CMS newbie here, playing with workflows and all that that involves. Through this example scenario, I would like to know if I am using the system as intended and/or have a wrong understanding of how roles, memberships, access rights, etc., work within the EPiServer context (or in general).
I have this setup:
a sequential approval workflow that is triggered by the PageCheckedIn event
the approver is a mapped role (i.e. a virtual role), "PublishApprovers", that maps to the WebEditors role (which is also a group? Still getting used to the terminology)
the virtual role has permission to publish all pages.
When I hit the "Ready to Publish" button for a page, I observed that the workflow was not triggered. When I tried to start the workflow manually, I got the following error message: "User PublishApprovers, has not read or publish access for New Page".
After digging through the code a bit, it seems like a significant point of failure is when the mapped virtual role provider checks the following:
// IPrincipal principal = the virtual role as a System.Security.Principal.GenericPrincipal instance
// role = "WebEditors", which is the only role that the MappedRole maps to in the "roles" attribute in web.config in my example
principal.IsInRole(role)
The IsInRole method evaluates to false. Question 1: Does this look like THE reason why my virtual role is not recognized as having publish rights and thus failing to start my workflow?
Taking cues from this thread, I created a group in the Admin view called "PublishApprovers" (to match the virtual role name). I did not make any other changes, such as assigning users to this new group. I checked in another page, and the workflow was now triggered as usual (and could successfully be started manually)*.
I could stop here and say that this is the "fix", but I am not 100% sure that this method is the "right" thing to do, primarily because I am having trouble reconciling "virtual" roles with having to create an actual, matching group in the database in order for things to work properly. Some questions:
Is this the "right" way to use the system? Is it an "OK" way?
Are there any concepts, terms, etc., that I am not understanding in the right way?
* I also observed that
principal.IsInRole(role)
is never evaluated with the virtual role as a GenericPrincipal during the workflow start process.