Setting SXA security roles (with a small twist)


General setup 

After setting up your SXA project, one of the next things you typically want to do is follow a myriad of guides to help finalize your setup.
One of these is to set up security based on the SXA sites.
To do this, SXA ships a number of PowerShell scripts out of the box that help you set up the Tenant as well as the Site security.

You can find all relevant information here:
https://doc.sitecore.net/sitecore_experience_accelerator/setting_up_and_configuring/setting_up/set_up_security_for_a_tenant_and_a_site

After doing this, however, I noticed a problem...

We created a number of editors that had the 'Site author' and 'Site designer' roles.
However, the created users were not able to do all necessary actions immediately.

This user is now indeed able to log in and see and edit that SXA site.


First issue


But when we performed the following test:

Create a new page (Page type) > go into the Experience Editor > add a (default) Promo block.
At this point the Experience Editor shows a popup that lets you create site content or content under the Data folder.
> We click the Create button next to the Data folder ...




And there we get a popup warning saying that this user does not have access to create that content...

This immediately felt like a problem in the SXA setup since I tested this on a vanilla SC9 and SXA 1.7.1 installation...

After some investigation and great support from the Sitecore SXA team they acknowledged this as a bug on their side and we found the following solution:

As a workaround for the issue, you can try the following steps:

1. Go to the item: /sitecore/system/Settings/Foundation/Experience Accelerator/Local Datasources/Virtual Page Data
2. Add the permission for the "Create" security right for all the needed users or roles. (In this case that is the SXA Author role we created.)

Publishing Issue

Another thing to keep in mind is that with these rights, the editor is not able to perform any publishing. This might be by design for the users you just created.

If you do want to grant the publishing rights, then just assign the Sitecore Client Publishing role and they are good to go.

HOWEVER
If your intent is to take away publishing as a whole, there are some further steps.
As you will notice, the Publish section on the Ribbon is indeed as good as empty and no publishing is possible from there.

However, right-clicking in the Content Tree in Sitecore will still give you the option to publish, and the Publish button in the Experience Optimizer section of the Experience Editor is also still available...

Clicking this will however result in the following error:



So, apart from confusing the editors, this actually leaves them unable to ever publish anything.

If you want to resolve this, make the following modifications to the security on the roles:

1. Go to the Security Editor;
2. Select the sitecore\Sitecore Client Designing role;
3. Navigate to the /sitecore/content/Applications/Content Editor/Context Menues/Default/Publish Item item;
4. Forbid rights inheritance as described in the below screenshot:



5. Select the sitecore\Sitecore Client Publishing role;
6. Allow the Read access explicitly as shown on the below screenshot:



7. After that, assign the sitecore\Sitecore Client Publishing OR sitecore\Sitecore Client Advanced Publishing role to your user.
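Both the Create workaround on the Virtual Page Data item and the Publish Item context-menu fix above can be scripted instead of clicked through the Security Editor. The script below is an added example, not part of the original post and not one of the SXA-provided scripts; it assumes Sitecore PowerShell Extensions (SPE) is installed, that your author role is named sitecore\SXA Site Author (a placeholder, substitute your own), that the Content Editor application items live in the core database (they do in a standard install), and that the inheritance you forbid in step 4 is on the Read right, since the screenshot is not reproduced here.

```powershell
# Added example using Sitecore PowerShell Extensions (SPE) cmdlets.
# Placeholder: replace with the SXA author role you created.
$authorRole = "sitecore\SXA Site Author"

# --- First issue: allow Create on the Virtual Page Data settings item ---
$virtualPageData = "master:/sitecore/system/Settings/Foundation/Experience Accelerator/Local Datasources/Virtual Page Data"

# One rule: allow item:create for the author role, on the item and its descendants.
$createRule = New-ItemAcl -Identity $authorRole -AccessRight "item:create" `
    -PropagationType Any -SecurityPermission AllowAccess

# Add-ItemAcl keeps the existing rules and appends ours (Set-ItemAcl would replace them).
Add-ItemAcl -Path $virtualPageData -AccessRules $createRule

# --- Publishing issue: steps 1-6, the "Publish Item" context-menu entry ---
# Assumption: the Content Editor application items are in the core database.
$publishMenuItem = "core:/sitecore/content/Applications/Content Editor/Context Menues/Default/Publish Item"

# Step 4: forbid inheritance for the designing role (assumed to be the Read right).
$denyInherit = New-ItemAcl -Identity "sitecore\Sitecore Client Designing" -AccessRight "item:read" `
    -PropagationType Any -SecurityPermission DenyInheritance

# Step 6: allow Read explicitly for the publishing role.
$allowRead = New-ItemAcl -Identity "sitecore\Sitecore Client Publishing" -AccessRight "item:read" `
    -PropagationType Any -SecurityPermission AllowAccess

Add-ItemAcl -Path $publishMenuItem -AccessRules @($denyInherit, $allowRead)

# --- Check the result before handing the roles to editors ---
Get-ItemAcl -Path $publishMenuItem |
    Format-Table Account, AccessRight, PropagationType, SecurityPermission -AutoSize

# Test-ItemAcl returns $true/$false for a given identity and right.
Test-ItemAcl -Path $publishMenuItem -Identity "sitecore\Sitecore Client Publishing" -AccessRight "item:read"
Test-ItemAcl -Path $virtualPageData -Identity $authorRole -AccessRight "item:create"
```

Run it from the SPE console or ISE as an administrator. Step 7 (assigning the publishing role to the user) is not scripted here on purpose: which users get publishing rights is a decision, not a defect, and is better handled through the User Manager or your provisioning process.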




There you go, you should be all set and ready to go :)

Comments

1. In a single tenant setup with multiple sites Site1 and Site2 for example, if a user with "SXA Site Author" role and "sitecore\Sitecore Client Publishing" role tried to publish the tenant node we found that this will publish everything even items in other sites that he does not have write access to.

We have tested this approach and found that users for Site1 could only edit Site1 data and cannot edit Site2 data and vice versa, but now we need to have a “Publisher” role to be able to publish the site's new items, but I found when assigning the user to the “sitecore\Sitecore Client Publishing” Sitecore role that any user with this role can publish any items in the content tree regardless of whether this account has access to the items or not.

So I want to limit the publish items task for users to only data they are able to read and write into, so Site1 users when publishing items only publish items starting from the Site1 node and its subitems and skip all Site2 data. So I found a Sitecore configuration “Publishing.CheckSecurity”.

When I set this to true I found that it seems to skip all items even items users just created and nothing gets published using a Site user. So my question is: is this the best practice to achieve this requirement? Is there a best practice followed to define an “SXA Site Publisher” role for SXA in Sitecore?

1. No, there is no such functionality available unfortunately. Lately I have been confronted with the same problem where I did not want the editor to see specific items, while at the same time this item should be available for back-end code to run.
      I will take this up with support together with your question on publishing.
      Another possible solution can be found in part 2 here: http://chowson.github.io/security-based-publishing-restrictions-in-sitecore/

2. This blog is really awesome. Thanks for sharing such valuable information with us.

    Sitecore Online Training

3. This is a really well written blog. I’ll be sure to bookmark it and return to read more of your useful information. Thanks for the post. Umbraco web development services
