
Let's say I have users imported from Active Directory and I have only read-only privileges on AD roles (I still can add my Sitecore roles on top):

every user is in a generic domainuser role

I have other roles, for instance budgetviewers

I have a folder, budget that should be accessible only to users on budgetviewers role.

So, the typical user accessing that folder will be in the domainusers AND budgetviewers roles.

Now, my problem is that deny privileges/inheritance seem to take precedence over "allow" privileges. So if domainusers are denied privileges and/or inheritance on the budget folder, no matter what I do to the budgetviewer role, the users are not able to see the folder. As every user is in the domainusers folder, no user can access the budget folder. If I don't limit domainusers from seeing the budget folder, as every user is in that role, everyone will see that folder. I don't have privileges/ownership to delete the domainuser role from users. How should I approach this? Thank you.

eloycm

2 Answers


You should break inheritance in the security settings instead of denying access rights. More information can be found in the blog post and in the Sitecore Security Administrator's Cookbook, chapter 5.2.3.

Marek Musielak
  • Breaking the inheritance on domainuser doesn't solve the problem. I still can't allow the budgetviewer to see the folder if budgetviewer is a domainuser. – eloycm Apr 22 '13 at 18:31
  • You should never use **deny**. Breaking inheritance just says to **Sitecore** "start fresh from this item". And then set allow for **budgetviewer** users only. It's explained with an example in the linked post. – Marek Musielak Apr 22 '13 at 18:43
  • This is also a good read: http://theclientview.net/2011/04/sitecore-recommended-practices-part-3-security-roles-and-users/ – jammykam Apr 23 '13 at 05:32

I discovered that there is a small twist in Sitecore inheritance. Let's say you break the inheritance on node X for role A. Then if role B wants to access that node, it must be explicitly allowed on node X. If you do that on the parent node (which is what I was doing) it doesn't work; the user with roles A and B will be denied. So to summarize, by breaking the inheritance I'm not telling Sitecore "start fresh from this item", but instead "deny anyone not explicitly allowed on this item -- and I don't care who the parent is":

breaking inheritance + inherited allow privileges on another role = deny

breaking inheritance + allow privileges on the very same node = allow

eloycm
  • The grammar in this answer is a bit confusing so I've left this comment. Break the inheritance then toggle the read permission ON for your desired role (or whatever permission you want to give for that role). + 1 though as this helped me – Sean T Apr 15 '19 at 13:15
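The approach from both answers (break inheritance on the item itself, then grant read to the role on that same item, never a Deny) written against Sitecore's item security API. This is an added example, not code from the question, the answers or Sitecore's documentation; the role names `sitecore\Everyone` and `sitecore\budgetviewers`, and the class/method names in `Sitecore.Security.AccessControl` and `Sitecore.Security.Accounts`, are assumed to match your Sitecore version and should be checked against its API reference.

```csharp
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;

// Added example: lock the "budget" item down to one role without a Deny rule.
public static class BudgetFolderSecurity
{
    // Assumed role names; replace with the roles that exist in your instance.
    private const string EveryoneRole = @"sitecore\Everyone";
    private const string BudgetViewersRole = @"sitecore\budgetviewers";

    public static void RestrictToBudgetViewers(Item budgetItem)
    {
        Role everyone = Role.FromName(EveryoneRole);
        Role viewers = Role.FromName(BudgetViewersRole);

        AccessRuleCollection rules = budgetItem.Security.GetAccessRules();

        // Step 1: break inheritance for everyone on this item and its descendants.
        // Read granted higher up (e.g. to domainusers) no longer flows down to it.
        rules.Add(new AccessRule(everyone, AccessRight.ItemRead,
            PropagationType.Any, SecurityPermission.DenyInheritance));

        // Step 2: grant read explicitly on this very item. An Allow placed on a
        // parent item would not reach here once inheritance is broken, which is
        // the twist the second answer describes.
        rules.Add(new AccessRule(viewers, AccessRight.ItemRead,
            PropagationType.Any, SecurityPermission.AllowAccess));

        using (new EditContext(budgetItem))
        {
            budgetItem.Security.SetAccessRules(rules);
        }
    }

    // Verification hook: a user only in domainusers should get false here,
    // a user in domainusers AND budgetviewers should get true.
    public static bool CanRead(Item budgetItem, User user)
    {
        return budgetItem.Security.CanRead(user);
    }
}
```

Run `CanRead` for one account from each group after applying the rules; if the budgetviewers user is still refused, look for an inherited Deny on an ancestor item, since a Deny anywhere up the tree still wins over the Allow set here.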