CmsEditors is a built-in role that you need to map your custom roles against. So, this is probably what you need:
{
  "Episerver": {
    "Cms": {
      "MappedRoles": {
        "Items": {
          "CmsEditors": {
            "MappedRoles": [
              "Editor",
              "limitedEditor"
            ]
          }
        }
      }
    }
  }
}
I've excluded CmsAdmins now, which is also a built-in role that you need to map your custom roles against. But I assume you get the point.
The above configuration can also be done via code:
services.Configure<VirtualRoleOptions>(options => options.Roles ... );
I recommend that you stick with the built-in roles CmsEditors and CmsAdmins, but you can configure the application to use other roles as well. But add-ons and other external code might depend on these because they have hard-coded these.
services.Configure<CmsPolicyOptions>(options => options.EditRoles .... );
Now when I read your post again, it's a bit unclear what you actually want to achieve and what your issue is. But I assume you have custom roles in your claims, and you want to give these users access to edit and/or admin mode? If that's the case, then you need to map them against CmsEditors and CmsAdmins, just like in my example. You don't need to build a custom virtual role for this. A custom virtual role is only needed if you have more complex requirements, e.g. users of a certain age living in city X should be members of this group. But if you then want these users to have access to edit mode, you need to map this role as well to CmsEditors.
Sounds like Trond wants to create the programmatic version of the config example you wrote, Johan. Which, as you mention, I don't think can be done.
The code example in the documentation isn't a direct one-to-one alternative to the config. If you want to create a mapped role, then do it via the config, which I believe you described, Trond, you already did.
I need the limiteduser to only have access to edit a sub path of the site. Today the cmsEditor has access to edit the whole site.
When I do it like the example below, limitedEditor also has edit rights for every page and subpage.
{
  "Episerver": {
    "Cms": {
      "MappedRoles": {
        "Items": {
          "CmsEditors": {
            "MappedRoles": [
              "Editor",
              "limitedEditor"
            ]
          }
        }
      }
    }
  }
}
Maybe it's better to configure CmsEditors to only have read access to the pages? And then I open up write/edit access for the different users like below:
"Cms": {
  "MappedRoles": {
    "Items": {
      "CmsEditors": {
        "MappedRoles": [
          "WebEditors",
          "superUser",
          "limitedUser"
        ]
      },
      "superuser": { // has edit access on all pages
        "MappedRoles": [
          "superUser"
        ]
      },
      "limiteduser": { // has edit access on a subset of pages
        "MappedRoles": [
          "limitedUser"
        ]
      }
    }
  }
}
Yes, that's what you need to do. If you want to limit access to certain parts of the content tree, you should not assign any content permissions to CmsEditors. Use this group to only gain access to edit mode.
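A simplified model of the two separate checks discussed in this thread (mapping a claim role to CmsEditors for edit-mode access, then content permissions per subtree), as an added example that is not part of any post and not Optimizely's own code. The ACL tables, the paths and the nearest-ancestor inheritance rule are assumptions constructed for illustration.

```python
import json

# Mapped-roles section as posted in the thread.
APPSETTINGS = json.loads("""
{"Episerver": {"Cms": {"MappedRoles": {"Items": {
  "CmsEditors": {"MappedRoles": ["Editor", "limitedEditor"]}
}}}}}
""")

# Constructed content ACLs: path -> {role: access levels}.
# A path without its own entry inherits from its nearest ancestor (assumption).
ACL_BROAD = {"/": {"CmsEditors": {"read", "edit"}}}
ACL_SCOPED = {
    "/": {"CmsEditors": {"read"}, "Editor": {"read", "edit"}},
    "/campaign": {"Editor": {"read", "edit"},
                  "limitedEditor": {"read", "edit"}},
}

EDIT_MODE_ROLES = {"CmsEditors", "CmsAdmins"}


def effective_roles(claims, settings=APPSETTINGS):
    """Claim roles plus every built-in role they are mapped to."""
    items = settings["Episerver"]["Cms"]["MappedRoles"]["Items"]
    roles = set(claims)
    for builtin, cfg in items.items():
        if roles & set(cfg["MappedRoles"]):
            roles.add(builtin)
    return roles


def inherited_acl(path, acl):
    """Walk up from path to the nearest node that has its own ACL."""
    while path not in acl and path != "/":
        path = path.rsplit("/", 1)[0] or "/"
    return acl.get(path, {})


def can_edit(claims, path, acl, settings=APPSETTINGS):
    roles = effective_roles(claims, settings)
    if not roles & EDIT_MODE_ROLES:       # check 1: access to edit mode
        return False
    entries = inherited_acl(path, acl)    # check 2: content permission
    return any("edit" in entries.get(role, ()) for role in roles)
```

With `ACL_BROAD` every user mapped to CmsEditors can edit the whole tree; with `ACL_SCOPED` the mapping only opens edit mode and the role-specific entries decide which subtree is editable.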
I tried to map a virtual provider something like this (not real names):
When I log in with a user with the “Editor” claim (from the identity manager), I get all rights as expected.
If I log in with a user with the claim “limitedEditor”, I have no access, and find in the log that it has to be in role CmsEditors or CmsAdmin. I have added the group to the root of the CMS and inherit to all the sites in the page in admin/AccessRights with read access. I also give write access to subpages that need this.
I tested adding the limitedEditor role to CMSEditors to see if the user works, and I was logged in as expected, but with all rights.
In the documentation docs.developers.optimizely.com/content-cloud/v12.0.0-content-cloud/docs/virtual-roles I see that we can register the virtual role programmatically.
I tried to create a simple CustomVirtualRoleType and add it to the startup as in the code example:
services.AddVirtualRole<CustomVirtualRoleType>("limitedEditors");

public class CustomVirtualRoleType : VirtualRoleProviderBase
{
    public CustomVirtualRoleType()
    {
        SupportsClaims = true;
        EnableIsInRoleCache = false;
        SecurityEntityType = SecurityEntityType.Role;
    }

    public override bool IsInVirtualRole(IPrincipal principal, object context)
    {
        if (principal.IsInRole("limitedEditor"))
        {
            return true;
        }
        return false;
    }
}
Then I found that I need to remove the virtual role for "limitedEditors" from the config.
When logging in, I get no access and find in the log that I need to be of type CMSEditors or CMSAdmin.
What am I missing??