This article covers a Bloomreach Experience Manager version 11. There's an updated version available that covers our most recent release.

Set permissions on folders

Goal

The goal of this manual is to show how to set up a group that has permissions only on a specific folder.

This manual starts with a running application and will add a group news-editors with the following permissions:

  • editor permissions on documents in the folder news

  • editor permissions on images in the folder news

  • editor permissions on assets in the folder news

  • read permissions on all (other) images

It is advisable to also read Repository Authorization and Permissions where some of the used terms are explained in more depth.

Prerequisites

Create folder

  • Log in to the CMS as admin

  • Go to the documents perspective

  • Create a (root) folder with the title news in images

  • Create a (root) folder with the title news in assets

Create user and group

  • Log in to the CMS as admin

  • Go to the admin perspective

  • Create a user journalist

  • Create the group news-editors

  • Make the user journalist member of news-editors

Create security domains

Security domains are configured in the Console.

A user (or group) is granted permissions by assigning a role to the user for a specific security domain. A security domain is basically a set of documents and folders or in JCR terminology a collection of nodes.

To achieve the goal stated above, two security domains are needed: one for which the news-editors group only has read permissions and one for which the news-editors group has editor permissions.

Import the security domains

  • Download the attachments news-editors-read.xml and news-editors-editor.xml.

  • Log in to the Console as admin

  • Select the node /hippo:configuration/hippo:domains

  • Click on import and select the news-editors-read.xml file, leave all the settings at their defaults and click the import button

  • Click on import and select the news-editors-editor.xml file, leave all the settings at their defaults and click the import button

  • If your project has a different name than myhippoproject, replace myhippoproject with your project's name in the hipposys:value properties of the following nodes:

    • /hippo:configuration/hippo:domains/news-editors-editor/news-documents/path-by-uuid

    • /hippo:configuration/hippo:domains/news-editors-read/channel-node/node-by-uuid

    • /hippo:configuration/hippo:domains/news-editors-read/news-node/node-by-uuid

  • Click write changes to repository

The news-editors-read security domain gives the news editors read permissions to the following folders:

  • the content folder

  • the content/documents folder

  • the content/documents/myhippoproject folder

  • the content/documents/myhippoproject/news folder

  • the content/assets folder

  • the content/gallery folder and all sub folders and documents

  • the templates for new (document) folders, image folders and asset folders
    (the root node is allowed by default in defaultread)

The news-editors-editor security domain gives the news editors editor permissions to the following folders ([channelname] has been replaced by the appropriate channel), as stated in the goal:

  • the content/documents/myhippoproject/news folder and all its subfolders and documents

  • the content/assets/news folder and all its subfolders and assets

  • the content/gallery/news folder and all its subfolders and images

The domain rules in this example use two types of facet rules to allow permissions on a folder or node. These are the node-by-uuid and the path-by-uuid rules.

The node-by-uuid facet rule uses the fact that hippo:document nodes and all derived types are referenceable. This means that such nodes always have the jcr:uuid property set to their unique identifying uuid. The facet rule matches the node whose property named by hipposys:facet (here jcr:uuid) is equal to the value specified in hipposys:value. Instead of putting the uuid directly in the hipposys:value property, the Reference facet rule type is used and the path is set in hipposys:value. At login the uuid of the node at that path is looked up and used as the value for matching.

The path-by-uuid facet rule is similar to the node-by-uuid facet rule, except that it doesn't match on the jcr:uuid property but on a node path. The facet rule will match the folder node itself and all its descendants.
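To make the difference between the two rule types concrete, here is a small added model of their matching semantics, evaluated against a constructed node tree. This is illustration code written for this page, not Bloomreach or Hippo repository code; the node paths, uuids and the way the rules are grouped into the two domains are assumptions modelled on the folder lists above, and the defaultread/defaultwrite domains are left out.

```python
"""Simplified model of the node-by-uuid and path-by-uuid facet rules (added illustration)."""

# Constructed sample repository: path -> jcr:uuid. Every hippo:document-derived
# node is referenceable, so each node carries a uuid.
NODES = {
    "/content": "u-content",
    "/content/documents": "u-documents",
    "/content/documents/myhippoproject": "u-project",
    "/content/documents/myhippoproject/news": "u-news-docs",
    "/content/documents/myhippoproject/news/article": "u-article",
    "/content/documents/myhippoproject/events": "u-events",
    "/content/gallery": "u-gallery",
    "/content/gallery/news": "u-news-images",
    "/content/gallery/news/photo.jpg": "u-photo",
    "/content/gallery/logos": "u-logos",
    "/content/assets": "u-assets",
    "/content/assets/news": "u-news-assets",
    "/content/assets/news/report.pdf": "u-report",
    "/content/assets/legal": "u-legal",
}
PATH_OF_UUID = {uuid: path for path, uuid in NODES.items()}

def resolve_reference(path):
    """Reference-type rule: at login the path in hipposys:value is looked up
    and the node's uuid becomes the value that is matched on."""
    return NODES[path]

def node_by_uuid(value):
    """Facet jcr:uuid: matches exactly the node whose uuid equals the value."""
    target = resolve_reference(value)
    return {p for p, u in NODES.items() if u == target}

def path_by_uuid(value):
    """Path rule: matches the referenced node and all of its descendants."""
    root = PATH_OF_UUID[resolve_reference(value)]
    return {p for p in NODES if p == root or p.startswith(root + "/")}

# Assumed grouping: read domain = single folders on the way down plus the whole
# gallery; editor domain = the three news folders with all their descendants.
NEWS_EDITORS_READ = (node_by_uuid("/content") | node_by_uuid("/content/documents")
    | node_by_uuid("/content/documents/myhippoproject")
    | node_by_uuid("/content/documents/myhippoproject/news")
    | node_by_uuid("/content/assets") | path_by_uuid("/content/gallery"))
NEWS_EDITORS_EDITOR = (path_by_uuid("/content/documents/myhippoproject/news")
    | path_by_uuid("/content/assets/news") | path_by_uuid("/content/gallery/news"))

def effective_role(path):
    """Highest role the news-editors group ends up with on a node, or None."""
    if path in NEWS_EDITORS_EDITOR:
        return "editor"
    return "readonly" if path in NEWS_EDITORS_READ else None
```

Running effective_role over the tree reproduces the Test section: the sibling folder events under documents and the legal folder under assets are invisible, every image under gallery is readable, and everything under the three news folders is editable.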

Set permissions

  • Log in to the CMS as admin

  • Go to the permissions in the admin perspective

  • Grant the group news-editors the role readwrite in defaultwrite

  • Grant the group news-editors the role readonly in news-editors-read

  • Grant the group news-editors the role editor in news-editors-editor

Configure CMS access

By default, only users with at least author-level access to /content/documents are authorized to use the CMS application. Because the news editors only have read access to /content/documents, we need to reconfigure who can use the CMS. See Configure login to CMS and Console applications for more information.

  • Log in to the Console as admin

  • Select the node /hippo:configuration/hippo:frontend/cms

  • Change the value of the property privileges from hippo:author to jcr:read

  • Click Write changes to the repository

Test

  • Log in to the CMS as journalist

  • Check that only the folder news in documents is visible

  • Add a document to the news folder

  • Check that only the folder news in assets is visible

  • Add an asset to the news folder

  • Check that all images are visible

  • Check that only images can be added to the news folder

Groovy script for easy configuration

A groovy script was created to allow admins to configure permissions on folders easily for the most common use cases. You can grab it here.
