Grant Access to One Channel Only - BloomReach Experience - Open Source CMS

This article covers Hippo CMS version 10. There's an updated version available that covers our most recent release.

06-04-2016

Grant Access to One Channel Only

Introduction

Goal

Grant a group access only to a specific channel and its content.

Use Case

The use case is based on a Hippo project created using the Maven archetype, with the News feature added, and a French translated channel added.

The project contains the following content root folders:

+ content
  + documents
    + myhippoproject
    + monprojethippo
    + administration
  + assets
    + myhippoproject
    + monprojethippo
  + gallery
    + myhippoproject
    + monprojethippo

Note the separate assets and gallery folders for myhippoproject and monprojethippo. These were not created if you followed Add a Translated Channel, so add them if necessary.

You want to create two groups:

  • french-authors
  • french-editors

You want to grant french-authors:

  • author privileges in /content/documents/monprojethippo (so they can create French documents)
  • readwrite privileges in /content/assets/monprojethippo and /content/gallery/monprojethippo (so they can upload French assets and images)
  • readonly privileges in /content/assets/myhippoproject and /content/gallery/myhippoproject (so they can re-use English assets and images)

You want to grant french-editors:

  • editor privileges in /content/documents/monprojethippo (so they can publish French documents)
  • readwrite privileges in /content/assets/monprojethippo and /content/gallery/monprojethippo (so they can upload French assets and images)
  • readonly privileges in /content/assets/myhippoproject and /content/gallery/myhippoproject (so they can re-use English assets and images)

You want to deny both french-authors and french-editors access to /content/documents/myhippoproject and /content/documents/administration.

You want french-authors and french-editors to only be able to access the French preview channel (Mon Projet Hippo) in the Channels perspective.

Strategy

To set up the privileges described above, customize the default security domains as follows:

  • Define a new domain common-read that includes all the nodes the new groups need readonly permission on.
  • Define a new domain french-content that includes the French documents, assets and gallery folders.

Customize Security Domains

Create a New Domain for Read-Only Nodes

Log in to the Console as 'admin'.

At /hippo:configuration/hippo:domains add a new security domain common-read:

/hippo:configuration/hippo:domains
  + common-read [hipposys:domain]
    + assets-node [hipposys:domainrule]
      + path-by-uuid [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/assets
    + content-node [hipposys:domainrule]
      + node-by-uuid [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  jcr:uuid
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content
    + documents-node [hipposys:domainrule]
      + node-by-uuid [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  jcr:uuid
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/documents
    + folder-templates [hipposys:domainrule]
      + all-templates [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /hippo:configuration/hippo:queries/hippo:templates
    + gallery [hipposys:domainrule]
      + path-by-uuid [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/gallery

Download common-read.xml for easy importing in the Console.

Create a New Domain for French Content 

At /hippo:configuration/hippo:domains add a new security domain french-content:

/hippo:configuration/hippo:domains
  + french-content [hipposys:domain]
    + assets [hipposys:domainrule]
      + in-french-folder [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/assets/monprojethippo
    + documents [hipposys:domainrule]
      + in-french-folder [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/documents/monprojethippo
    + gallery [hipposys:domainrule]
      + in-french-folder [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  hippo:paths
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/gallery/monprojethippo

Download french-content.xml for easy importing in the Console.

Write Changes to the Repository

If you haven't done so already, make sure all the changes you made in the Console are written to the repository.

Create Groups

Log in to the CMS as 'admin' and open the Admin perspective.

Create two new groups: french-editors and french-authors.

For testing purposes, create two new users:

  • Create a new user sophie and make her a member of the french-editors group.
  • Create a new user alain and make him a member of the french-authors group.

Grant Permissions

Grant the following permissions:

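| Domain         | readonly                       | readwrite                      | author         | editor         |
|----------------|--------------------------------|--------------------------------|----------------|----------------|
| common-read    | french-authors, french-editors |                                |                |                |
| defaultwrite   |                                | french-authors, french-editors |                |                |
| french-content |                                | french-authors                 | french-authors | french-editors |
| hipporequests  |                                |                                | french-authors | french-editors |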
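
The two custom domains and their grants can be checked on paper before testing in the CMS. The following is an added example, not Hippo code and not part of the original article: a simplified model that assumes a hippo:paths facet rule matches the referenced node and everything below it, while a jcr:uuid facet rule matches the referenced node only. The function names are hypothetical, and defaultwrite and hipporequests are left out because their rules are not shown on this page.

```python
# Added example: a simplified model, not Hippo's authorization engine.
# Assumption: hippo:paths matches the referenced node and its descendants;
# jcr:uuid matches the referenced node only.
SUBTREE, NODE = "hippo:paths", "jcr:uuid"

# domain -> (facet, referenced path) pairs, copied from the two domains above
DOMAINS = {
    "common-read": [
        (SUBTREE, "/content/assets"),
        (NODE, "/content"),
        (NODE, "/content/documents"),
        (SUBTREE, "/hippo:configuration/hippo:queries/hippo:templates"),
        (SUBTREE, "/content/gallery"),
    ],
    "french-content": [
        (SUBTREE, "/content/assets/monprojethippo"),
        (SUBTREE, "/content/documents/monprojethippo"),
        (SUBTREE, "/content/gallery/monprojethippo"),
    ],
}

# (domain, role) -> groups, copied from the permissions table
GRANTS = {
    ("common-read", "readonly"): {"french-authors", "french-editors"},
    ("french-content", "readwrite"): {"french-authors"},
    ("french-content", "author"): {"french-authors"},
    ("french-content", "editor"): {"french-editors"},
}


def in_domain(domain, path):
    """True if any domain rule of `domain` selects the node at `path`."""
    for facet, ref in DOMAINS[domain]:
        if path == ref or (facet == SUBTREE and path.startswith(ref + "/")):
            return True
    return False


def roles_for(group, path):
    """Roles `group` holds on `path`; an empty set means no access at all."""
    return {role for (domain, role), groups in GRANTS.items()
            if group in groups and in_domain(domain, path)}


if __name__ == "__main__":
    # Constructed sample paths for illustration
    for p in ("/content/documents",
              "/content/documents/myhippoproject/news",
              "/content/documents/monprojethippo/news",
              "/content/gallery/myhippoproject/banner.png"):
        print(p, sorted(roles_for("french-authors", p)))
```

In this model the /content/documents node itself is readable, which the CMS access check below relies on, while /content/documents/myhippoproject and /content/documents/administration match no rule and stay hidden.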

Configure CMS Access

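By default, only users with at least author privileges on /content/documents are authorized to use the CMS application. Because the new groups only have read access to /content/documents, you need to reconfigure who can use the CMS. After this change, read access to /content/documents is enough to use the CMS, so check which other groups have read access to that node.

  • Log in to the Console as admin.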

  • Select the node /hippo:configuration/hippo:frontend/cms.

  • Change the value of the property privileges from hippo:author to jcr:read.

  • Click 'Write changes to the repository'.

Verify

Log in to the CMS as 'alain' and verify that you can:

  • browse the 'monprojethippo' content folder
  • create subfolders in the 'monprojethippo' folder
  • create and edit documents in the 'monprojethippo' folder
  • upload and use images in the 'monprojethippo' gallery folder
  • use images in the 'myhippoproject' gallery folder
  • upload and use files in the 'monprojethippo' assets folder
  • use files in the 'myhippoproject' assets folder
  • request publication for documents in the 'monprojethippo' tree
  • preview the Mon Projet Hippo channel

Verify that you can't:

  • see the 'myhippoproject' and 'administration' folders
  • see the My Hippo Project channel
  • upload images or create subfolders in the 'myhippoproject' gallery folder
  • upload files or create subfolders in the 'myhippoproject' assets folder

Do the same for 'sophie' and also verify that she can:

  • publish documents in the 'monprojethippo' folder
  • accept or reject publication requests in the 'monprojethippo' folder

Now that you have successfully granted French authors and editors access to the French channel and its content only, go on and create groups for English authors and editors and grant them access to the English channel and its content only.