November Happy Hour will be moved to Thursday December 5th.

CMS Permissions

Vote:
 

Hi All,

I'm struggling to find a way of restricting access to CMS for employees who need access and edit the web site/pages, add content etc but do not necessarily need access to any user information.

I may be missing something but I can see how to restrict access for groups to pages within the site but no way of restricting CMS permissions and views. Can someone point me in the right direction please.

Thanks in advance,

J

#185718
Nov 30, 2017 11:05
Vote:
 

James,

This page explains how Access Rights work in the CMS: webhelp.episerver.com/latest/cms-admin/access-rights.htm. Are you placing all CMS users into the WebAdmins group?

#185749
Nov 30, 2017 17:14
Vote:
 

http://webhelp.episerver.com/latest/cms-admin/access-rights.htm 

Right link for Bob's post 

#185750
Nov 30, 2017 17:31
Vote:
 

Hi,

Sorry for the delay in coming back. Yes everyone is in webadmins group at present which isnt ideal. All the documents talk of inbuilt groups which are limited there doesnt appear to be a way to give people access to different areas of cms.

Thanks,

J

#186253
Dec 14, 2017 16:33
Vote:
 

J,

You can assign to groups or users various access rights to specific nodes in the page tree. For example, look at this image from the Epi CMS UI: https://ibb.co/eEvTVR.

The Everyone group can only view content in the Marketing node, while Ann has full capabilities. Does this screen address your need to give different people/groups access to different areas of cms?

#186256
Dec 14, 2017 17:11
Vote:
 

Hi Bob,

I'm all about restricting the visibility of user data. So we have a saas application running on another url but users log on to episerver to then access the app. This means we hold email addresses, user names and company details in epi server. Ideally i'd like the team that setup the users and a restricted number of administrators to be the only people able to access this data. The team that setup the users dont need to edit sites or administer episerver in anyway other than setup the user. I cant see anyway to allow them to setup users without them being webadmins?

On a separate note I've tested using the webeditors group so at least our marketing dept etc wouldn't  have access to the user details. Even though I've given the group read, create, change, delete and publish permissions to the entire tree I don't appear to be able to edit the pages via cms it just comes up blank. Is this something setup in the config files possibly?

Thanks for your help with this, much appreciated.

J

#186345
Dec 18, 2017 12:26
Vote:
 

Something you could try is to create a location path directly to the view for creating users if that is the only part they should access. And give them direct url like: http://localhost/EPiServer/CMS/Admin/EditUser.aspx

  <location path="EPiServer/CMS/admin/edituser.aspx">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators, NEWGROUPNAME" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

You would also need to make their group be able to access in my case /EPiServer because css/js files are located below:

<location path="EPiServer">
    <system.web>
     ....
     ....
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators, NEWGROUPNAME" />
        <deny users="*" />
      </authorization>

Then give this group only read access to the pages in the site.

#186360
Dec 18, 2017 16:03
Vote:
 

Please review the help topic "Access Rights." The link appears above in an earlier thread. It says this about the WebEditors group "Add users to this group who need access to the edit view. Then add the users to other groups to give them specific edit rights to content. On large websites, editors are often organized in groups according to content structure or languages." 

Have you followed the instructions following "Then"?

#186376
Edited, Dec 18, 2017 22:53
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.