I am trying to set up a User Group in Episerver to give access rights to edit portions of the website while the rest of the site is read-only. Right now, we only have the out-of-the-package virtual roles set up, but access to those roles is managed within Azure AD groups and not within Episerver itself. We have had no trouble using this method to grant access rights, and users can log in without issue. However, all documentation, such as this page on access rights in the CMS, is not helpful because, within our configuration of Episerver, all of the access rights options are grayed out.
In this situation, role based authorization doesn't seem to work since we want to limit portions of the site, and not specific blocks or controllers.
Can anyone provide information on how to allow access rights to be customized for User Groups or roles outside of using the CMS?
We are on Version 10.10.1.0
You need to create the Azure AD roles to allow access to the sections of the site you need. Log in once with someone who is a member of those roles (so Episerver gets a cache of the role name), then use admin > Set access rights to assign those roles to the sections of the tree you want to restrict.
If the section in the tree is greyed out you need to untick "Inherit settings from parent item" to allow the access rights to be set for that part of the tree.
Is there another place besides web.config that I need to define custom virtual roles? I removed myself from all roles except the new role, and I can log into the CMS but it appears that I do not have access to the CMS, and I get the following error in the browser: ERR_TOO_MANY_REDIRECTS
The FormsEditors role is the new one I added, but the following is how I have it set up.
<add name="Administrators" type="EPiServer.Security.WindowsAdministratorsRole, EPiServer.Framework" />
<add name="Everyone" type="EPiServer.Security.EveryoneRole, EPiServer.Framework" />
<add name="Authenticated" type="EPiServer.Security.AuthenticatedRole, EPiServer.Framework" />
<add name="Anonymous" type="EPiServer.Security.AnonymousRole, EPiServer.Framework" />
<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
<add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebEditors" mode="Any" />
<add name="FormsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="FormsUsers, WebEditors" mode="Any" />
<add name="Creator" type="EPiServer.Security.CreatorRole, EPiServer" />
<add name="PackagingAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
I checked the CMS before adding this to web.config, and unchecking the box you mentioned appeared to allow me to modify the tree, but with the addition of this new role in the code, it doesn't seem to find it. What can I do to have the CMS acknowledge this new role?
Looking at your virtual roles configuration, you are using the Episerver default groups WebAdmins and WebEditors - these groups are by default used (and should only be used) for managing access to the Episerver UI edit and admin views. So what you have now effectively done to your account is that you have removed your access to the edit and admin views. So you are now authenticated, but you are not authorized to the edit or admin view paths (see my p.s. comment at the bottom).
So in your access configuration you most likely would like to have a role/claim/group for editing the site content (set the access rights for this), and then you would have this FormsEditors group that would only have access to edit the forms. So then, if the user should only be able to edit forms, you would give them in AD the role WebEditors (so that they can see the Episerver edit view) and then you would also give them the role FormsUsers (so that they can edit forms). The virtual role config now says that all WebEditors have the FormsEditors virtual role, so the FormsUsers AD role is not needed OR you need to change the config and remove WebEditors from the virtual role. The next question is whether you really need the virtual role at all, as you could also use the FormsUsers role from AD to set the access rights - but if you would have, say, a SitePublishers role in AD and only some logins have this role, then this role could also be used in the virtual roles config, so that if a user has the role FormsUsers or SitePublishers then they will match the virtual role FormsEditors -> can edit forms.
p.s. Look at web.config location elements for Episerver UI url and util, and the authorization elements. There are the roles used to allow access to UI and util paths.
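As an added example (not posted by anyone in this thread), here is how the two web.config pieces discussed above fit together: the virtual role mapping with WebEditors removed from FormsEditors, and the location/authorization elements that gate the edit and admin UI paths. The role names WebEditors, WebAdmins, FormsUsers and FormsEditors come from the thread; SitePublishers is a hypothetical AD group; the paths "EPiServer" and "util" are the Episerver template defaults and are assumed to match the uiUrl and utilUrl settings in your own web.config.

```xml
<!-- Added example, not from the thread. Role names follow the posts above;
     SitePublishers is a hypothetical AD group; the "EPiServer" and "util" paths
     are the template defaults and must match your own uiUrl/utilUrl settings. -->
<configuration>
  <episerver.framework>
    <virtualRoles addClaims="true">
      <providers>
        <!-- Default mappings: these are what authorise the edit and admin views.
             Leave them as they are. -->
        <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebAdmins, Administrators" mode="Any" />
        <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="WebEditors" mode="Any" />
        <!-- As posted in the thread this was roles="FormsUsers, WebEditors", which made
             every WebEditor a FormsEditor. Corrected: only the AD groups that should
             edit forms. mode="Any" grants the virtual role to a member of any listed
             group; mode="All" would require membership in every listed group. -->
        <add name="FormsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
             roles="FormsUsers, SitePublishers" mode="Any" />
      </providers>
    </virtualRoles>
  </episerver.framework>

  <!-- UI authorisation. An account that has FormsUsers but not WebEditors is denied
       here even though it is authenticated; being bounced between the login page and
       a denied path is a common cause of the ERR_TOO_MANY_REDIRECTS reported above.
       Either keep WebEditors on form editors, or add FormsUsers to these allow lists. -->
  <location path="EPiServer">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="util">
    <system.web>
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Note that the virtual role only controls content access rights set under admin > Set access rights; it does not open the UI paths. Those are decided solely by the allow lists in the location elements, which is why a user stripped down to FormsUsers alone can authenticate but never reach the edit view.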
Thank you, your answer was very helpful. I have one more question - What permissions need to be given so that someone can add a form using Episerver Forms by clicking the plus button in the Episerver Folder on the right of the CMS screen. I have found that, while I am an admin, it is accessible, but when I am using my created role, it is not. I have given the role all access on the certain parts of the site, but I would like for them to create a form, as the name implies.
Most likely you have not correctly set up the access rights if you can't create a new Episerver Forms form container (aka new form).
Log in to Episerver with an account that has access to the admin view. In admin view click 'Set access rights' under the Admin tab (making the assumption that your site is not using site-specific assets; this is configured in admin -> config tab -> manage websites -> select your site, and by default the checkbox for site-specific assets is not checked).
With the above you created simple, very high-level access rights, which you could fine-tune to be more fine-grained (like, someone can create a form but cannot publish it etc).
See the CMS access rights help here and expand the node '—Table: Explanation of each access type—' to see the explanation of each item.
You could also limit the form container creation by setting create access right in the content type. Admin view -> Content type tab -> Under 'Block Types' select content type "[Forms] Form container" and on the right panel click 'Settings'. In the bottom there is 'Access level' and by default Everyone can create this type. So if you want to limit it here, then uncheck the checkbox from Everyone and then use the 'Add Users/Groups' button to add your group and allow only it to create the content type. But most likely the above case is what you need/want.
And a humble request: if you think my answer solves your case, could you please mark it as the answer? ;-D (you can also vote up David's answer because I think that answered your AD question)