How do I use role-based security against content?
You can configure a Cloud CMS project to provide precise, role-based access to content types and content instances. Let's take a look at an example of how this is done!
Suppose that you have three users - Jim, Dwight and Michael - and two content types (my:article and my:news). We would like things to work like this:
- Michael is the boss. He is allowed to view, create, edit and delete content of all types.
- Dwight is a worker. He is allowed to view, create, edit and delete content of type "my:article".
- Dwight is allowed to view content of type "my:news".
- Dwight may also be allowed to view, create, edit and delete other instances of content if so deemed by Michael.
- Jim is a reviewer. He is allowed to view content of type "my:article" but nothing else.
To accomplish this, we really just need to make sure that these three users have the correct roles against the underlying content. The roles we need to think about are:
- Consumer - Gives someone "read" rights to a content instance.
- Manager - Gives someone full rights to a content instance.
We also need to create two custom roles:
- Content Type Consumer - Gives someone "read" rights to all instances of a content type.
- Content Type Collaborator - Gives someone "view", "create", "update" and "delete" rights to all instances of a content type.
Let's get started!
Create Two Content Types + a few Content Instances
For the purposes of this example, you'll need to create two content type definitions. We will use "my:article" and "my:news" but you're free to change this if you want. You'll also want to create a few content instances of each type so that you have something to play with.
Change the default Project Users team policy
To begin, go to the existing Project Users team and click on Properties. Check the box for "Manage Node permissions independently" and Save. By doing so, you tell Cloud CMS to put a Team Policy in place so that the team's Consumer role no longer flows down onto content nodes. Instead, you'll manage node permissions independently. If you skip this step, every member of Project Users keeps Consumer (read) rights on every node, so Jim and Dwight would be able to read content of both types no matter what you grant on the definitions.
Create the Custom Roles
Go under Roles and create two custom Roles - Content Type Consumer and Content Type Collaborator. The permissions for each should be set up as follows:
- The Content Type Consumer role should grant the "Read with Definition" permission.
- The Content Type Collaborator role should grant the "Create with Definition", "Read with Definition", "Update with Definition" and "Delete with Definition" permissions.
Set up Teams
Add Michael to the existing Project Managers team. He's a boss after all. That way, he will have Manager rights to everything in the project and this will also give him the desired capabilities against the content types.
The other two guys, Jim and Dwight, will both be unable to see any content at this point. This is because we changed the policy of the Project Users team above. The Project Users team therefore says nothing about which content instances and types those two can work with. Instead, we need to grant them rights one by one.
Jim the Reviewer
Jim is fairly straightforward to set up. He needs to be able to "read" content instances of type "my:article".
- Go to Definitions > my:article and then click on Authorities. Grant Jim the "Content Type Consumer" role against the "my:article" definition.
This permits Jim to "view" any "my:article" content items.
Dwight the Worker
Dwight needs to be given Collaborator rights to content instances of type "my:article" and he needs to be a Consumer for "my:news".
- Go to Definitions > my:article and click on Authorities. Grant Dwight the "Content Type Collaborator" role against the "my:article" definition.
This permits Dwight to "create, read, update or delete" any "my:article" content items.
- Go to Definitions > my:news and click on Authorities. Grant Dwight the "Content Type Consumer" role against the "my:news" definition.
This permits Dwight to "view" any "my:news" content items.
Finally, let's give Dwight a one-off ability to "create, read, update or delete" a specific "my:news" instance.
- Go to Content and click on News. Then pick one of your News content instances.
- Under Authorities, grant Dwight the Manager role on the document. (Consumer would only give him "read", which he already has through the definition; Manager is what gives him full rights on this one instance.)
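To check that the grants above actually produce the access matrix we want, here is a small model of how rights at the three levels (team, content-type definition, content instance) combine into an effective permission set. This is an added example written for this page; it is not Cloud CMS code and does not call the Cloud CMS API. The user names, node ids and the shorthand action names ("create", "read", "update", "delete") are constructed for the example, and the rule that the three levels are simply unioned is this model's assumption that mirrors the behaviour the page describes. The `manage_nodes_independently` switch lets you see what happens if the Project Users team policy is left at its default.

```python
from dataclasses import dataclass, field

# Each role is a set of permissions. Consumer and Manager follow the page's
# description; the two custom roles carry the "with Definition" permissions
# you configure above. Action names are this example's shorthand, not Cloud CMS
# permission identifiers.
ROLES = {
    "Consumer": {"read"},
    "Manager": {"create", "read", "update", "delete"},
    "Content Type Consumer": {"read"},
    "Content Type Collaborator": {"create", "read", "update", "delete"},
}


@dataclass(frozen=True)
class Node:
    node_id: str
    type_qname: str  # e.g. "my:article"


@dataclass
class Project:
    teams: dict = field(default_factory=dict)             # team -> set of users
    team_node_role: dict = field(default_factory=dict)    # team -> role applied to every node, or None
    definition_grants: dict = field(default_factory=dict) # type qname -> {user: role}
    node_grants: dict = field(default_factory=dict)       # node id -> {user: role}

    def grant_on_definition(self, qname, user, role):
        self.definition_grants.setdefault(qname, {})[user] = role

    def grant_on_node(self, node_id, user, role):
        self.node_grants.setdefault(node_id, {})[user] = role

    def permissions(self, user, node):
        """Effective rights: union of team-level, definition-level and instance-level grants."""
        perms = set()
        for team, members in self.teams.items():
            role = self.team_node_role.get(team)
            if user in members and role:
                perms |= ROLES[role]
        role = self.definition_grants.get(node.type_qname, {}).get(user)
        if role:
            perms |= ROLES[role]
        role = self.node_grants.get(node.node_id, {}).get(user)
        if role:
            perms |= ROLES[role]
        return perms

    def can(self, user, action, node):
        return action in self.permissions(user, node)


# Constructed sample content: one article and two news items.
NODES = (
    Node("article-1", "my:article"),
    Node("news-1", "my:news"),
    Node("news-2", "my:news"),
)


def example_project(manage_nodes_independently=True):
    """Build the project exactly as the steps above configure it (hypothetical data)."""
    p = Project()
    p.teams = {
        "Project Managers": {"michael"},
        "Project Users": {"michael", "dwight", "jim"},
    }
    p.team_node_role = {
        "Project Managers": "Manager",
        # With "Manage Node permissions independently" checked, the Project Users
        # team's Consumer role no longer flows onto content nodes.
        "Project Users": None if manage_nodes_independently else "Consumer",
    }
    p.grant_on_definition("my:article", "jim", "Content Type Consumer")
    p.grant_on_definition("my:article", "dwight", "Content Type Collaborator")
    p.grant_on_definition("my:news", "dwight", "Content Type Consumer")
    p.grant_on_node("news-1", "dwight", "Manager")  # the one-off instance grant
    return p


def readable(project, user):
    """Node ids the user would get back from a search, in NODES order."""
    return [n.node_id for n in NODES if project.can(user, "read", n)]


def access_matrix(project):
    return {
        user: {n.node_id: sorted(project.permissions(user, n)) for n in NODES}
        for user in ("michael", "dwight", "jim")
    }


if __name__ == "__main__":
    for user, row in access_matrix(example_project()).items():
        print(user, row)
    # Skipping the team policy change leaks read access to everything:
    print("jim with default Project Users policy:", readable(example_project(False), "jim"))
```

Running it prints the matrix you expect from the steps above: Jim reads only `article-1`, Dwight reads all three but can only update or delete `article-1` and the one news item he was granted Manager on, and Michael can do everything. Flip `manage_nodes_independently` to `False` and Jim suddenly reads both news items, which is the misconfiguration the Project Users team policy step prevents.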
Try it Out!
You should now be able to log in as Jim. You'll notice that Jim is unable to view content that isn't of type "my:article". This may render some of his views of the content repository fairly limited. For example, if he searches for content, the only content items that will come back will be those of type "my:article". Also, under the Content page, the only content type that will appear is "Article".
You should then be able to log in as Dwight. Like Jim, Dwight will be constrained in terms of what he can view. He will be able to view Articles and News items. However, Dwight will also be able to create, update or delete Articles.
As a one-off special case, Dwight will also be able to update or delete the specific news item that you granted him access to. Cloud CMS allows you to assign ACLs at a team level, a content-type level and also a content-instance level.
Finally, if you log in as Michael, you'll be able to see and work with everything. A privilege reserved, of course, for the World's Best Boss.