I would like to create a user/login to our Episerver solution. This user should be able to access the Catalog UI interface, but the user should not be able to access the CMS editor and not be able to edit CMS pages.
I have created the CatalogUI role in our solution, and created a virtual role in web.config:
This allows the a user with the CatalogUI role to access the Catalog UI interface. Good. But if I only grant the user the CatalogUI role, the user is unable to login.
I have fixed this by adding the CatalogManagers virtual role to the list of allowed roles for the EPiServer location:
Now the user can login, but he can access the CMS editor. However it looks as if the user can only browse the CMS editor and not actually modify anything.
I would prefer if the user was unable to open the CMS editor at all, so I tried to deny the user access to the EPiServer/CMS location:
I can't open the CMS editor, and I can still access the CatalogUI but I get an error about access to things under EPiServer/CMS/Stores not being allowed. Then I gave the user access to this path:
Now I'm stuck. What can I try next? It looks as if I can't block access to the CMS editor by blocking access to the path EPiServer/CMS.
Is this as far as I can get? It looks as if I now have a user that can access the Catalog UI but the user can also access the CMS editor, even though the user doesn't have permission to change anything in the CMS editor?