Thursday, June 28, 2018

Setting SXA security roles (with a small twist)

General setup 

After setting up your SXA project, one of the next things you typically want to do is follow a myriad of guides to help finalize your setup.
One of these is to set up security based on the SXA sites.
To do this, a number of PowerShell scripts are offered out of the box by the SXA product to help you set up the Tenant as well as the Site security.

You can find all relevant information here:

After doing this, however, I noticed a problem...

We created a number of editors that had the 'Site author' and 'Site designer' roles.
However, the created users were not able to perform all the necessary actions right away.

This user is now indeed able to log in and see and edit that SXA site.

First issue

But when we performed the following test:

Create a new page (Page type) > go into the Experience Editor > add a (default) Promo block.
At this moment the Experience Editor shows a popup that lets you create site content or content under the Data folder.
> We click the Create button next to the Data folder ...

And there we get a popup warning screen saying that this user does not have access to create that content...

This immediately felt like a problem in the SXA setup, since I tested this on a vanilla SC9 and SXA 1.7.1 installation...

After some investigation, and great support from the Sitecore SXA team, they acknowledged this as a bug on their side and we found the following solution:

As a workaround for the issue, you can try the following steps:

1. Go to the item: /sitecore/system/Settings/Foundation/Experience Accelerator/Local Datasources/Virtual Page Data
2. Add the "Create" security right for all the needed users or roles (in this case, the SXA Author role created by the setup scripts).
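The same workaround scripted with Sitecore PowerShell Extensions (which SXA itself relies on), as an added example that is not from the original post or from Sitecore/SXA; the role name is a placeholder you must replace with your own SXA-generated author role, and the Test-ItemAcl check makes the script safe to re-run.

```powershell
# Added example: grant the "Create" right on the Virtual Page Data item to an
# SXA author role using SPE cmdlets instead of the Security Editor.
# Assumptions: run in the SPE console/ISE against the master database;
# $roleName is a placeholder for your real SXA author role.

$roleName = "sitecore\YourTenant YourSite Site Author"   # placeholder, replace
$itemPath = "master:/sitecore/system/Settings/Foundation/Experience Accelerator/Local Datasources/Virtual Page Data"

$item = Get-Item -Path $itemPath
if ($null -eq $item) { throw "Item not found: $itemPath" }

# Check first, so re-running the script does not stack duplicate rules.
if (Test-ItemAcl -Item $item -Identity $roleName -AccessRight "item:create") {
    Write-Host "$roleName already has item:create on $($item.Paths.FullPath)"
}
else {
    # Allow "Create" for the role on this item and its descendants (PropagationType Any).
    $rule = New-ItemAcl -Identity $roleName -AccessRight "item:create" `
        -PropagationType Any -SecurityPermission AllowAccess
    Add-ItemAcl -Item $item -AccessRules $rule
    Write-Host "Granted item:create to $roleName on $($item.Paths.FullPath)"
}

# List the rules now set on the item so the change can be reviewed.
Get-ItemAcl -Item $item |
    Format-Table Account, AccessRight, PropagationType, SecurityPermission
```

Keep the grant scoped to this single item: it only needs to let the role create the local datasource items the Experience Editor asks for.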

Publishing Issue

Another thing to keep in mind: with these rights, the editor is not able to perform any publishing. This might be by design for the users you just created.

If you do want to grant the publishing rights, then just assign the Sitecore Client Publishing role and they are good to go.

If your intent is to take away publishing as a whole, then there are some next steps.
As you will notice, the Publish section on the Ribbon is indeed as good as empty and no publishing is possible from there.

However, right-clicking on the Content Tree in Sitecore will still give you the option to publish, and the Publish button in the Experience Optimizer section of the Experience Editor is still available too...

Clicking this will, however, result in the following error:

So, apart from confusing the editors, they are effectively unable to ever publish anything.

If you want to resolve this, make the following modifications to the security on the roles:

1. Go to the Security Editor;
2. Select the sitecore\Sitecore Client Designing role;
3. Navigate to the /sitecore/content/Applications/Content Editor/Context Menues/Default/Publish Item item;
4. Forbid rights inheritance as shown in the screenshot below:

5. Select the sitecore\Sitecore Client Publishing role;
6. Allow the Read access explicitly as shown in the screenshot below:

7. After that, assign the sitecore\Sitecore Client Publishing OR sitecore\Sitecore Client Advanced Publishing role to your user.

There you go, you should be all set and ready to go :)