I've been trying to figure out the best method to allow permissions across both a website made in EPiServer and the CMS itself, but I can't seem to get a procedure down pat.
Essentially what I want is to create groups with the following permissions:
- Editors: Can only see edit within the CMS and can edit/create pages.
- Publishers: Can only see edit within the CMS, can edit/create pages and publish them.
- General Admin: Can see edit within the CMS, and limited admin options.
- Superuser: All options open.
Now I know there are some default options I can use, but I'd like some information on how I can define these things. Whether that's a database change, a change in web.config, or within the CMS itself, it would be great to know.
Please have a look at the online help http://webhelp.episerver.com/CMS/7.5/EN/Default.htm#Authorization/Admin_SettingAccessRightsTreeStructure.htm%3FTocPath%3DAdministering%2520the%2520website%7CSetting%2520access%2520rights%7C_____2
What about creating my own custom roles within the web config? I saw a few lines changed but I couldn't gather how they got the permissions...
I've just found this: http://world.episerver.com/Articles/Items/Authentication-and-Authorization-in-EPiServer-CMS-61/, but I'm not sure about the whole ASP configuration stuff and how it currently works with EPiServer. Do you know where I can find info on this to help me understand it better? Thanks.
What do you mean by creating your own roles in web.config? You can create new roles/groups in Admin mode.
However, there are three (?) authorization rules in web.config to restrict access to UI, Edit- and Admin mode. For those cases I usually use the virtual roles CmsAdmins and CmsEditors, which are defined in episerverFramework.config. I think the default groups are WebEditors and WebAdmins out-of-the-box. By doing that I only need to change them in one place if I want to allow more groups to e.g. Edit mode. You have to define these groups anyways, since they are used by EPiServer in authorization attributes in MVC actions.
I don't know if that made it any clearer, or if I just made it more complicated for you :)
What if, for example, I want to allow a particular group access to the Admin mode, but restrict certain options within the Admin section?
Otherwise I understand where you're coming from with the assigning groups to the WebEditors and WebAdmins. I've just gotten a directive to see if we can further customise specific options within these sections.
There are no access levels within Admin mode. It's all or nothing. Except for your own plugins in Admin mode, where you have full control over the authorization.
Ok. Thanks for that. Just one more question...
If I wanted to create a group (e.g. FooGroup) that has the virtual role of CmsEditor, I would have to define them in episerverFramework.config? Or is there a more convenient way of assigning a group to a group/role?
Yes, you have to add them in episerverFramework.config. However, I would not recommend using these virtual roles for setting access rights on pages. Just use these groups to grant access to Edit and/or Admin mode and nothing more. Then create additional groups for different editor access levels.
Does that mean I have to put the users in both groups then? (i.e. the edit/admin access group, and the page permissions group)
Yes. That's best practice. Otherwise your client can't just create new groups from Admin mode, they also have to change the config files (which forces a recycle of the application by the way).
Ok cool. Thanks very much for your help Johan. :)
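Added example (not part of the thread and not Episerver's own code): a small audit script that expands the virtual roles discussed above to show which real groups end up with access to Edit and Admin mode. The sample configs are constructed, and the element names, attribute names and location paths are assumptions based on a typical EPiServer 7.x setup; FooGroup is the hypothetical group from the question. Only one level of mapping is expanded.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs, not taken from the thread. Element/attribute
# names and location paths are assumed from a typical EPiServer 7.x site.
FRAMEWORK_CONFIG = """<episerver.framework><virtualRoles addClaims="true"><providers>
  <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins" mode="Any" />
  <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors, FooGroup" mode="Any" />
</providers></virtualRoles></episerver.framework>"""

WEB_CONFIG = """<configuration>
  <location path="EPiServer"><system.web><authorization>
    <allow roles="CmsEditors, CmsAdmins" /><deny users="*" />
  </authorization></system.web></location>
  <location path="EPiServer/CMS/admin"><system.web><authorization>
    <allow roles="CmsAdmins" /><deny users="*" />
  </authorization></system.web></location>
</configuration>"""

def split_roles(value):
    return [r.strip() for r in (value or "").split(",") if r.strip()]

def mapped_roles(framework_xml):
    """Virtual role name -> groups it maps to (MappedRole providers only)."""
    root = ET.fromstring(framework_xml)
    return {
        add.get("name"): split_roles(add.get("roles"))
        for add in root.iterfind(".//virtualRoles/providers/add")
        if "MappedRole" in add.get("type", "")
    }

def effective_access(web_xml, framework_xml):
    """Location path -> sorted real groups allowed in, virtual roles expanded."""
    mapping = mapped_roles(framework_xml)
    result = {}
    for loc in ET.fromstring(web_xml).iterfind("location"):
        groups = set()
        for allow in loc.iterfind(".//authorization/allow"):
            for role in split_roles(allow.get("roles")):
                # A name that is not a mapped virtual role is a real group.
                groups.update(mapping.get(role, [role]))
        result[loc.get("path")] = sorted(groups)
    return result

if __name__ == "__main__":
    for path, groups in effective_access(WEB_CONFIG, FRAMEWORK_CONFIG).items():
        print(f"{path}: {', '.join(groups)}")
```

Running this against the real web.config and episerverFramework.config after each change makes it easy to confirm that only the intended groups reach Admin mode, which matters because Admin mode is all or nothing.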