This article covers Bloomreach Experience Manager version 11. There's an updated version available that covers our most recent release.

Deny Access to a Folder

Introduction

Goal

Deny a group access to a specific folder in the content repository.

Use Case

The use case is based on a Hippo project created using the Maven archetype, with the News feature added.

Such a project contains two root content folders:

  • /content/documents/myhippoproject
    Contains the news articles.
  • /content/documents/administration
    Contains resource bundles to manage static labels on the website.

By default the 'editor' group has editor privileges on both folders, and the 'author' group has author privileges in both folders.

You want to deny the 'author' group access to the administration folder, while the 'editor' group retains all its privileges.

Strategy

To be able to deny access to the administration folder you will customize the default security domains as follows:

  • Exclude the administration folder from the default hippodocuments and hippofolders domains.
  • Define a new domain administrationdocuments that includes only the administration folder.
  • Assign the 'editor' group editor privileges on the administrationdocuments domain.

Customize Security Domains

Exclude the Folder from the Default Domains

Log in to the Console as 'admin'.

At /hippo:configuration/hippo:domains/hippodocuments/hippo-document add a new facet rule exclude-administration-folder:

/hippo:configuration/hippo:domains/hippodocuments/hippo-document
  + exclude-administration-folder [hipposys:facetrule]
    - hipposys:equals:  false
    - hipposys:facet:  jcr:path
    - hipposys:filter:  false
    - hipposys:type:  Reference
    - hipposys:value:  /content/documents/administration

Download exclude-administration-folder.xml for easy importing in the Console.

At /hippo:configuration/hippo:domains/hippofolders/hippostd-folder add the same facet rule exclude-administration-folder:

/hippo:configuration/hippo:domains/hippofolders/hippostd-folder
  + exclude-administration-folder [hipposys:facetrule]
    - hipposys:equals:  false
    - hipposys:facet:  jcr:path
    - hipposys:filter:  false
    - hipposys:type:  Reference
    - hipposys:value:  /content/documents/administration

Download exclude-administration-folder.xml for easy importing in the Console.

Create a New Domain for the Folder

At /hippo:configuration/hippo:domains add a new security domain administrationdocuments:

/hippo:configuration/hippo:domains
  + administrationdocuments [hipposys:domain]
    + hippo-document [hipposys:domainrule]
      + hide-prototypes [hipposys:facetrule]
        - hipposys:equals:  false
        - hipposys:facet:  nodename
        - hipposys:filter:  false
        - hipposys:type:  Name
        - hipposys:value:  hipposysedit:prototype
      + include-administration-folder [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  jcr:path
        - hipposys:filter:  false
        - hipposys:type:  Reference
        - hipposys:value:  /content/documents/administration
      + nodetype-hippo-document [hipposys:facetrule]
        - hipposys:equals:  true
        - hipposys:facet:  nodetype
        - hipposys:filter:  false
        - hipposys:type:  Name
        - hipposys:value:  hippo:document

Download administrationdocuments.xml for easy importing in the Console.

Grant Permissions

Grant the Admin and Editors Groups Editor Privileges on the New Domain

Log in to the CMS as 'admin'.

Browse to the Admin perspective.

Select 'Permissions'.

Grant the group 'admin' editor privileges in the administrationdocuments domain.

Grant the group 'editor' editor privileges in the administrationdocuments domain.

Log out.

Verify Permissions

Log in to the CMS as 'editor'.

Verify that you can browse to the administration folder and can edit documents inside the administration folder.

Log out.

Log in to the CMS as 'author'.

Verify that you can't see the administration folder.
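
The expected outcome of these checks can be reasoned through with a small model of the facet rules configured above. This is an added example, not Bloomreach code: it assumes that all facet rules in a domain rule must match, that the default hippodocuments rule selects hippo:document nodes, and it uses constructed node paths.

```python
from dataclasses import dataclass

ADMIN = "/content/documents/administration"

@dataclass(frozen=True)
class Node:
    path: str
    nodetype: str = "hippo:document"

@dataclass(frozen=True)
class FacetRule:
    facet: str    # hipposys:facet
    value: str    # hipposys:value
    equals: bool  # hipposys:equals

    def matches(self, node: Node) -> bool:
        if self.facet == "jcr:path":
            # Node itself or a descendant; the "/" keeps a sibling such as
            # /content/documents/administration-old out of the match.
            hit = node.path == self.value or node.path.startswith(self.value + "/")
        elif self.facet == "nodetype":
            hit = node.nodetype == self.value  # exact name: a simplification
        elif self.facet == "nodename":
            hit = node.path.rsplit("/", 1)[-1] == self.value
        else:
            raise ValueError(f"facet not modelled: {self.facet}")
        return hit == self.equals

IS_DOCUMENT = FacetRule("nodetype", "hippo:document", True)
# Assumption: one domain rule per domain, all facet rules AND-ed together.
DOMAINS = {
    # Only the exclusion is from the page; the nodetype rule is assumed.
    "hippodocuments": [IS_DOCUMENT, FacetRule("jcr:path", ADMIN, False)],
    "administrationdocuments": [
        FacetRule("nodename", "hipposysedit:prototype", False),
        FacetRule("jcr:path", ADMIN, True),
        IS_DOCUMENT,
    ],
}
# Groups holding a role on each domain, as described on the page.
GRANTS = {
    "hippodocuments": {"editor", "author"},
    "administrationdocuments": {"admin", "editor"},
}

def domains_for(node: Node) -> list:
    return sorted(d for d, rules in DOMAINS.items()
                  if all(r.matches(node) for r in rules))

def groups_with_access(node: Node) -> set:
    return set().union(*(GRANTS[d] for d in domains_for(node)))
```

A document below the administration folder resolves only to administrationdocuments, so 'author' drops out of its access set. If the exclusion rule is left off the default domain, the same document would still match hippodocuments and 'author' would keep access.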
