I have a section of my content tree which I would like to deny ALL permissions to except for specific roles. This seems like a really obvious task to perform, and yet I don't see an example of it in the Security Administrator's Cookbook and I can't figure out an easy way to do it using the security tools. I must be missing something obvious... ???

Say I have this:

sitecore
-content
  -branchA
  -branchB

Everything I created in the content tree is readable by extranet\Anonymous by default. But even when I click on the "Require Login" on the security ribbon, all users still have read access, they just have to log in. I want to make branchB readable by ONLY sitecore\SomeRole members. How is this done?

+1  A: 

It sounds like your problem is that you're allowing the extranet\Anonymous user to have read access too far up in the tree. Remove the access grant at the top level (don't deny it, just remove it) and grant it wherever you really need it (like at branchA).

EliThompson
+1  A: 

Ok, follow this guideline.

Let's say we have sitecore\SomeRole and a content tree like this:

Home
  branchA
    itemA1
  branchB
    itemB1

We'd like to deny access to branchB and all its descendants for everyone, except for SomeRole.

First off, in Security Editor select the Home node, choose the sitecore\Everyone role and set the following permissions:

alt text

Now check the access in AccessViewer - that's what we need:

alt text

Let's allow branchB for SomeRole. Go back to Security Editor and explicitly allow permissions for SomeRole:

alt text

And check this in AccessViewer again:

alt text

Hope this answers your question. Beware that Sitecore versions prior to 6.2.X have an issue: AccessViewer doesn't refresh correctly after permissions are set. Kill aspnetwp (w3wp) to fix this.

Yan Sklyarenko
Hmmmm... this would probably be very useful if I saw the images. :) All I can see is "Alt text". I think I figured it out, although what I did was go to the Home node and click on Remove Inherit. Then set deny Inheritance for extranet\Everyone. Will __Everyone really get everyone? I wasn't having much luck with that.
Bryan
Sorry, I thought the images are visible for everyone like for me - nothing proves otherwise... I'll try to update the initial answer to display the images. Yes, __Everyone means everyone. It is a global role. There are local domain everyones (sitecore\Everyone, extranet\Everyone, etc.) which are everyone for all roles in a particular domain. And there's a global Everyone to include all of this.
Yan Sklyarenko
See if the images are fixed now
Yan Sklyarenko
Got 'em now. Thanks Yan!
Bryan