I have just set up a three-step Content Manager security setup for content authors and would like to share some information that can be used as a cheat sheet.
While working with the SDL Tridion security system, there are three things to focus on:
- Access Rights – specify which tasks a CM user (or the members of a group) can perform in Content Manager. These tasks include creating components, pages, categories and keywords, publishing to Content Delivery, workflow management, schema creation, etc.
- Scope – specifies which publications a CM user (or the members of a group) can view and explore
- Permissions – specify whether a CM user (or the members of a group) has Read, Write, Delete and Localize ability on Building Block items
To make things easier, you can also define a hierarchy of groups, as defining Rights, Scope and Permissions on a single group may lead to a lot of manual work. I have usually seen this done through a 3-level group management:
- Choose an existing default group or create a new group – assign it all the appropriate Access Rights for your requirements
- Create a new group and make it a member of the group defined in step 1 above – assign it the publication Scope you need
- Create one or more new groups as needed and make them members of the group defined in step 2 above – control the Permissions (Read, Write, Delete, Localize) and folder-level security through these groups
The following observations need to be kept in mind:
Access Rights – the union of the groups applies to members. For example: consider Group 1 and Group 2, where Group 2 is a member of Group 1 – if Group 1 has the right to create components and Group 2 has the right to publish, the members of Group 2 will be able to create components as well as publish.
Scope – the intersection of the groups applies to members. For example: taking the above case of Group 1 and Group 2 – if Group 1 is scoped to Pub 1, Pub 2 and Pub 3 while Group 2 is scoped to Pub 2 only, the members of Group 2 will be able to see only the Pub 2 publication.
Permissions – the union of the groups applies to members. For example: if Group 1 has permissions on Folder 1 and Group 2 has permissions on Folder 2, the members of Group 2 will have permissions on both Folder 1 and Folder 2.
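To make the three rules concrete, here is a small Python model of how a user's effective Rights, Scope and Permissions resolve through a chain of nested groups. This is an added example for this post, not SDL Tridion's own code or API: the group names, publication names and folder names are constructed to mirror the Group 1 / Group 2 example above. It also goes one step beyond the post body and applies Alvin's observation from the comments (a user in several independent groups gets the union of the per-chain scopes) as an explicit, labelled assumption, and it assumes that a group whose scope is not set places no restriction on its chain, while a chain on which no group sets any scope yields no visible publication.

```python
"""
Added example: resolution of a Tridion CM user's effective Rights, Scope and
Permissions through nested group membership.  Illustrative model only, not
SDL Tridion's own API or data model.

Rules modelled (from the post):
  - Rights:      union of every group along a membership chain
  - Scope:       intersection of the scopes along a membership chain
  - Permissions: union, per folder, of every group along a chain
Assumptions (not stated in the post body):
  - a user in several independent groups gets the union of the per-chain
    results, including scope (Alvin's comment)
  - a group whose scope is None places no scope restriction on the chain;
    a chain on which no group sets a scope yields no visible publication
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Group:
    name: str
    rights: Set[str] = field(default_factory=set)
    scope: Optional[Set[str]] = None                 # publications; None = not set
    permissions: Dict[str, Set[str]] = field(default_factory=dict)  # folder -> {Read, ...}
    parents: List["Group"] = field(default_factory=list)


@dataclass
class Effective:
    rights: Set[str] = field(default_factory=set)
    scope: Set[str] = field(default_factory=set)
    permissions: Dict[str, Set[str]] = field(default_factory=dict)


def membership_chains(group: Group) -> List[List[Group]]:
    """Every chain from `group` up to a top-level group (leaf first)."""
    if not group.parents:
        return [[group]]
    return [[group] + rest for parent in group.parents for rest in membership_chains(parent)]


def resolve_chain(chain: List[Group]) -> Effective:
    """Apply the union / intersection / union rules along one chain."""
    eff = Effective()
    chain_scope: Optional[Set[str]] = None
    for g in chain:
        eff.rights |= g.rights                                   # Rights: union
        if g.scope is not None:                                  # Scope: intersection
            chain_scope = set(g.scope) if chain_scope is None else chain_scope & g.scope
        for folder, perms in g.permissions.items():              # Permissions: union
            eff.permissions.setdefault(folder, set()).update(perms)
    eff.scope = chain_scope if chain_scope is not None else set()  # assumption: unset = nothing visible
    return eff


def resolve_user(memberships: List[Group]) -> Effective:
    """Union of the per-chain results over all the groups a user belongs to."""
    total = Effective()
    for group in memberships:
        for chain in membership_chains(group):
            eff = resolve_chain(chain)
            total.rights |= eff.rights
            total.scope |= eff.scope                             # assumption: union across chains
            for folder, perms in eff.permissions.items():
                total.permissions.setdefault(folder, set()).update(perms)
    return total


# Constructed sample hierarchy mirroring the post's Group 1 / Group 2 example,
# plus an independent Group 3 for the multiple-membership case.
GROUP_1 = Group("Group 1", rights={"Create Component"},
                scope={"Pub 1", "Pub 2", "Pub 3"},
                permissions={"Folder 1": {"Read", "Write"}})
GROUP_2 = Group("Group 2", rights={"Publish"}, scope={"Pub 2"},
                permissions={"Folder 2": {"Read", "Write", "Delete"}},
                parents=[GROUP_1])
GROUP_3 = Group("Group 3", rights={"Create Page"}, scope={"Pub 3"})

if __name__ == "__main__":
    for members in ([GROUP_2], [GROUP_2, GROUP_3]):
        eff = resolve_user(members)
        print("member of", [g.name for g in members])
        print("  rights:     ", sorted(eff.rights))
        print("  scope:      ", sorted(eff.scope))
        print("  permissions:", {f: sorted(p) for f, p in sorted(eff.permissions.items())})
```

Running it for a member of Group 2 alone gives rights {Create Component, Publish}, scope {Pub 2} and permissions on both Folder 1 and Folder 2, exactly the three observations above; adding Group 3 as a second, independent membership widens the scope to {Pub 2, Pub 3} while the Group 1 / Group 2 chain still only ever contributes Pub 2. The practical check this encourages: when a user can see more publications than you expected, look for a second membership chain rather than for a misconfigured group in the first one.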
Thanks for the quick summary, Pankaj. Scope is an intersection (subset) of the scopes along a given “chain” of Group membership scopes as you explained. A user can also get additional (union) access to other Publications through membership in a different Group (that has its own scope).
The docs have an example with a Venn diagram explaining your scope example, with an additional example for a user belonging to multiple groups that have different scopes:
http://docs.sdl.com/LiveContent/content/en-US/SDL%20Tridion%20full%20documentation-v1/GUID-0029C005-6017-4301-96F2-DAC875BAE99E
Thanks for sharing this link, Alvin, this is useful 🙂
Crisp and clear, thanks Pankaj.