Access Rights, Scope and Permissions in SDL Tridion and Recommendations

I have just set up a three-step Content Manager security system for content authors and would like to share some information that can be used as a cheat sheet.

When working with the SDL Tridion security system, there are three things to focus on:

  • Access Rights – Specify which tasks a CM user (or the members of a group) can perform in Content Manager. These tasks may include creating components/pages/categories/keywords, publishing to CD, workflow management, schema creation, etc.
  • Scope – Specifies which publications a CM user (or the members of a group) can view and explore.
  • Permission – Specifies whether a CM user (or the members of a group) has the Read, Write, Delete and Localize abilities on Building Block items.

To make things easier, you can also define a hierarchy of groups, since defining Rights, Scope and Permissions on a single group may lead to a lot of manual work. I have usually seen it done through 3-level group management:

  1. Choose an existing default group or create a new group – Assign it all the appropriate Access Rights as per your requirements
  2. Create a new group and make it a member of the group defined in step 1 above – Assign it the Scope of publications as per your need
  3. Create one or more new groups as per your need and make each a member of the group defined in step 2 above – Control the Permissions (Read, Write, Delete, Localize) and folder-level security through this group

Keep the following observations in mind:

Access Rights – The union across groups applies to members. For example, consider Group 1 and Group 2, where Group 2 is a member of Group 1: if Group 1 has rights to create components and Group 2 has rights to publish, the members of Group 2 will be able to create components as well as publish.

Scope – The intersection across groups applies to members. For example, considering the above case of Group 1 and Group 2: if Group 1 is set to have rights on Pub 1, Pub 2 and Pub 3 while Group 2 is set to have rights on Pub 2, the members of Group 2 will be able to see only the Pub 2 publication.

Permissions – The union across groups applies to members. For example, if Group 1 has permissions on Folder 1 and Group 2 has permissions on Folder 2, the members of Group 2 will have permissions on both Folder 1 and Folder 2.
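
The combination rules above, worked through as an added Python example (not part of the original post, and not using any SDL Tridion API): it models groups as plain data and computes what a member of a nested group effectively receives, plus a small audit check for rights inherited beyond an approved list. The specific permission values, the helper names and the treatment of an unset scope as "no restriction" are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    name: str
    rights: set = field(default_factory=set)         # e.g. {"create_component"}
    scope: Optional[set] = None                       # None = scope not set (assumed: no restriction)
    permissions: dict = field(default_factory=dict)   # folder -> {"read", "write", ...}
    member_of: Optional["Group"] = None               # parent group in the chain

def chain(group):
    """Yield the group and each ancestor, rejecting membership cycles."""
    seen = set()
    while group is not None:
        if group.name in seen:
            raise ValueError(f"membership cycle at {group.name}")
        seen.add(group.name)
        yield group
        group = group.member_of

def effective(group):
    """Combine settings along one membership chain:
    rights and permissions by union, scope by intersection."""
    rights, scope, perms = set(), None, {}
    for g in chain(group):
        rights |= g.rights
        if g.scope is not None:
            scope = set(g.scope) if scope is None else scope & g.scope
        for folder, p in g.permissions.items():
            perms.setdefault(folder, set()).update(p)
    return rights, scope, perms

def over_granted(group, approved_rights):
    """Rights a member effectively holds beyond an approved list."""
    return effective(group)[0] - set(approved_rights)

# Constructed data mirroring the Group 1 / Group 2 examples in the text.
group1 = Group("Group 1", rights={"create_component"},
               scope={"Pub 1", "Pub 2", "Pub 3"}, permissions={"Folder 1": {"read"}})
group2 = Group("Group 2", rights={"publish"}, scope={"Pub 2"},
               permissions={"Folder 2": {"read", "write"}}, member_of=group1)
group3 = Group("Group 3", member_of=group2)  # sets nothing itself; inherits everything

if __name__ == "__main__":
    print(effective(group2))
    print(over_granted(group2, {"publish"}))
```

Because rights and permissions only ever widen along the chain, the `over_granted` check is the useful one when reviewing a nested group: anything granted at the top level reaches every group below it.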

Director at Content Bloom India having 15+ years of experience in Software Development Life Cycle using AGILE, Iterative and RUP approaches. Experience in following: - CMS packages: SDL Tridion, Adobe Experience Manager (AEM), Sitecore, Umbraco, Kentico, and Alfresco - Search Engines: SOLR, AWS Cloud Search, Elastic Search - .NET Technologies: .NET & .NET CE Framework, ASP.NET, ASP.NET MVC, WCF, WinForms - Mobile Development: Android Native App, Windows Mobile App - Database: MS-SQL Server, MySQL - Program Management: JIRA, MS-Project, Trello - Design Tools: MS-Visio, StarUML - Infrastructure: Linux, Windows Server, AWS Have decent knowledge about Core Java, Spring MVC Instrumental in Application Architecture, Designing (HLD & LLD), Coding and deployment .NET applications (Web, Desktop, Mobile). Experience in following domain: - Digital Media & eCommerce - Travel & Hospitality - Aviation Industry - Education - Insurance - Automation - Automobile - Railways Education: Bachelor Degree in Computer Engineering and Post Graduate Diploma in Business Administration with specialization in Marketing

3 comments on “Access Rights, Scope and Permissions in SDL Tridion and Recommendations”
  1. Alvin says:

    Thanks for the quick summary, Pankaj. Scope is an intersection (subset) of the scopes along a given “chain” of Group membership scopes as you explained. A user can also get additional (union) access to other Publications through membership in a different Group (that has its own scope).

    The docs have an example with a Venn diagram explaining your scope example with an additional example for a user belonging to multiple groups that have different scopes:

    http://docs.sdl.com/LiveContent/content/en-US/SDL%20Tridion%20full%20documentation-v1/GUID-0029C005-6017-4301-96F2-DAC875BAE99E

  2. Pankaj Gaur says:

    Thanks for sharing this link Alvin, this is useful 🙂

  3. Ajay says:

    Crisp and clear, thanks Pankaj.
