Grant Access to One Channel Only - BloomReach Experience - Open Source CMS
22-01-2019

Grant Access to One Channel Only

Introduction

Goal

Grant a group access only to a specific channel and its content.

Use Case

The use case is based on a Bloomreach Experience Manager project created using the Maven archetype, with the News feature and a French translated channel added.

The project contains the following content root folders:

/content:
  /documents:
    /myproject:
    /monprojet:
    /administration:
  /assets:
    /myproject:
    /monprojet:
  /gallery:
    /myproject:
    /monprojet:

Note the separate assets and gallery folders for myproject and monprojet. These were not created if you followed Add a Translated Channel, so add them if necessary.

You want to create two groups:

  • french-authors
  • french-editors

You want to grant french-authors:

  • author privileges in /content/documents/monprojet (so they can create French documents)
  • readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
  • readonly privileges in /content/assets/myproject and /content/gallery/myproject (so they can re-use English assets and images)

You want to grant french-editors:

  • editor privileges in /content/documents/monprojet (so they can publish French documents)
  • readwrite privileges in /content/assets/monprojet and /content/gallery/monprojet (so they can upload French assets and images)
  • readonly privileges in /content/assets/myproject and /content/gallery/myproject (so they can re-use English assets and images)

You want to deny both french-authors and french-editors access to /content/documents/myproject and /content/documents/administration.

You want french-authors and french-editors to only be able to access the French preview channel (Mon Projet) in the Channels perspective.

You want french-editors to be able to edit the French channel.

You want french-authors only able to preview the French channel but not edit it.

Strategy

To set up the privileges described above, customize the default security domains as follows:

  • Define a new domain common-read that includes all the nodes the new groups need readonly permission on.
  • Define a new domain french-content that includes the French documents, assets and gallery folders.

Customize Security Domains

Create a New Domain for Read-Only Nodes

Log in to the Console as 'admin'.

At /hippo:configuration/hippo:domains add a new security domain common-read:

/hippo:configuration/hippo:domains:
  /common-read:
    jcr:primaryType: hipposys:domain
    /assets-node:
      jcr:primaryType: hipposys:domainrule
      /path-by-uuid:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/assets
    /content-node:
      jcr:primaryType: hipposys:domainrule
      /node-by-uuid:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:uuid
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content
    /documents-node:
      jcr:primaryType: hipposys:domainrule
      /node-by-uuid:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:uuid
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/documents
    /folder-templates:
      jcr:primaryType: hipposys:domainrule
      /all-templates:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /hippo:configuration/hippo:queries/hippo:templates
    /gallery:
      jcr:primaryType: hipposys:domainrule
      /path-by-uuid:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/gallery

Download common-read.yaml for easy importing in the Console.

Create a New Domain for French Content 

At /hippo:configuration/hippo:domains add a new security domain french-content:

/hippo:configuration/hippo:domains:
  /french-content:
    jcr:primaryType: hipposys:domain
    /assets:
      jcr:primaryType: hipposys:domainrule
      /in-french-folder:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/assets/monprojet
    /documents:
      jcr:primaryType: hipposys:domainrule
      /in-french-folder:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/documents/monprojet
    /gallery:
      jcr:primaryType: hipposys:domainrule
      /in-french-folder:
        jcr:primaryType: hipposys:facetrule
        hipposys:equals:  true
        hipposys:facet:  jcr:path
        hipposys:filter:  false
        hipposys:type:  Reference
        hipposys:value:  /content/gallery/monprojet

Download french-content.yaml for easy importing in the Console.

Write Changes to the Repository

If you haven't done so already, make sure all the changes you made in the Console are written to the repository.

Create Groups

Log in to the CMS as 'admin' and open the Admin perspective.

Create two new groups: french-editors and french-authors.

For testing purposes create two new users:

Create a new user sophie and make her a member of the french-editors group.

Create a new user alain and make him a member of the french-authors group.

Grant Permissions

Grant the following permissions (one row per security domain; each column lists the groups that get that role on the domain):

Domain          readonly                         readwrite                        author           editor
common-read     french-authors, french-editors   -                                -                -
defaultwrite    -                                french-authors, french-editors   -                -
french-content  -                                french-authors                   french-authors   french-editors
hipporequests   -                                -                                french-authors   french-editors
hstconfig       -                                french-editors                   -                -
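To see what the two custom domains and the grants above add up to for a given repository node, here is an added Python model; it is not part of the Bloomreach documentation or product. It assumes (the author's reading of Bloomreach domain semantics, not stated on this page) that a jcr:path Reference facetrule matches the referenced node and its whole subtree, that a jcr:uuid Reference facetrule matches only that one node, and that a domain grants its roles when any of its domainrules has all of its facetrules matching. Roles are taken literally from the table (no author-implies-readwrite expansion), and the built-in defaultwrite, hipporequests and hstconfig domains are left out because their rules are not shown here. The sample leaf paths (news, logo.png, banner.jpg) are constructed.

```python
"""Model of the page's custom security domains and the grants table.

Added illustration, not Bloomreach code. Assumed semantics (not on the page):
  * facet jcr:path + type Reference matches the node and its whole subtree;
  * facet jcr:uuid matches only that node (the path stands in for the uuid);
  * a domainrule needs all its facetrules; a domain needs any domainrule.
"""
from copy import deepcopy

# domain -> domainrule name -> list of (facet, value); every facetrule on the
# page has hipposys:equals true, hipposys:filter false, hipposys:type Reference.
DOMAINS = {
    "common-read": {
        "assets-node":      [("jcr:path", "/content/assets")],
        "content-node":     [("jcr:uuid", "/content")],
        "documents-node":   [("jcr:uuid", "/content/documents")],
        "folder-templates": [("jcr:path", "/hippo:configuration/hippo:queries/hippo:templates")],
        "gallery":          [("jcr:path", "/content/gallery")],
    },
    "french-content": {
        "assets":    [("jcr:path", "/content/assets/monprojet")],
        "documents": [("jcr:path", "/content/documents/monprojet")],
        "gallery":   [("jcr:path", "/content/gallery/monprojet")],
    },
}

# domain -> role -> groups, from the grants table (custom domains only).
GRANTS = {
    "common-read":    {"readonly":  {"french-authors", "french-editors"}},
    "french-content": {"readwrite": {"french-authors"},
                       "author":    {"french-authors"},
                       "editor":    {"french-editors"}},
}


def facet_matches(facet, value, path):
    """Evaluate one Reference facetrule (equals=true) against a node path."""
    if facet == "jcr:path":                      # node and its subtree (assumed)
        return path == value or path.startswith(value.rstrip("/") + "/")
    if facet == "jcr:uuid":                      # exactly that node (assumed)
        return path == value
    raise ValueError(f"unsupported facet {facet!r}")


def domain_matches(rules, path):
    """Any domainrule matches, and a domainrule needs all of its facetrules."""
    return any(all(facet_matches(f, v, path) for f, v in facets)
               for facets in rules.values())


def roles_for(group, path, domains=DOMAINS, grants=GRANTS):
    """Union of the roles `group` holds on `path` across all matching domains."""
    roles = set()
    for name, by_role in grants.items():
        if domain_matches(domains[name], path):
            roles |= {role for role, groups in by_role.items() if group in groups}
    return roles


# Requirements from the Use Case section as (group, path, expected roles);
# the leaf names are constructed sample nodes.
USE_CASE = [
    ("french-authors", "/content/documents/monprojet/news",     {"readwrite", "author"}),
    ("french-editors", "/content/documents/monprojet/news",     {"editor"}),
    ("french-authors", "/content/assets/monprojet/logo.png",    {"readonly", "readwrite", "author"}),
    ("french-authors", "/content/gallery/myproject/banner.jpg", {"readonly"}),
    ("french-authors", "/content/documents",                    {"readonly"}),  # needed to reach monprojet
    ("french-authors", "/content/documents/myproject",          set()),
    ("french-editors", "/content/documents/administration",     set()),
]


def failed_expectations(domains=DOMAINS):
    """Return the (group, path) pairs whose computed roles differ from USE_CASE."""
    return [(g, p) for g, p, want in USE_CASE if roles_for(g, p, domains) != want]


def documents_node_as_subtree():
    """Variant where common-read's documents-node uses jcr:path instead of jcr:uuid.

    A subtree match on /content/documents would leak readonly access to the
    myproject and administration folders to both groups.
    """
    leaky = deepcopy(DOMAINS)
    leaky["common-read"]["documents-node"] = [("jcr:path", "/content/documents")]
    return leaky


if __name__ == "__main__":
    for group, path, _ in USE_CASE:
        print(f"{group:15} {path:42} {sorted(roles_for(group, path))}")
    print("failed with the page's domains:", failed_expectations())
    print("failed with jcr:path on documents-node:",
          failed_expectations(documents_node_as_subtree()))
```

The documents_node_as_subtree variant is the reason common-read matches /content and /content/documents by jcr:uuid rather than jcr:path: the groups need to read those two folder nodes to navigate to monprojet, but a subtree match on /content/documents would also expose the myproject and administration folders the use case wants hidden. Running the model with that variant reports those paths as failed expectations, while the page's own configuration passes all of them.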

Configure CMS Access

By default only users with at least author privileges on /content/documents are authorized to use the CMS application. Because the new groups only have read access to /content/documents you need to reconfigure who can use the CMS.

  • Log in to the Console as admin.

  • Select the node /hippo:configuration/hippo:frontend/cms.

  • Change the value of the property frontend:privileges from hippo:author to jcr:read.

  • Click Write changes to the repository.

Verify

Log in to the CMS as 'alain' and verify that you can:

  • browse the 'monprojet' content folder
  • create subfolders in the 'monprojet' folder
  • create and edit documents in the 'monprojet' folder
  • upload and use images in the 'monprojet' gallery folder
  • use images in the 'myproject' gallery folder
  • upload and use files in the 'monprojet' assets folder
  • use files in the 'myproject' assets folder
  • request publication for documents in the 'monprojet' tree
  • preview the Mon Projet channel

Verify that you can't:

  • see the 'myproject' and 'administration' folders
  • see the My Project channel
  • edit the Mon Projet channel
  • upload images or create subfolders in the 'myproject' gallery folder
  • upload files or create subfolders in the 'myproject' assets folder

Do the same for 'sophie' and also verify that she can:

  • publish documents in the 'monprojet' folder
  • accept or reject publication requests in the 'monprojet' folder
  • edit the Mon Projet channel

Now that you have successfully granted French authors and editors access to the French channel and its content only, go on and create groups for English authors and editors and grant them access to the English channel and its content only.