I am trying to create a role within Sitecore which can publish content, but only within a specific area(s) of the site. I've added the standard Sitecore\Client Publishing role to my role, but I can't see how to prevent the role from being able to publish all areas of the site. I've looked at the Security editor and the Access viewer, but setting the write access of the sections only seems to affect the ability to edit those sections and has no effect on the ability to publish on those sections.
Sitecore allow role to publish content in specific areas only
Asked Answered
Do you have a workflow in place? –
Leucomaine
Yes I do. All I want to do is restrict access to the approve/publish stages to certain users. –
Morrissette
I had a similar situation once and I created roles per section which only had read and write to that section and no where else (let say 'editor section 1') and another role which only had publishing permission for that section (let say 'publisher section 1'). Then added 'editor section 1' role to 'publisher section 1' role which gives you the role for publishing only specific section. You do not need multiple workflows, same workflow with multiple roles can also achieve this goal
When you say "and another role which only had publishing permission for that section (let say 'publisher section 1')." How did you do that? The permissions in sitecore don't appear to have a way to define publishing permissions per item. –
Oared
Probably late, but what I meant was to have role for the workflow published state. Have a look here doc.sitecore.net/sitecore_experience_platform/content_authoring/… –
Juetta
Can you please clarify Naveed? I understand that you can grant the workflow command execute to commands and grant workflow write execute to states. How exactly would you plan to implement this given the basic "Sample Workflow" –
Erythrism
Workflow is the typical way this is handled. Giving roles access to approve (this could be called 'publish') content of certain sections of the content tree will be the best way to achieve what you are describing. Combine this with an auto-publish action to make it more user friendly.
One thing to keep in mind though using this method is referenced items (images from media library the content may be using for example). Take a look at the 'Publishing Spider' module on the shared source library http://trac.sitecore.net/PublishingSpider
EDIT: Update
I recently discovered this setting in the web.config: "Publishing.CheckSecurity". If set to true, this setting will only publish items if the user has read + write on the item and will only remove items from the web DB if the user has delete permissions.
Nice answer, creating workflows for different aspects of the site would help. –
Ginnie
Thanks for your answer! Do I need to create separate workflows to allow different access to approval within different areas of my site or can I reuse the same workflow throughout? –
Morrissette
You can use the same workflow throughout if you like and restrict permissions to the section of the tree you dont want them to see. To see an item in the workbox you need Read & Write permissions on the content item itself. –
Bursa
Is your "Edit:Update" in conjunction with the PublishingSpider module? I tried just changing the web.config file and it's not working. Did you add the "Sitecore Client Publishing" role to the user? –
Cotopaxi
The setting referred to in the update is a standalone setting for the core CMS. Any settings for the module will be in an include file (at least of the module is written well) found in the 'App_Config/Include' directory. The user will need to be part of, or inherit, the "Sitecore Client Publishing" role to have access to the publishing commands and applications. Alternatively you can set-up your own "client access" role by switching to the core database and giving permissions to appropriate applications on a custom role. –
Bursa
Thanks for that! As an FYI to all that are reading, the publish buttons still appear and the user is able to go through the publishing steps but the pages don't actually publish. –
Cotopaxi
I had a similar situation once and I created roles per section which only had read and write to that section and no where else (let say 'editor section 1') and another role which only had publishing permission for that section (let say 'publisher section 1'). Then added 'editor section 1' role to 'publisher section 1' role which gives you the role for publishing only specific section. You do not need multiple workflows, same workflow with multiple roles can also achieve this goal
When you say "and another role which only had publishing permission for that section (let say 'publisher section 1')." How did you do that? The permissions in sitecore don't appear to have a way to define publishing permissions per item. –
Oared
Probably late, but what I meant was to have role for the workflow published state. Have a look here doc.sitecore.net/sitecore_experience_platform/content_authoring/… –
Juetta
Can you please clarify Naveed? I understand that you can grant the workflow command execute to commands and grant workflow write execute to states. How exactly would you plan to implement this given the basic "Sample Workflow" –
Erythrism
Answer to this is to set Publishing.CheckSecurity to true
You need to find this code inside web
<!-- PUBLISHING SECURITY
Check security rights when publishing?
When CheckSecurity=true, Read rights are required for all source items. When it is
determined that an item should be updated or created in the target database,
Write right is required on the source item. If it is determined that the item
should be deleted from target database, Delete right is required on the target item.
In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
Default value: false
-->
<setting name="Publishing.CheckSecurity" value="false" />
Set the value="true"
But again you have to govern the security tightly, and assign user role properly. Failed to do so you will experience buggy publishing.
Hope that will help
© 2022 - 2024 — McMap. All rights reserved.