Roles / ACL / Authentication

Vote:
 

Hi all,

I've been trying to figure out the best method to allow permissions across both a website made in episerver and CMS itself, but I can't seem to get a procedure downpat.

Essentially what I want is to create groups with the following permissions:

- Editors: Can only see edit within the CMS and can edit/create pages.

- Publishers: Can only see edit within the CMS, can edit/create pages and publish them.

- General Admin: Can see edit within the CMS, and limited admin options.

- Superuser: All options open.

Now I know there are some default options I can use, but I'd like some information on how I can define these things, whether that's a database change, change in web.config, or within the CMS itself it would be great to know.

#91168
Sep 29, 2014 6:28
Vote:
 

What about creating my own custom roles within the web config? I saw a few lines changed but I couldn't gather how they got the permissions...

I've just found this: http://world.episerver.com/Articles/Items/Authentication-and-Authorization-in-EPiServer-CMS-61/, but not sure about the whole ASP configuration stuff and how it currently works with episerver. Do you know where I can find info on this to help me understand it better? Thanks.

#91211
Sep 30, 2014 1:27
Vote:
 

What do you mean by creating your own roles in web.config? You can create new roles/groups in Admin mode.

However, there are three (?) authorization rules in web.config to restrict access to UI, Edit- and Admin mode. For those cases I usually use the virtual roles CmsAdmins and CmsEditors, which are defined in episerverFramework.config. I think the default groups are WebEditors and WebAdmins out-of-the-box. By doing that I only need to change them in one place if I want to allow more groups to e.g. Edit mode. You have to define these groups anyways, since they are used by EPiServer in authorization attributes in MVC actions.

I don't know if that made it any clearer, or if I just made it more complicated for you :)

#91212
Sep 30, 2014 3:06
Vote:
 

What if, for example. I want to allow a particular group access to the Admin mode, but restrict certain options within the Admin section.

Otherwise I understand where you're coming from with the assigning groups to the WebEditors and WebAdmins. I've just gotten a directive to see if we can further customise specific options within these sections.

#91213
Sep 30, 2014 3:11
Vote:
 

There are no access levels within Admin mode. It's all or nothing. Except for your own plugins in Admin mode, where you have full control over the authorization.

#91214
Sep 30, 2014 3:15
Vote:
 

Ok. Thanks for that. Just one more question...

If I wanted to create a group (eg. FooGroup) that has the virtual role of CmsEditor, I would have to define them in episerverFramework.config? Or is there a more convenient way of assigning a group to a group/role?

#91215
Sep 30, 2014 3:28
Vote:
 

Yes, you have to add them in episerverFramework.config. However, I would not recomend to use these virtual roles for setting access rights on pages. Just use these groups to grant access to Edit and/or Admin mode and nothing more. Then create additional groups for different editor access levels.

#91216
Sep 30, 2014 3:38
Vote:
 

Does that mean I have to put the users in both groups then? (ie the edit/admin access group, and the page permissions group)

#91217
Edited, Sep 30, 2014 3:51
Vote:
 

Yes. That's best practice. Otherwise your client can't just create new groups from Admin mode, they also have to change the config files (which forces a recycle of the application by the way).

#91218
Sep 30, 2014 3:58
Vote:
 

Ok cool. Thanks very much for your help Johan. :)

#91219
Sep 30, 2014 4:01
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.