Setting up User Groups while using Azure AD

I am trying to set up a User Group in Episerver to give access rights to edit portions of the website while the rest of the site is read-only. Right now, we only have the out-of-the-package virtual roles set up, but access to those roles is managed within Azure AD groups and not within Episerver itself. We have had no trouble using this method to grant access rights, and users can log in without issue. However, all documentation, such as this page on access rights in the CMS, is not helpful because, within our configuration of Episerver, all of the access rights options are grayed out.

In this situation, role-based authorization doesn't seem to work since we want to limit portions of the site, and not specific blocks or controllers.

Can anyone provide information on how to allow access rights to be customized for User Groups or roles outside of using the CMS?

We are on Version 10.10.1.0.

#197707
Oct 10, 2018 21:11
Hello Paige

You need to create the Azure AD roles to allow access to the sections of the site you need. Log in once with someone who is a member of those roles (so Episerver gets a cache of the role name), then use admin > Set access rights to assign those roles to the sections of the tree you want to restrict.

If the section in the tree is greyed out you need to untick "Inherit settings from parent item" to allow the access rights to be set for that part of the tree.

David

#197708
Edited, Oct 10, 2018 21:27
David, 

Is there another place besides web.config that I need to define custom virtual roles? I removed myself from all roles except the new role, and I can log into the CMS but it appears that I do not have access to the CMS, and I get the following error in the browser: ERR_TOO_MANY_REDIRECTS

The FormsEditors role is the new one I added, but the following is how I have it set up.

<virtualRoles addClaims="true">
  <providers>
    <add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
    <add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
    <add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
    <add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
    <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
    <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />
    <add name="FormsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="FormsUsers, WebEditors" mode="Any" />
    <add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
    <add name="PackagingAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
  </providers>
</virtualRoles>

I checked the CMS before adding this to web.config, and unchecking the box you mentioned appeared to allow me to modify the tree, but with the addition of this new role in the code, it doesn't seem to find it. What can I do to have the CMS acknowledge this new role?

#197744
Oct 11, 2018 23:10
Hi Paige,

Looking at your virtual roles configuration, you are using the Episerver default groups WebAdmins and WebEditors - these groups are by default used (and should only be used) for managing access to the Episerver UI edit and admin views. So what you have now effectively done to your account is that you have removed your access to the edit and admin views. So you are now authenticated, but you are not authorized for the edit or admin view paths (see my p.s. comment at the bottom).

So in your access configuration you most likely would like to have a role/claim/group for editing the site content (set the access rights for this), and then you would have this FormsEditors group that would only have access to edit the forms. So then, if the user should only be able to edit forms, you would give them in AD the role WebEditors (so that they can see the Episerver edit view) and then you would also give them the role FormsUsers (so that they can edit forms). The virtual role config now says that all WebEditors have the FormsEditors virtual role, so the FormsUsers AD role is not needed, OR you need to change the config and remove WebEditors from the virtual role. The next question is whether you really need the virtual role at all, as you could also use the FormsUsers role from AD to set the access rights - but if you had, say, a SitePublishers role in AD and only some logins have this role, then this role could also be used in the virtual roles config so that if a user has the role FormsUsers or SitePublishers, they will match the virtual role FormsEditors -> can edit forms.

p.s. Look at the web.config location elements for the Episerver UI URL and util, and their authorization elements. Those are the roles used to allow access to the UI and util paths.

#197794
Oct 13, 2018 20:22
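As an added illustration of the mapping Antti describes (this is not configuration from the thread or from Episerver's own templates): a web.config fragment in which FormsEditors is mapped only from the forms-specific AD groups, so that plain WebEditors no longer match it, alongside the location elements his p.s. refers to. The group names FormsUsers, SitePublishers, WebEditors and WebAdmins are the ones named in this thread; the `EPiServer` and `util` path names and their authorization elements follow the shape of the standard Episerver web.config, and the exact path values in a given site should be checked against that site's own web.config.

```xml
<!-- Added example, not from the thread. Azure AD group names are those used in this thread. -->
<configuration>
  <episerver.framework>
    <virtualRoles addClaims="true">
      <providers>
        <!-- Who may enter the CMS edit/admin views: map these only to the
             default Episerver groups. -->
        <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebAdmins, Administrators" mode="Any" />
        <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebEditors" mode="Any" />
        <!-- Who may edit forms: a separate set of AD groups. WebEditors is
             deliberately NOT listed, because mode="Any" means membership in any
             one listed group is enough, and listing WebEditors would make every
             editor a FormsEditor. Assign FormsEditors on the 'Episerver Forms'
             root node under admin > Set access rights. -->
        <add name="FormsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="FormsUsers, SitePublishers" mode="Any" />
      </providers>
    </virtualRoles>
  </episerver.framework>

  <!-- The location elements gate the UI paths. A user who is in FormsUsers but
       not in WebEditors is authenticated but denied here, which is the
       "authenticated but not authorized" state described above. A forms-only
       editor therefore needs BOTH an AD group that opens the UI (WebEditors)
       and one that maps to FormsEditors (FormsUsers). -->
  <location path="EPiServer">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="util">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The split keeps two decisions separate: the location elements decide who can open the editing UI at all, and the access rights on the content tree (set per virtual role or AD group) decide what each person may do once inside. Removing a group from one of the two without checking the other is what leaves an account logged in but unable to reach the views it expects.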
Antti,

Thank you, your answer was very helpful. I have one more question: what permissions need to be given so that someone can add a form using Episerver Forms by clicking the plus button in the Episerver folder on the right of the CMS screen? I have found that, while I am an admin, it is accessible, but when I am using my created role, it is not. I have given the role all access on certain parts of the site, but I would like for them to be able to create a form, as the name implies.

#197939
Edited, Oct 17, 2018 15:53
Hi Paige,

Most likely you have not correctly set up the access rights if you can't create a new Episerver Forms form container (aka a new form).

Log in to Episerver with an account that has access to the admin view. In the admin view, click 'Set access rights' under the Admin tab (making the assumption that your site is not using site-specific assets; this is configured in admin -> Config tab -> Manage Websites -> select your site, and by default the checkbox for site-specific assets is not checked).

  • in the access rights view you are presented with the hierarchical content structure (assuming you just have one site now)
  • expand the node 'For All Sites'
  • select the 'Episerver Forms' (this is the Forms root node)
  • under the content tree you can see the current access rights for this node (and by default the settings are inherited to child nodes)
    • if you have no user groups listed here, it means no one can create new forms
  • so I'm once again assuming that you have this new role/claim called: FormsEditors (virtual role or coming from AD)
    • if the role is not listed then you need to add it
      • click Add Users/Groups
      • in the dialog select Type: Groups and click search (you can also type the name of your group to the name field)
      • in the list double click the FormsEditors or select and click the arrow to right button to move it to the right column
      • click OK
    • in the access rights view make sure that you have selected the checkboxes on the line it has your group name
      • read, create, change, delete, publish, administer
    • select the 'Apply settings for all subitems' checkbox
    • click Save (click, OK, you are sure)

With the above you have created simple, very high-level access rights, which you could fine-tune to be more fine-grained (e.g. someone can create a form but cannot publish it).

See the CMS access rights help here and expand the node '—Table: Explanation of each access type—' to see the explanation of each item.

You could also limit form container creation by setting the create access right on the content type: Admin view -> Content Type tab -> under 'Block Types' select the content type "[Forms] Form container" and in the right panel click 'Settings'. At the bottom there is 'Access level', and by default Everyone can create this type. So if you want to limit it here, uncheck the checkbox for Everyone and then use the 'Add Users/Groups' button to add your group and allow only it to create the content type. But most likely the case above is what you need/want.

And a humble request: if you think my answer solves your case, could you please mark it as the answer? ;-D (You can also vote up David's answer, because I think that answered your AD question.)

#197946
Edited, Oct 17, 2018 18:05