Grant Access to One Channel

Important note when using the walkthroughs

When the walkthroughs refer to some YAML configuration, in general it is meant that you import this YAML into a locally running repository via the Console with auto-export enabled. If, however, you copy a YAML blob directly into your IDE without auto-export, you have to uncomment the following lines if they are present in the YAML:

#.meta:category: system
#.meta:add-new-system-values: true

The reason for this is that the auto-export knows implicitly to add this meta info for some properties, whereas the YAML import in the Console does not support .meta lines. Thus, you have two options when following the walkthroughs:

  1. Copy the YAML snippet as-is into the Console with auto-export running
  2. Copy the YAML snippet into your IDE while uncommenting the commented meta info

Introduction

Goal

Grant a group access only to a specific channel and its content.

Use Case

The use case is based on a Bloomreach Experience Manager project created using the Maven archetype, with the News feature added, and a French translated channel added.

The project contains the following content root folders:

/content:
  /documents:
    /myproject:
    /monprojet:
    /administration:
  /assets:
    /myproject:
    /monprojet:
  /gallery:
    /myproject:
    /monprojet:

Note the separate assets and gallery folders for myproject and monprojet. These were not created if you followed Add a Translated Channel, so add them if necessary.

You want to create two groups:

  • french-authors
  • french-editors

You want to grant French authors:

  • author privileges in /content/documents/monprojet (so they can create French documents)
  • author privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
  • readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet so they can write to assets and images

You want to grant French editors:

  • editor privileges in /content/documents/monprojet (so they can publish French documents)
  • editor privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
  • readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet so they can write to assets and images

You want to deny both French authors and French editors access to /content/documents/myproject and /content/documents/administration.

You want French authors and French editors to only be able to access the French preview channel (Mon Projet) in the Experience manager.

You want French editors to be able to edit the French channel.

You want French authors only able to preview the French channel but not edit it.

Strategy

To set up the privileges explained above you will customize the security configuration as follows:

  • Create a French test author and French test editor (local development only)
  • Create a French editor group and a French author group with the required userroles (configuration)
  • Create a new domain for the French documents, gallery and assets in which the French authors/editors have role author/editor
  • Create a new domain for the French gallery and assets in which the French authors/editors have role readwrite (this is needed for authors/editors to be able to save gallery/asset documents)

Preliminary

Log in to the Console as admin and make sure that Autoexport is on.

Create Test Users

Note: the steps below for creating users can also easily be done in the CMS UI.

In the Console, below /hippo:configuration/hippo:users add a French test author and editor by importing the YAML files:

/french-author:
  jcr:primaryType: hipposys:user
  hipposys:active: true
  hipposys:password: french-author
  hipposys:securityprovider: internal

and

/french-editor:
  jcr:primaryType: hipposys:user
  hipposys:active: true
  hipposys:password: french-editor
  hipposys:securityprovider: internal

Note that the users created above won't be auto-exported; they need to be added manually to local YAML files below /repository-data/application/src/main/resources/hcm-config.

Create the French Editor / Author Groups

Note: the steps below for creating groups can also easily be done in the CMS UI.

In the Console, below /hippo:configuration/hippo:groups add:

/french-authors:
  jcr:primaryType: hipposys:group
  hipposys:members:
    #.meta:category: system
    #.meta:add-new-system-values: true
    type: string
    value: [french-author]
  hipposys:securityprovider: internal
  hipposys:userroles: [xm.cms.user, xm.content.user, xm.channel.user, xm.report.user, xm.dashboard.user, xm.channel.viewer]

and

/french-editors:
  jcr:primaryType: hipposys:group
  hipposys:members:
    #.meta:category: system
    #.meta:add-new-system-values: true
    type: string
    value: [french-editor]
  hipposys:securityprovider: internal
  hipposys:userroles: [xm.cms.user, xm.content.user, xm.channel.user, xm.report.user, xm.dashboard.user, xm.channel.webmaster]

The above is pretty trivial, but pay careful attention to the userroles. The default editor and author groups have only one userrole, xm.default-user.editor and xm.default-user.author respectively. Assigning these default userroles to the French groups would, however, also show the non-French documents to the French users, because the default userroles inherit from xm.content.author and xm.content.editor, which grant the author/editor role on the default /hippo:configuration/hippo:domains/content domain, which we don't want. Therefore, we have to define explicitly per French group what the userroles should be. Both French editors and authors should see:

  • The Content application hence: xm.content.user
  • The Experience manager application hence: xm.channel.user
  • The Content reports application hence: xm.report.user
  • The Home application hence: xm.dashboard.user

The French editors, however, should be webmaster on the French channel and the French authors should be viewer on the French channel, and therefore they require the xm.channel.webmaster and xm.channel.viewer userroles respectively. See the default provided userroles for more details.

Note 2: once the above setup works locally, it is best to remove the test members 'french-author' and 'french-editor' from the groups again, since it is cleaner not to deploy them as-is to production. If you want to do it really cleanly, you can add the creation of the users to the development bootstrap data and, in the main.yaml of the development module, add the users to the groups (the groups themselves are application configuration, not development configuration):

definitions:
  config:
    /hippo:configuration/hippo:groups/french-authors:
      hipposys:members:
        operation: add
        type: string
        value: [french-author]
    /hippo:configuration/hippo:groups/french-editors:
      hipposys:members:
        operation: add
        type: string
        value: [french-editor]

Customize Security Domains

Note: the steps below for creating domains cannot be done in the CMS UI; assigning the groups and users to the domains, however, can be done in the CMS UI.

Similar to the default /hippo:configuration/hippo:domains/content domain, we now need a domain for the French documents, gallery items and assets, hence the following domain is needed:

/content-french:
  jcr:primaryType: hipposys:domain
  /content-domain:
    jcr:primaryType: hipposys:domainrule
    /content-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/documents/monprojet
  /assets:
    jcr:primaryType: hipposys:domainrule
    /assets-french:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:filter: false
      hipposys:type: Reference
      hipposys:value: /content/assets/monprojet
  /gallery:
    jcr:primaryType: hipposys:domainrule
    /gallery-french:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:filter: false
      hipposys:type: Reference
      hipposys:value: /content/gallery/monprojet
  /author:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: [french-authors]
    hipposys:role: author
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []
  /editor:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      # the group created above is named french-editors (not french-editor)
      value: [french-editors]
    hipposys:role: editor
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []

The above domain makes sure that French editors have role editor below the French documents, gallery items and assets, and likewise that French authors have role author there.

Now we still miss one domain, which is comparable to the domain /hippo:configuration/hippo:domains/non-publishable-readwrite. The role author or editor does not give you the jcr:write privilege to actually write to JCR nodes. In general this is not needed, since the workflow user session does the writing. However, editors and authors do need an explicit jcr:write privilege on:

  1. Document drafts they are holder of
  2. Image sets and assets to be able to write to these nodes

Number 1 is covered throughout the entire repository by the standard provided draft-document-holder-readwrite security domain. For gallery items and assets, unfortunately, there are no drafts of which you can be the holder, therefore the following domain is needed to grant role readwrite to the French editors and authors on French gallery items and assets:

/content-french-assets-images-readwrite:
  jcr:primaryType: hipposys:domain
  /readwrite:
    jcr:primaryType: hipposys:authrole
    hipposys:groups:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: [french-editors, french-authors]
    hipposys:role: readwrite
    hipposys:users:
      #.meta:category: system
      #.meta:add-new-system-values: true
      type: string
      value: []
  /french-assets-domain:
    jcr:primaryType: hipposys:domainrule
    /documents-only:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: hippo:availability
      hipposys:type: String
      hipposys:value: live
    /non-publishable:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: false
      hipposys:facet: nodetype
      hipposys:type: String
      hipposys:value: hippostd:publishable
    /french-assets-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/assets/monprojet
  /french-gallery-domain:
    jcr:primaryType: hipposys:domainrule
    /documents-only:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: hippo:availability
      hipposys:type: String
      hipposys:value: live
    /non-publishable:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: false
      hipposys:facet: nodetype
      hipposys:type: String
      hipposys:value: hippostd:publishable
    /french-gallery-and-descendants:
      jcr:primaryType: hipposys:facetrule
      hipposys:equals: true
      hipposys:facet: jcr:path
      hipposys:type: Reference
      hipposys:value: /content/gallery/monprojet
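Before deploying domain configuration it helps to check, on paper, exactly which roles each group ends up with on which nodes. The following is an added example, not Bloomreach code: a small Python model of how the two domains above are evaluated. It assumes the documented evaluation rules (a node is in a domain when any of its domain rules matches, a domain rule matches when all of its facet rules match, and hipposys:equals: false inverts a facet rule), and uses constructed sample nodes.

```python
# Simplified model of security-domain evaluation (added example, not Bloomreach
# code). Assumed semantics: ANY domain rule matching puts a node in the domain,
# a domain rule needs ALL its facet rules to match, equals:false inverts a rule.
from dataclasses import dataclass, field


@dataclass
class Node:
    path: str
    nodetypes: set[str]                       # primary type, mixins and supertypes
    availability: set[str] = field(default_factory=set)   # hippo:availability


def facet_matches(rule: dict, node: Node) -> bool:
    facet, value, equals = rule["facet"], rule["value"], rule.get("equals", True)
    if facet == "jcr:path":                   # Reference: the node itself or a descendant
        hit = node.path == value or node.path.startswith(value + "/")
    elif facet == "nodetype":
        hit = value in node.nodetypes
    elif facet == "hippo:availability":
        hit = value in node.availability
    else:
        raise ValueError(f"unsupported facet {facet}")
    return hit == equals


def in_domain(domain: dict, node: Node) -> bool:
    return any(all(facet_matches(r, node) for r in rules) for rules in domain["rules"])


def roles_for(group: str, node: Node, domains: list[dict]) -> set[str]:
    """Roles a group receives on a node, combined over all domains."""
    return {role for d in domains if in_domain(d, node)
            for role, groups in d["authroles"].items() if group in groups}


def path_rule(path: str) -> dict:
    return {"facet": "jcr:path", "value": path}


# The two domains from this walkthrough, transcribed into the model
CONTENT_FRENCH = {
    "rules": [[path_rule("/content/documents/monprojet")],
              [path_rule("/content/assets/monprojet")],
              [path_rule("/content/gallery/monprojet")]],
    "authroles": {"author": ["french-authors"], "editor": ["french-editors"]},
}
LIVE = {"facet": "hippo:availability", "value": "live"}
NOT_PUBLISHABLE = {"facet": "nodetype", "value": "hippostd:publishable", "equals": False}
FRENCH_READWRITE = {
    "rules": [[LIVE, NOT_PUBLISHABLE, path_rule("/content/assets/monprojet")],
              [LIVE, NOT_PUBLISHABLE, path_rule("/content/gallery/monprojet")]],
    "authroles": {"readwrite": ["french-editors", "french-authors"]},
}
DOMAINS = [CONTENT_FRENCH, FRENCH_READWRITE]
```

The interesting check is that a published French document variant gets author/editor but never readwrite (it is hippostd:publishable), while a French image set gets both, and anything under myproject gets nothing.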

Verify

Log in into the CMS as french-author and verify that you can:

  • browse the 'monprojet' content folder
  • create subfolders in the 'monprojet' folder
  • create and edit documents in the 'monprojet' folder
  • upload and use images in the 'monprojet' gallery folder
  • use images in the 'myproject' gallery folder
  • upload and use files in the 'monprojet' assets folder
  • use files in the 'myproject' assets folder
  • request publication for documents in the 'monprojet' tree
  • preview the Mon Projet channel
  • see the Mon Projet

Verify that you can't:

  • see the 'myproject' and 'administration' folders
  • see the My Project channel
  • edit the Mon Projet channel
  • upload images or create subfolders in the 'myproject' gallery folder
  • upload files or create subfolders in the 'myproject' assets folder

Do the same for french-editor and also verify that she can:

  • publish documents in the 'monprojet' folder
  • accept or reject publication requests in the 'monprojet' folder
  • edit the Mon Projet channel

Now that you have successfully granted French authors and editors access to the French channel and its content only, go on and create groups for English authors and editors and grant them access to the English channel and its content only.