WiscWeb CMS - Working with Authorization Packages

In order to limit the privileges that users have to modify parts of the site, Administrators can apply authorization packages to their site's components. An authorization package (AP) gives you the ability to define for each user or each group what they can and cannot do on the site.

There are a few different levels of APs:

  • Global AP
    • is attached to the Project tree item
    • applies to all pages, links, and elements in the project structure, assuming they have no APs that are more specific
  • General AP (simply called Authorization Package in the CMS)
    • is attached to structural elements or pages
    • can apply to subordinate pages if you choose
    • overrides settings of Global AP
  • Detailed AP
    • is attached to structural elements, pages, or content elements
    • cannot apply to substructures
    • overrides settings of Global AP and General APs

One important component of using APs is the idea of inheritance, or the propagation of one AP's settings to subordinate pages or elements. The way that inheritance affects the development of a site when using Create and Connect Page off of a structural element is as follows:

  • If the structural element has a general AP, then the created page will inherit it
  • If the structural element does not have an AP, then the created page will inherit the AP of the next higher page (assuming the AP exists)
  • If the higher page does not have an AP, then the created page will inherit an AP that was pre-assigned to its Content Class (assuming the AP exists)
  • Otherwise, no AP is inherited

For any of the APs mentioned above, it is possible to choose authorizations for three different scopes of people:

  • Everyone
    • will apply to all users
  • Groups
    • will apply to all users of a particular group
    • overrides authorizations set for Everyone
  • Users
    • will apply to an individual user
    • overrides authorizations set for Everyone and for Groups

Combining these different types of APs with the various authorization scopes of people gives Administrators great control over whether and how various people access different parts of the site. One practical example of this is two different divisions working on the same project: the people in a Products division should not be able to modify the content belonging to the Services division.

Other, less common types of APs that are possible for a project are the following:

  • Content Class AP
  • Project Variant AP
  • Language Variant AP
  • Asset Manager Folders' APs
  • Detailed APs for attributes of an Asset Manager folder or external folder

Allowing Administrators All Privileges

Before setting permissions via APs for general users in your CMS project, keep in mind that your Administrators should be granted all permissions. If you were to remove certain permissions for "Everyone" in the CMS, such as the ability to assign APs, for example, you as an Administrator may be taking away your own privileges!

Below, we will begin by explicitly allowing all permissions for the Administrators of your site.

Setting Up a Global Authorization Package

With the global AP, we will set Administrators' permissions to the maximum, and remove some of the powerful permissions from everyone else. Technically speaking, this necessitates choosing to "allow" all permissions for the Administrators group, and choosing to "deny" some permissions for the Everyone group. Recall from the description of APs above that group-level authorizations override the settings for the Everyone group, a "group" that exists in the CMS by default.

  1. Browse beneath Administer Project Structure and select the Project item.

  2. In the Action Menu, select Create a Global Authorization Package.

    A new window appears.

  3. Give the AP a name, such as "Global AP," and click OK.

    SmartTree now shows the Global AP attached to the Project item.

  4. Select the Global AP item, and click "Edit Global Authorizations" in the Action Menu.

    A new window appears, which shows the different segments of users in the project, according to what was mentioned above:

    1. Everyone
    2. Groups
    3. Users

  5. Check the Administrators' group that you want to select, and click Next in the lower-right corner.

    The following screen shows you all of the permissions that you can explicitly allow or deny. Because we have not previously set up any permissions for any users, all of the abilities are implicitly allowed. However, we want to explicitly allow all permissions for Administrators, so that later permissions we set will not take away any of our abilities.

  6. Explicitly allow all the settings for Administrators, by clicking "Full control" at the bottom of each list of authorizations. Click OK when you are done.

    The Administrators group that we added permissions for now shows up underneath the Global AP in SmartTree. We could return to this group if we needed to edit/remove authorizations.

    Having added permissions for Administrators, now we need to remove some permissions from other users.

  7. Click again on the Global AP item, and again click on "Edit Global Authorizations" in the Action Menu.

    A new window appears, again presenting you with the groups and users that you can modify - notice, though, that the Administrators' group is now gone, because it appears in SmartTree beneath the Global AP item.

  8. Check the Everyone group, and click Next.

    The next screen shows all of the permissions that you can explicitly allow or deny. Because no settings for the Everyone group yet exist elsewhere in any AP, all of these permissions are implicitly allowed. So, we need to explicitly deny any permissions that are dangerous for everyone in the project to have (with the exception of the Administrators, since we already explicitly allowed all of these permissions).

  9. Depending on your intended permissions, check to deny at least the following options for the Everyone group:

    1. Global Authorizations > Content class replacement
    2. Global Authorizations > Use the Navigation Manager
    3. Links > Define Workflow
    4. Pages and Instances (in detail) > Assign authorization package
    5. Elements > Assign authorization package
    6. Content Classes > Assign authorization package

  10. When you are finished setting the permissions, click OK.

    The Everyone group now shows up beneath the Global AP item in SmartTree.

Set Up Other Groups in Global AP as Needed

You can also set up other groups' permissions in the Global AP as necessary. Do so when you want those permissions to affect the group throughout the website. More likely, you will set up their permissions with a General Authorization Package (GAP), as described below, which affects only a certain branch of the website.

Setting Up a General Authorization Package

A General Authorization Package (AP) is useful for affecting only a select branch or branches of a website and its permissions. Keep in mind that a General AP's settings will override those of the Global AP, if there is one.

In this How To, we will take a look at how you could remove all but Administrators' and a certain group's ability to modify a section of the website. This How To assumes that there is already an Administrators group and an event editors' group, for those who will manage the events section on the website. See "How To: Create a Group" for information on setting up a group.

  1. In SmartTree, navigate to the branch of the site that you want to set an AP for, and select the page. Since in this How To we will be removing most users' ability to modify events on the site, we will navigate to the Events page.

  2. Click to "Define [General] Authorization Package" in the Action Menu.

    A new window appears, allowing you to give a name to the General AP, and also allowing you to choose whether the AP ought to be inherited when new pages are created beneath this page in the future.

  3. Specify a name for the General AP, and click OK. When specifying the name, consider whether it is an AP that you would like to re-use elsewhere; if so, consider describing its function.

    The General AP shows up underneath the page in SmartTree.

  4. Click on the General AP and click "Edit Authorizations" in the Action Menu.

    A new window appears, allowing you to select groups and users to modify permissions for.

  5. Follow steps 5 and 6 from the above "How To: Set Up a Global Authorization Package," in order to allow Administrators the same permissions in this branch.

    You might think that we would not need to explicitly give Administrators the same permissions in this area, but because we are going to disallow most permissions for the Everyone group in this General AP, the Everyone group's settings in this General AP would override the Global AP's settings for Administrators, and thereby disallow Administrators from editing the Events page.

  6. Again, click on the General AP and click "Edit Authorizations" in the Action Menu.

    Again, a new window appears, allowing you to select groups and users to modify permissions for. Because we want only the Administrators and event editors to be able to edit this branch of the website, we will now assign the editors "Allow" permissions to edit, and the Everyone group "Deny."

  7. Check the event editors' group, and click Next in the lower-right corner.

    The next screen allows you to select which permissions the event editors are granted. We want to explicitly grant any permissions we expect the editors to have, since we are then going to explicitly deny permissions to everyone else.

  8. Check off the permissions that you want to grant the event editors, paying close attention to allow the Read and Edit permissions. Some permissions that you may not want to allow, however, are the following:

    1. Links > Define Workflow
    2. Pages and Instances (in detail) > Assign authorization package
    3. Elements > Assign authorization package

  9. Click OK when you are finished.

    The group appears in SmartTree beneath the General AP. We could return to this group if we needed to edit/remove authorizations.

  10. Click again on the General AP item, and again click on "Edit Authorizations" in the Action Menu.

    A new window appears, again presenting you with the groups and users that you can modify - notice, though, that the event editors' group is now gone, because it appears in SmartTree beneath the General AP item.

  11. Check the Everyone group, and click Next.

    The next screen shows all of the permissions that you can explicitly allow or deny. Because we do not want users other than Administrators and event editors to be able to edit this branch of the site, we will deny many permissions from the Everyone group. However, we still want them to be able to see these pages' content, so we will allow certain permissions.

  12. Check to allow the following permissions for the Everyone group, and deny all other permissions:

    1. Pages and Instances (in general) > Read
    2. Links > Read link element
    3. Pages and Instances (in detail) > Show information
    4. Pages and Instances (in detail) > Show reference list
    5. Pages and Instances (in detail) > Show versions
    6. Elements > Read

  13. Click OK when you are finished.

    The Everyone group now shows up beneath the General AP item in SmartTree.

    Now that we have set up the permissions, we want to apply these permissions to every part of this branch of the site. To do so, we need to attach this same General AP to the structural containers and navigation list associated with the Events page.

  14. In SmartTree, click on the Events page's con_Center_Column element, and click "Define [General] Authorization Package" from the Action Menu.

  15. In the window that appears, choose to "Connect to existing authorization package," for the Events GAP, and click OK.

    The General AP is now connected to the con_Center_Column container.

  16. With the General AP selected, click Inherit to Following Levels in the Action Menu.

    A new window appears to confirm your choice to inherit the authorizations.

  17. Click Yes to inherit the authorizations.

    A new window appears, asking whether you want to e-mail a notification to one of the project's users.

  18. Uncheck the box to do an e-mail notification, and when you are finished, press OK.

    Notice that the substructures now have the same General AP applied to them.

  19. Follow steps 12-16 for these other elements of the Events page:

    1. con_Left_Column
    2. con_Right_Column
    3. lst_Navigation

    By doing so, you ensure that any of the content beneath the main Events page will be affected by the same General AP.

    Once your General AP is in place, you can test its functionality by adding/removing yourself from the event editors' group, and trying to edit content within SmartEdit. You will notice that when you are not in the event editors' group, the Events page and its subpages have red dots with slashes through them if you try to open a Foundation page or block; these red dots indicate that you do not have permissions to edit the content.

Removing an Authorization Package From a Page / Element

If you need to remove a General or Detailed AP from some page or element, consider using the "Disconnect Authorization Package" option in the Action Menu when you have the AP selected. That will allow you to remove it from the page or element, without deleting it from the system. By doing so, you could later reconnect the AP to some other page or element.

Setting Up a Detailed Authorization Package

In addition to the Global AP and General APs, you can also create a Detailed AP to override the other two. In our case, perhaps we want an individual element within the events portion of the website to be controlled only by Administrators. In that case, we can specify a Detailed AP to disallow modification of the headline on the Events page.

  1. In SmartTree, navigate to the Events page. It already has a General AP applied to it, but can have a Detailed AP in addition.

  2. In the Action Menu, click to "Define Detailed Authorization Package."

    A new window appears, allowing you to type in a name for the Detailed AP.

  3. Type in a name that is appropriate for the purpose, and click OK.

    The Detailed AP shows up in SmartTree beneath the Events page, together with the General AP that we created before.

  4. Select the Detailed AP and click "Edit Detailed Authorizations" in the Action Menu.

    As usual, a new window appears where you can select the group(s) to edit permissions for. Because of the General AP we created in the previous How To, Administrators are already given all permissions, and the EventEditors group is given most permissions. If our objective is to only allow Administrators to be able to change the Events page's headline, then all we need to do is deny EventEditors the permission to edit headlines.

  5. Check the EventEditors group, and click Next in the lower-right corner.

  6. On the following page, simply click to deny the following:

    Pages and Instances (in detail) > Edit headlines

  7. Click OK when you are finished.

    The Detailed AP now has the EventEditors group beneath it.

    Now, when a member of the EventEditors group goes to the Events page, they will be able to modify any part of it, except for its title.

    With these 3 APs in place, EventEditors will have nearly full control over the Events portion of the site, with the exception of the ability to edit the Events page's headline; Administrators will have complete control; and other users will have no control over its content.
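
The combined effect of the Global, General and Detailed APs set up above can be checked with a small model. This is an added example, not CMS code: a simplified Python sketch of the precedence rules this page describes, in which the user names, the shortened permission names and the deny-wins rule for a user in several groups are assumptions.

```python
# Simplified model of the precedence rules this page describes (not CMS code).
ALLOW, DENY = "allow", "deny"
LEVELS = ("detailed", "general", "global")  # most specific AP is consulted first
PERMS = ["Read", "Edit", "Edit headlines", "Define Workflow",
         "Assign authorization package"]

def scope_decision(ap, user, groups, perm):
    """Within one AP: Users override Groups, and Groups override Everyone."""
    by_user = ap.get("users", {}).get(user, {})
    if perm in by_user:
        return by_user[perm]
    votes = {ap.get("groups", {}).get(g, {}).get(perm) for g in groups} - {None}
    if votes:
        # Assumption: when a user's groups disagree, deny wins.
        return DENY if DENY in votes else ALLOW
    return ap.get("everyone", {}).get(perm)  # None when nothing is set

def effective(aps, user, groups, perm):
    """The first AP level with an explicit setting decides the outcome."""
    for level in LEVELS:
        decision = scope_decision(aps.get(level, {}), user, groups, perm)
        if decision is not None:
            return decision, level
    return ALLOW, "implicit"  # nothing set anywhere: implicitly allowed

def events_aps(admins_in_general=True):
    """Constructed data mirroring the Events walkthrough on this page."""
    full = {p: ALLOW for p in PERMS}
    general = {
        "groups": {"EventEditors": {"Read": ALLOW, "Edit": ALLOW,
                                    "Edit headlines": ALLOW}},
        "everyone": {p: ALLOW if p == "Read" else DENY for p in PERMS},
    }
    if admins_in_general:  # step 5 of the General AP procedure
        general["groups"]["Administrators"] = dict(full)
    return {
        "global": {"groups": {"Administrators": dict(full)},
                   "everyone": {"Define Workflow": DENY,
                                "Assign authorization package": DENY}},
        "general": general,
        "detailed": {"groups": {"EventEditors": {"Edit headlines": DENY}}},
    }

if __name__ == "__main__":
    cases = [("admin1", ["Administrators"]), ("editor1", ["EventEditors"]),
             ("visitor1", [])]
    for label, aps in (("done", events_aps()), ("skipped", events_aps(False))):
        print(f"-- General AP step 5 {label} --")
        for user, groups in cases:
            for perm in ("Edit", "Edit headlines"):
                print(user, perm, effective(aps, user, groups, perm))
```

Running it with step 5 skipped shows the lockout the General AP procedure warns about: the Everyone deny in the General AP decides before the Global AP's allow for Administrators is ever consulted.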

Where to Find Existing Authorization Packages

When working with APs, if you would like to see all of the ones that you have created on your site, navigate in SmartTree to Administer Project Settings > Packages > Authorization Packages to see any General APs and to Administer Project Settings > Packages > Detailed Authorization Packages to see any Detailed APs.

You can edit any of these APs from this location (but not the Global AP), as well as remove the usage of particular APs from some or all of their locations in the site:

  1. Select one of the APs from the listing, and click "Edit Reference List" in the Action Menu.

    A new window appears, showing you all of the places where the AP is connected.

  2. If you want to disconnect the AP from any pages or elements, check the boxes next to them, and click the link to "Disconnect package from selected items."

  3. On the following page, confirm by clicking Yes. The AP will then be disconnected from whichever page(s) or element(s) you chose, but will still be connected elsewhere.




Keywords: reddot red dot wiscwebcms wisc web wiscweb cms content management system opentext open text authorization packages global detailed APs disconnecting connecting viewing GAPs
Doc ID: 12955
Owner: Ryan H.
Group: WiscWeb CMS
Created: 2009-12-27 19:00 CDT
Updated: 2014-12-02 12:34 CDT
Sites: DoIT Help Desk, WiscWeb CMS