Experience Manager Preview With Security Delegation
To render the preview channels in the Experience Manager, the HST uses a session from the previewuser session pool. For some customers, however, it is undesirable that the HST previewuser can read all preview documents: some preview documents might be readable only by certain CMS editors/authors. Excluding these documents for the previewuser is a straightforward security configuration that has been available since the early days; see Repository Authorization and Permissions. To make sure an editor/author can still preview such a document in the Experience Manager preview, we introduced Repository Session Security Delegation.
When previewing the site in the Experience Manager, the desired read access for CMS editors/authors is all the documents that the HST previewuser can read plus all the preview documents that the editor/author is allowed to read.
By default, when a preview channel is rendered, all the documents that the HST previewuser can read and all the documents that the logged-in CMS user can read can be rendered. To disable this behavior and render only documents that the HST previewuser can read, set the property cms.preview.security.delegation.enabled to false in hst-config.properties. In general, however, this is never needed.
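The following is an added example, not code from the HST or from this documentation: a small Python model of the read access described above, which reads the property from hst-config.properties content and computes what the preview can render for one editor. The document paths, the sample file content, the function names and the strict true/false parsing are assumptions made for illustration.

```python
# Added example: a model of the read access described above, not HST code.
KEY = "cms.preview.security.delegation.enabled"
DEFAULT_ENABLED = True  # per the page: on unless the property is set to false


def delegation_enabled(properties_text):
    """Effective setting for the content of an hst-config.properties file."""
    enabled = DEFAULT_ENABLED
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or properties comment
            continue
        key, sep, value = line.partition("=")  # assumption: key = value form
        if not sep or key.strip() != KEY:
            continue
        value = value.strip().lower()
        if value not in ("true", "false"):
            # Assumption: anything else is flagged for review, not guessed at.
            raise ValueError(f"unexpected value for {KEY}: {value!r}")
        enabled = value == "true"  # the last occurrence wins
    return enabled


def renderable(previewuser_docs, editor_docs, enabled):
    """Documents the preview can render for one logged-in CMS user."""
    if enabled:
        return set(previewuser_docs) | set(editor_docs)
    return set(previewuser_docs)


def delegated_only(previewuser_docs, editor_docs):
    """Documents an editor sees in preview only because of delegation."""
    return set(editor_docs) - set(previewuser_docs)


# Constructed sample data: the paths and file content are illustrative.
PREVIEWUSER_DOCS = {"/content/documents/site/news/a", "/content/documents/site/news/b"}
EDITOR_DOCS = {"/content/documents/site/news/b", "/content/documents/site/embargo/c"}
SAMPLE_CONFIG = "# constructed sample\ncms.preview.security.delegation.enabled = false\n"

if __name__ == "__main__":
    for text in ("", SAMPLE_CONFIG):
        on = delegation_enabled(text)
        print(on, sorted(renderable(PREVIEWUSER_DOCS, EDITOR_DOCS, on)))
    print(sorted(delegated_only(PREVIEWUSER_DOCS, EDITOR_DOCS)))
```

The delegated_only set is the part worth reviewing: these are the documents that stay hidden from the shared previewuser session and reach the preview only through the editor's own permissions.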