CMS User login problem

Vote:
 

I've created some new access rights on a site that I've not done this on for a few years, so the steps required are a bit rusty.

The usergroup is called "Sandboxeditor" who has got full permissions on a specific node in our content tree.
It has got read access only the root folders.

I've created a user, and assigned this user to the group.

I’ve added the following to my web.config to (I think) allow access to edit mode:

 

<location path="{my-cms-path}">
    <system.web>
      <httpRuntime maxRequestLength="1000000"/>
      <pages enableEventValidation="true">
        <controls>
          <add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI"/>
          <add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer"/>
          <add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI"/>
        </controls>
      </pages>
      <globalization requestEncoding="utf-8" responseEncoding="utf-8"/>
      <authorization>
        <allow roles="SandboxEditor, WebEditors, WebAdmin
s, Administrators, UpdatesArticleUsers"/>
        <deny users="*"/>
      </authorization>

    

The issue is that I don't get a login error (so username password is correct), but if I try and access the CMS URL, I get sent back to the login screen.
I'm sure I've missed off a step along the way, but can't recall what

 

#82038
Mar 04, 2014 16:42
Vote:
 

First, the normal way is to restrict WebEditors to only be able to login to Edit mode, then create separate groups that actually have access rights in page tree. That way, it's easy to administrate adding new editor groups that have access rights to part of the tree without having to touch web.config. 

#82043
Mar 04, 2014 17:27
Vote:
 

sure, but I'm forgetting the steps to do that.. What does one do / where should I update /edit to allow that?

#82044
Mar 04, 2014 17:28
Vote:
 

First limit WebEditor access rights to only have read access like everyone user in admin mode (set access rights). Easiest to do it in admin mode since you can set access rights for parts of the tree structure there compared to page by page in edit mode.
Add access rights for SandboxEditor to allow edit part of the tree using the same tool in admin mode.
Create user that belongs to both groups. 
Login
Enjoy!
You do not need to add SandboxEditor to any location tags in web.config then...since the user is also a webeditor and can then log in to edit mode.
Note: Remember to do the same for files...for production environment. Otherwise user can edit only parts of the page tree but access all files and delete then which is usually not the Sandbox behavior you are looking for :)

#82045
Edited, Mar 04, 2014 17:39
Vote:
 

Daniel is absolutely right. There's also a good article on this topic: http://world.episerver.com/Articles/Items/Restricting-Page-Display-in-Edit-Mode/ which gives example scenarios and best practices in regards to using the WebEditors and Webadmins virtual roles.

#82069
Edited, Mar 05, 2014 10:18
Vote:
 

Arild: Seems the link you are referring to does not exist.

#82072
Mar 05, 2014 10:31
Vote:
 
#82076
Mar 05, 2014 10:45
Vote:
 

Right, removing everyone group and replacing it with an anonymous group will make it possible to hide parts of the tree structure for editors as well. I like that little trick...

#82077
Mar 05, 2014 10:49
Vote:
 

@Arild: Interesting, the link clearly works for me now. But I got a friendly 404 before my last comment. I guess that I have to talk to the World team about this...

#82078
Mar 05, 2014 10:53
Vote:
 

I've tried doing the above anonymous group. It's fine, but ends up hiding half your site when you when try and view it.. (as once logged in they no longer have read access!). Also need to give them read access on any parent pages so the tree and load. I've done that on an EPiServer 7 site.

I think my main issues are just a larger configuration problem, as at some point config files were upgraded from IIS6 to IIS7. I'd already tried all the above before I posted here.. 

Thanks for all the suggestions either way.

 

#82080
Mar 05, 2014 10:59
Vote:
 

@Danny: In addition to the <location path="(your-cms-path)"> you should also have nodes for access to Admin mode <location path="(your-cms-path)/CMS/Admin"> and the UI <location path="UI">

Are these present? How do they look?

#82082
Edited, Mar 05, 2014 11:14
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.