Have you configured the virtual roles CmsAdmin and CmsEditors in EPiServerFrameWork.config? They are used for authorization in the mvc part of EPiServer.
What you mean "configured the virtual roles"? EPiServerFramework.config looks correct -- I can see the virtual roles in there:
<add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
<add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />
What configuration needs to take place apart from them being in the file?
Are you using WebAdmins and WebEditors as groups for editors and admins? Otherwise you have to add your own roles to each virtual role in the roles attribute.
Now you're mapping WebAdmins and Administrators to the CmsAdmins roles and so on.
Also check if you have configured following paths in web.config correctly:
<episerver.shell>
<publicModules rootPath="~/modules/" autoDiscovery="Minimal"/>
<protectedModules rootPath="~/yourUI/">
<add name="shell"/>
<add name="cms"/>
</protectedModules>
</episerver.shell>
So, just to clarify --
Visitor Groups operates off the CmsEditors and CmsAdmins roles.
And the "EPiServer.Security.MappedRole" converts one role to another. So this code...
<add roles="WebAdmins, Administrators" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer" />
<add roles="WebEditors" mode="Any" name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer" />
...is saying that the "WebAdmins" and "Administrators" roles are both also valid for the "CmsAdmins" role. And the "WebEditors" role is also valid for the "CmsEditors" role.
Is that correct?
That's correct regarding "EPiServer.Security.MappedRole". And I hope Visitor Groups is using asp.net mvc and authorization rules, just like other parts of EPiServer Framework like Online Center and My Settings.
Turns out groups on this server were a little different -- users weren't in the WebAdmins and WebEditors roles that were mapped to CmsAdmins and CmsEditors. I changed the config of those MappedRoles, and we're good now.
Thanks Johan -- I appreciate the pointer on how access works for Visitor Groups. Wouldn't have found it otherwise.
In order to control visitor group access security list we discovered that you need to add missing virtual role in episerverframework.config file:
<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer" mode="Any"/>
Great to find this, and thanks Valdis, your lien of code fixed it for me. But... We had to change the assembly in the setting so it look like this:
<add name="VisitorGroupAdmins" roles="{your roles here}" type="EPiServer.Security.MappedRole, EPiServer.Framework" mode="Any"/>
True Valdis, I saw what section it was on just after I pressed ok on my comment ;-)
I'm glad everyone has fixed their issues, but I would like to add a little clarification for future reference.
"To access Visitor Groups in the global menu you must be a member of the access groups CmsAdmins or VisitorGroupAdmins, otherwise you will be prompted to a login page. If you want editors to be able to add, edit and delete visitor groups, you can provide access by adding them to VisitorGroupAdmins (CmsAdmins and CmsEditors are already defined in the configuration)."
The idea we had was that by default just admins would have access to the UI, but it could be modified by adding the VisitorGroupAdmins role.
And yes Johan, that is standrad asp.net roles, so you don't have to use the MappedRole configuration to add it. It can be managed like any role in the system.
Regards
Per Gunsarfs
How is access to Visitor Groups handled? After upgrading to R2, Visitor Groups does not appear in the right-click menu, and if I try to access it from the overhead menu in Edit/Admin Modes, I get prompted for credentials.
The path for Visitor Groups is:
/admin/CMS/VisitorGroups
I checked all the through the web.config, and the only access path I can see that would apply is the path to /admin. I have the correct groups in here, and I have access to both Edit and Admin Modes, so I know this works. Yet, Visitor Groups does not work, either in the link from Edit/Admin Mode or from the right-click menu.
Is there some other access control around Visitor Groups that I'm not aware of?