.report.user
- The Home application hence: xm.dashboard.user
The French editors however should be webmaster on the French channel and the French authors should be viewer on the French channel, and therefore require the xm.channel.webmaster and xm.channel.viewer userroles respectively. See the default provided userroles for more details.
Note 2: once the above setup works locally, it is best to remove the test members 'french-author' and 'french-editor' from the groups again, since it is cleaner not to deploy them as-is to production. If you want to do it really clean, add the creation of the users to the development bootstrap data and, in the main.yaml of the development module, add the users to the groups (the groups themselves are application configuration, not development configuration):

definitions:
  config:
    /hippo:configuration/hippo:groups/french-authors:
      hipposys:members:
        operation: add
        type: string
        value: [french-author]
    /hippo:configuration/hippo:groups/french-editors:
      hipposys:members:
        operation: add
        type: string
        value: [french-editor]
Customize Security Domains
Note: the steps below for creating domains cannot be done in the CMS UI; assigning groups and users to the domains, however, can be done in the CMS UI.
Similar to the default /hippo:configuration/hippo:domains/content domain, we now need a domain for the French documents, gallery items and assets, hence the following domain is needed:

/content-french:
  jcr:primaryType: hipposys:domain
  /content-domain:
    jcr:primaryType: hipposys:domainrule
    /content-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/documents/monprojet
  /assets:
    jcr:primaryType: hipposys:domainrule
    /assets-french:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:filter: false
      hipposys:type: Reference
      hipposys:value: /content/assets/monprojet
  /gallery:
    jcr:primaryType: hipposys:domainrule
    /gallery-french:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:filter: false
      hipposys:type: Reference
      hipposys:value: /content/gallery/monprojet
  /author:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: [french-authors]
    hipposys:role: author
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []
  /editor:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: [french-editors]
    hipposys:role: editor
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []

Note that the group name in the editor authrole must match the group created above exactly (french-editors, plural); a misspelled group name silently grants nothing.
The above domain makes sure that French editors have the role editor below the French documents, gallery items and assets and, likewise, that French authors have the role author.
We are still missing one domain, comparable to the default domain /hippo:configuration/hippo:domains/non-publishable-readwrite. The role author or editor does not give you the jcr:write privilege needed to actually write to JCR nodes. In general this is not needed, since the workflow user session does the writing. However, editors and authors do need an explicit jcr:write privilege on:
- Document drafts they are the holder of
- Image sets and assets, to be able to write to these nodes
The first is covered throughout the entire repository by the standard provided draft-document-holder-readwrite security domain. For gallery items and assets, however, there are no drafts of which you can be the holder, therefore the following domain is needed to grant the role readwrite to the French editors and authors on French gallery items and assets:

/content-french-assets-images-readwrite:
  jcr:primaryType: hipposys:domain
  /readwrite:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: [french-editors, french-authors]
    hipposys:role: readwrite
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []
  /french-assets-domain:
    jcr:primaryType: hipposys:domainrule
    /documents-only:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: hippo:availability
      hipposys:type: String
      hipposys:value: live
    /non-publishable:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: false
      hipposys:facet: nodetype
      hipposys:type: String
      hipposys:value: hippostd:publishable
    /french-assets-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/assets/monprojet
  /french-gallery-domain:
    jcr:primaryType: hipposys:domainrule
    /documents-only:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: hippo:availability
      hipposys:type: String
      hipposys:value: live
    /non-publishable:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: false
      hipposys:facet: nodetype
      hipposys:type: String
      hipposys:value: hippostd:publishable
    /french-gallery-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/gallery/monprojet
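The two mistakes that are easy to make in the configuration above are a userrole that silently re-grants the default content domain (the point made under the groups section) and an authrole that names a group which does not exist, such as french-editor instead of french-editors. Both are invisible in the CMS until someone logs in and sees too much or too little. The script below is an added example, not part of this walkthrough nor of Bloomreach's code: it mirrors the groups and domains from this page as constructed Python dictionaries (so it runs offline without a YAML parser), lints them for those two mistakes, checks that every jcr:path reference points into a known content folder, and computes which roles a member of each group ends up with on each referenced path. The list of "broad" userroles and the content folder list are assumptions taken from the text of this walkthrough; the simulation only looks at jcr:path facetrules and ignores the availability/nodetype facetrules, so it over-approximates what the readwrite domain matches.

```python
import copy

# Content folders of the walkthrough project (constructed from the page's tree).
CONTENT_FOLDERS = [
    "/content/documents/myproject", "/content/documents/monprojet",
    "/content/documents/administration",
    "/content/assets/myproject", "/content/assets/monprojet",
    "/content/gallery/myproject", "/content/gallery/monprojet",
]

# Mirror of /hippo:configuration/hippo:groups/french-* from the page.
COMMON_USERROLES = ["xm.cms.user", "xm.content.user", "xm.channel.user",
                    "xm.report.user", "xm.dashboard.user"]
GROUPS = {
    "french-authors": {"members": ["french-author"],
                       "userroles": COMMON_USERROLES + ["xm.channel.viewer"]},
    "french-editors": {"members": ["french-editor"],
                       "userroles": COMMON_USERROLES + ["xm.channel.webmaster"]},
}

# Assumption from the walkthrough text: these userroles inherit author/editor on
# the default /hippo:configuration/hippo:domains/content domain, so a
# channel-scoped group carrying them would see the non-French folders again.
BROAD_USERROLES = {"xm.default-user.author", "xm.default-user.editor",
                   "xm.content.author", "xm.content.editor"}


def path_rule(path):
    """One hipposys:facetrule on jcr:path, type Reference, equals true."""
    return {"facet": "jcr:path", "type": "Reference", "equals": True, "value": path}


# Mirror of the two domains from the page (jcr:path facetrules only).
DOMAINS = {
    "content-french": {
        "domainrules": {
            "content-domain": [path_rule("/content/documents/monprojet")],
            "assets": [path_rule("/content/assets/monprojet")],
            "gallery": [path_rule("/content/gallery/monprojet")],
        },
        "authroles": {
            "author": {"role": "author", "groups": ["french-authors"]},
            "editor": {"role": "editor", "groups": ["french-editors"]},
        },
    },
    "content-french-assets-images-readwrite": {
        "domainrules": {
            "french-assets-domain": [path_rule("/content/assets/monprojet")],
            "french-gallery-domain": [path_rule("/content/gallery/monprojet")],
        },
        "authroles": {
            "readwrite": {"role": "readwrite",
                          "groups": ["french-editors", "french-authors"]},
        },
    },
}


def check_userroles(groups, broad=BROAD_USERROLES):
    """{group: [broad userroles]} for groups that would leak the default content domain."""
    return {name: sorted(set(g["userroles"]) & broad)
            for name, g in groups.items() if set(g["userroles"]) & broad}


def check_group_refs(domains, groups):
    """(domain, authrole, group) for every authrole naming a group that does not exist."""
    return [(dname, aname, g)
            for dname, domain in domains.items()
            for aname, authrole in domain["authroles"].items()
            for g in authrole["groups"] if g not in groups]


def check_path_refs(domains, folders):
    """(domain, domainrule, path) for jcr:path references outside the known folders."""
    def known(path):
        return any(path == f or path.startswith(f + "/") for f in folders)
    return [(dname, rname, rule["value"])
            for dname, domain in domains.items()
            for rname, rules in domain["domainrules"].items()
            for rule in rules if rule["facet"] == "jcr:path" and not known(rule["value"])]


def effective_roles(user_groups, domains):
    """Map each referenced path to the set of roles a member of user_groups gets there."""
    roles = {}
    for domain in domains.values():
        granted = {a["role"] for a in domain["authroles"].values()
                   if set(a["groups"]) & set(user_groups)}
        for rules in domain["domainrules"].values():
            for rule in rules:
                if granted and rule["facet"] == "jcr:path" and rule["equals"]:
                    roles.setdefault(rule["value"], set()).update(granted)
    return roles


def broken_editor_ref():
    """Constructed variant with the typo french-editor (singular) in the editor authrole."""
    domains = copy.deepcopy(DOMAINS)
    domains["content-french"]["authroles"]["editor"]["groups"] = ["french-editor"]
    return domains
```

Run the checks against the real configuration and the typo variant: check_group_refs(DOMAINS, GROUPS) is empty, while check_group_refs(broken_editor_ref(), GROUPS) reports ('content-french', 'editor', 'french-editor'). effective_roles(['french-authors'], DOMAINS) gives author on /content/documents/monprojet and author plus readwrite on the French assets and gallery folders, and contains no entry at all for /content/documents/myproject, which is exactly the deny-by-default behaviour the walkthrough relies on.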
Verify
Log in to the CMS as french-author and verify that you can:
- browse the 'monprojet' content folder
- create subfolders in the 'monprojet' folder
- create and edit documents in the 'monprojet' folder
- upload and use images in the 'monprojet' gallery folder
- use images in the 'myproject' gallery folder
- upload and use files in the 'monprojet' assets folder
- use files in the 'myproject' assets folder
- request publication for documents in the 'monprojet' tree
- preview the Mon Projet channel
- see the Mon Projet
Verify that you can't:
- see the 'myproject' and 'administration' folders
- see the My Project channel
- edit the Mon Projet channel
- upload images or create subfolders in the 'myproject' gallery folder
- upload files or create subfolders in the 'myproject' assets folder
Do the same for french-editor and also verify that she can:
- publish documents in the 'monprojet' folder
- accept or reject publication requests in the 'monprojet' folder
- edit the Mon Projet channel