Setting SXA security roles (with a small twist)
General setup
After setting up your SXA project, one of the next things you typically want to do is follow a myriad of guides to help finalize your setup.
One of these is to set up Security based on the SXA sites.
In order to do this, a number of the powershell scripts exist that are offered by the SXA product out of the box to help you set up the Tenant as well as the Site Security.
You can find all relevant information her:
https://doc.sitecore.net/sitecore_experience_accelerator/setting_up_and_configuring/setting_up/set_up_security_for_a_tenant_and_a_site
After you do this, I did however notice a problem...
We created a number of editors that had the 'Site author' and 'Site designer' roles.
However, the created users were not able to do all necessary actions immediately.
This user is now indeed able to log in and see and edit that SXA site.
First issue
But when we performed the following test:
Create a new page (Page type) > go into the Experience Editor > Add a (default) Promo block
At this moment the experience editor gives a popup that lets you create site content or content under the Data folder.
> We click the Create button next to the Data folder ...
And there we get a popup warning screen that says that this users does not have access to create that content...
This immediately felt like a problem in the SXA setup since I tested this on a vanilla SC9 and SXA 1.7.1 installation...
After some investigation and great support from the Sitecore SXA team they acknowledged this as a bug on their side and we found the following solution:
As a workaround for the issue, you can try the following steps:
1. Go to the item: /sitecore/system/Settings/Foundation/Experience Accelerator/Local Datasources/Virtual Page Data
2. Add the permission for the "Create" security right for all the needed users or role. (In this case that is the SXA Author created role)
Publishing Issue
Just another thing to keep in mind is that with these rights, the editor is not able to perform any publishing. This might be by design for the users you just created.If you do want to grant the publishing rights, then just assign the Sitecore Client Publishing role and they are good to go.
HOWEVER
If your intent is to take away publishing as a whole then there are some next steps.
As you will notice, the Publish section on the Ribbon is indeed as good as empty and no publishing is possible from there out.
However, right clicking on the Content Tree in Sitecore will still give you the option to publish. As well as the Publish button on the Experience Optimizer section in the Experience Editor that is still available...
Clicking this will however result in the following error:
So, actually apart from confusing the editors they are virtually unable to ever publish anything.
If you want to resolve this, make the following modifications to the security on the roles:
1. Go to the Security Editor;
2. Select the sitecore\Sitecore Client Designing role;
3. Navigate to the /sitecore/content/Applications/Content Editor/Context Menues/Default/Publish Item item.
4. Forbid rights inheritance as described in the below screenshot:
5. Select the sitecore\Sitecore Client Publishing role;
6. Allow the Read access explicitly as shown on the below screenshot:
7. After that, assign the sitecore\Sitecore Client Publishing OR sitecore\Sitecore Client Advanced Publishing roles to your user.
There you go, you should be all set and ready to go :)
In a single tenant setup with multiple sites Site1 and Site2 for example, if a user with "SXA Site Author" role and "sitecore\Sitecore Client Publishing" role tried to publish the tenant node we found that this will publish everything even items in other sites that he do not have write access to.
ReplyDeleteWe have tested this approach and found that users for Site1 could only edit Site1 data and cannot Site2 data and vice versa, but now we need to have a “Publisher” role to be able to publish the site new items, but I found when assigning the user to “sitecore\Sitecore Client Publishing” sitecore role that any user with this role can publish any items in the content tree regardless this account has access to the items to not.
So I want to limit the publish items task for users to only data they are able to read and write into so Site1 users when publishing items they only publish items starting Site1 node and its subitems and skip all site2 data, SO I found a Sitecore configuration “Publishing.CheckSecurity”
When I set this to true I found that it seems to skip all items even items users just created and nothing get published using Site user, So my question is, Is this the best practice to achieve this requirement? Is there a best practice followed to define “SXA Site Publisher” role for SXA in Sitecore .
No, there is no such functionality available unfortunately. Lately I have been confronted with the same problem where i did not want to the editor to see specific items, while at the same time this item should be available for back-end code to run.
DeleteI will take this up with support together with your question on publishing.
Another possible solution can be found in part 2 here: http://chowson.github.io/security-based-publishing-restrictions-in-sitecore/
This blog is really awesome Thanks for sharing most valuable information with us.
ReplyDeleteSitecore Online Training
This is a really well written blog. I’ll be sure to bookmark it and return to read more of your useful information. Thanks for the post.Umbraco web development services
ReplyDelete