Set permissions on folders
Goal
The goal of this manual is to show how to setup a group which has permissions only on a specific folder.
This manual starts with a running application and will add a group news-editors with the following permissions:
-
editor permissions on documents in the folder news
-
editor permissions on images in the folder news
-
editor permissions on assets in the folder news
-
read permissions on all (other) images
It is advisable to also read Repository Authorization and Permissions where some of the used terms are explained in more depth.
Prerequisites
-
A running Bloomreach Experience Manager application (see Getting Started) with the News feature added.
Create folder
-
Log in to the CMS as admin
-
Go to the documents perspective
-
Create a (root) folder with the title news in images
-
Create a (root) folder with the title news in assets
Create user and group
-
Log in to the CMS as admin
-
Go to the admin perspective
-
Create a user journalist
-
Create the group news-editors
-
Make the user journalist member of news-editors
Create security domains
Security domains are configured in the Console.
A user (or group) is granted permissions by assigning a role to the user for a specific security domain. A security domain is basically a set of documents and folders or in JCR terminology a collection of nodes.
To achieve the above stated goal, two security domains are needed. One for which the news-editors group only has read permissions and one for which the news-editor group has editor permissions.
Import the security domains
-
Download the attachments news-editors-read.xml and news-editors-editor.xml.
-
Log in to the Console as admin
-
Select the node /hippo:configuration/hippo:domains
-
Click on import and select the news-editors-read.xml file, leave all the settings at their defaults and click the import button
-
Click on import and select the news-editors-editor.xml file, leave all the settings at their defaults and click the import button
-
If your project has a different name than myhippoproject, replace myhippoproject with your project's name in the value properties the following nodes:
-
/hippo:configuration/hippo:domains/news-editors-editor/news-documents/path-by-uuid
-
/hippo:configuration/hippo:domains/news-editors-read/channel-node/node-by-uuid
-
/hippo:configuration/hippo:domains/news-editors-read/news-node/node-by-uuid
-
-
Click write changes to repository
The news-editors-read security domain gives the news editors read permissions to the following folders:
-
the content folder
-
the content/documents folder
-
the content/documents/myhippoproject folder
-
the content/documents/myhippoproject/news folder
-
the content/assets folder
-
the content/gallery folder and all sub folders and documents
-
the templates for new (document) folders, image folders and asset folders
(the root node is allowed by default in defaultread)
The news-editors-editor security domain gives the news editors editor permissions to the following folders ( [channelname] has been replace by the appropriate channel ) as stated in the goal:
-
the content/documents/myhippoproject/news folder and alls sub folders and documents
-
the content/assets/news folder and alls sub folders and assets
-
the content/gallery/news folder and alls sub folders and images
The domain rules in this example use two types of facet rules to allow permissions on a folder or node. These are the node-by-uuid and the path-by-uuid rules.
The node-by-uuid facet rule uses the fact that hippo:document nodes and all derived types are referenceable. The results in the fact that the nodes always have the jcr:uuid property set to their unique identifying uuid. The facet rule matches the node where the hipposys:facet (property) with the name jcr:uuid is equal to the specified value in hipposys:value. Instead of puting the uuid directly in the hipposys:value property, the Reference facet rule type is used and the path is set in the hipposys:value. At login the uuid of the path is looked up and the uuid of the node is used as value for matching.
The path-by-uuid facet rule is similar to the node-by-uuid facet rule, except that it doesn't match on the jcr:uuid property but on a node path. The facet rule will match the folder node itself and all its descendants.
Set permissions
-
Log in to the CMS as admin
-
Go to the permissions in the admin perspective
-
Grant the group news-editors the role readwrite in defaultwrite
-
Grant the group news-editors the role readonly in news-editors-read
-
Grant the group news-editors the role editor in news-editors-editor
Configure CMS access
By default, only users with at least author-level access to /content/documents are authorized to use the CMS application. Because the news editors only have read access to /content/documents, we need to reconfigure who can use the CMS. See Configure login to CMS and Console applications for more information.
-
Log in to the Console as admin
-
Select the node /hippo:configuration/hippo:frontend/cms
-
Change the value of the property privileges from hippo:author to jcr:read
-
Click Write changes to the repository
Test
-
Log in to the CMS as journalist
-
Check that only the folder news in documents is visible
-
Add a document to the news folder
-
Check that only the folder news in assets is visible
-
Add an asset to the news folder
-
Check that all images are visible
-
Check that only images can be added to the news folder
Groovy script for easy configuration
A groovy script was created to allow admins to configure permissions on folders easily for the most common use cases. You can grab it here.