In my Sitecore workbox, there are several workflow states being displayed (Draft, Awaiting, Approved).
How can I restrict access to only one/few (Draft) workflow states for a particular role (e.g. Junior Manager) in Sitecore?
(I'm using v6.5)

Yes, you can. To be able to see the various workflow states you'll need read access to that workflow state as well as write access to the item you want to approve/reject.
From the Workflow Cookbook (chapters 3.1 and 3.2):
3.1 The Content Editor and Workbox only display workflow commands for non-Administrator users when:
  - the user has write access to the associated item, and
  - the user has write access to the command's parent workflow state, and
  - the user has read access to the workflow command.
3.2 Users who have read access to a workflow state can see that state in their workbox as long as the state includes workflow commands for which they have command execute access rights. If business requirements state that a particular workflow state should be hidden from a given set of users, you can restrict access to that state for those users by:
  - hiding all the workflow commands in the state from the users in question, or
  - explicitly hiding the workflow state itself from the users in question.
To explicitly hide a workflow state:
  - turn off the inheritance access right for the workflow state item and do not grant read access to the workflow state to the user and all the roles assigned to the user, or
  - deny the user, or one of the roles that the user is assigned, read access to the workflow state item.


Django role based permissions

I'm developing a huge application in Django and I need a permission system, and I assume that the native user/group permissions within Django are not sufficient. Here are my needs:
The application will be available through multiple departments. In each department there will be nearly the same actions. But maybe a user will be allowed to add a new team member in department A, while in department B he is only allowed to view the team list, and in the other departments he has no access at all.
I thought using an RBAC system would be most appropriate. Roles must also be inheritable, stored in a model and manageable through an interface. Any good ideas or suggestions? Regards
What you are looking for is called ABAC, aka Attribute-Based Access Control. It's an evolution of RBAC as an access control model. In RBAC, you define access control in terms of roles, groups, and potentially permissions. You then have to write code within your application to make sense of the roles and groups. This is called identity-centric access control.
In ABAC, there are 2 new elements:
attributes which are a generalization of groups and roles. Attributes are a key-value pair that can describe anyone and anything. For instance, department, member, and action are all attributes.
policies tie attributes together to determine whether access should be granted or denied. Policies are a human-friendly way of expressing authorization. Rather than write custom code in your app, you write a policy that can be centrally managed and reused across apps, databases and APIs.
There are a couple of ABAC languages such as XACML and ALFA. Using ALFA, I could write the following policy:
A user will be allowed to add a new team member in department A
In department B he is only allowed to view the team list
In the other departments he has no access at all.
Roles must also be inheritable, stored in a model and manageable through an interface.
policyset appAccess{
    apply firstApplicable
    policy members{
        target clause object == "member"
        apply firstApplicable
        /**
         * A user can add a member to a department if they are a manager and if they are assigned to that department.
         */
        rule addMember{
            target clause role == "manager" and action == "add"
            condition user.department == target.department
            permit
        }
    }
}
One of the key benefits of ABAC is that you can develop as many policies as you like, audit them, share them, and not have to touch your application code at all because you end up externalizing authorization.
There are several engines / projects that implement ABAC such as:
AuthZForce (a Java library for XACML authorization)
Axiomatics Policy Server (commercial product - disclaimer: I work there)
There are two components to this question:
First, role management. Roles can be achieved through group membership, i.e. departmentA_addMember & departmentB_listMembers. These groups would have corresponding permissions attached, e.g. "Member | Add" and "Member | View". A department in this context may have more resources included that require separate permissions. Django allows extending objects with custom permissions.
Second, inheritance. Do I understand you want to have individual groups being members of other groups? Then this is something Django would require you to implement yourself.
However, should you be looking for a really more complex authentication solution, it may be worthwhile to integrate with 3rd party services through, e.g., django-allauth. There are surely more/other solutions; just throwing in one name.

Sitecore Workbox

I am trying to set up some RSS feeds for our editors, so they can see items in certain workflows. We have three workflows: draft, awaiting approval and approved. However, in workbox we can only see awaiting approval and approved.
What would be the reason for this? I have the correct workflow ticked 'standard workflow'.
This is Sitecore 7.
From what I understood, you have a workflow called Standard Workflow and it has 3 states: "Draft", "Awaiting Approval" and "Approved". And in your workbox, you can only see "Awaiting Approval" and "Approved" states.
Workbox only shows states for which the user can execute any command. So e.g. if there is an Approve command in the Awaiting Approval state and your user has the appropriate access rights which allow you to execute that command, then you will see the Awaiting Approval state in your workbox. If the user cannot execute ANY command in a particular state, this state is hidden from the workbox.

Approver doesn't see Approval state items in Sitecore Workflow

I want to test out the Sample Workflow in Sitecore 8. This is what I have done so far:
Insert the sample workflow in the standard values of the template
Created two test users: Test Editor and Test Approver
Created two roles: SubmitionRole and ApprovalRole
In Security Editor I assigned Read, Write access including the 3 workflow rights to the Draft state for the SubmitionRole role and assigned this role to Test Editor
In Security Editor I assigned Read, Write access including the 3 workflow rights to the Awaiting Approval and Approved states for the ApprovalRole role and assigned this role to Test Approver
Then I created an item from that template with the Test Editor and the item went into the Draft state. So I submitted the item in the Workbox.
Now when I log in with the Test Approver, there's nothing in the Workbox. I can see the Workflow and its Approval State in the Workbox, but there's nothing inside it. As admin I can see the item waiting in the Approval state.
Here is a screenshot of the Access Viewer for the Test Approver:
What am I missing here?
Ensure that your user/role has language read and write access to the relevant item languages located under /sitecore/system/Language. The Language Read and Language Write are a separate set of fields which you can expose in the Security Editor by selecting them from the "Columns" option. The content approval role needs both Language Read and Language Write on the relevant language items:
You don't need to assign Write access to the workflow state items (Awaiting Approval and Approved). This means that ApprovalRole is allowed to edit those items, not items in that state.
What you need to set is:
Workflow State Write for the Awaiting Approval state (controls whether or not a user can update items which are currently associated with a specific workflow state)
Workflow Command Execute for the commands below Awaiting Approval state which should be allowed for the role (controls whether or not a user is shown specific workflow commands)
Write access to the item itself (the one that was submitted from the Draft state to the Awaiting Approval state).
And that should be it.

How to deal with deep level granularization with XACML in enterprise application

I am using WSO2 IS for authorization with XACML. I am able to achieve authorization for static resources. But I am not sure about the design when it comes to granularization.
Example: if I have a method like getCarDetails(Object User) where I should get only those cars which are assigned to this particular user, then how do I deal with this in XACML?
WSO2 provides support for a PIP where we can use custom classes which can fetch data from a database. But I am not sure if we should either make a copy of the original database at the PDP side or give the original database to the PIP to get updated with live data.
Because cars would be dynamic for the application, e.g. currently 10 cars are assigned to user Alice; suddenly a supervisor adds 20 more cars to her list, which will be in the application-level database. Then how will these other 20 cars be automatically assigned in the policy at the PDP level until it also has this latest information?
I may be making some mistake in understanding. But I am not sure how to deal with this, as in the whole application we can have lots of this kind of complex scenario where sometimes we will get data for one user from more than 4 or 5 tables; then how to handle that scenario?
Your question is a great one and the answer will highlight the key benefits of XACML and externalized authorization as a whole.
In XACML, you define generic, global rules, about what is allowed and what isn't using what I would call high-level attributes e.g. attributes of the vehicle (in your case) or the user (role, department, ...)
For instance a simple rule could be (using the ALFA syntax):
policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowSameRegion{
        condition user.region==car.region
        permit
    }
}
Both the user's region and the car's region are maintained inside the application's database. The values are read using a PIP or Policy Information Point (details here).
In your example, you talk about direct assignment, i.e. a user has been directly assigned to a vehicle. In that case, the rule would become:
policy viewCars{
    target clause actionId=="view" and resourceType=="car"
    apply firstApplicable
    rule allowAssignedVehicle{
        condition user.employeeId==car.assignedUser
        permit
    }
}
This means that the assigned user information must be kept somewhere, in the application database, a CSV file, a web service, or another source of information. It means that from a management perspective, an administrator would add / remove vehicles from a user's assigned list (or perhaps the other way around: add / remove assigned users from a vehicle's assigned user list).
The XACML rule itself will not change. If the supervisor adds 20 more cars to the employee's list (maintained in the application-level database), then the PDP will be able to use that information via the PIP and access will be granted or denied accordingly.
The key benefit of XACML is that you could add a second rule that would state a supervisor can see the cars he/she is assigned to (the normal rule) as well as the cars assigned to his/her subordinates (a new proxy-delegate rule).
This diagram, taken from the Axiomatics blog, summarizes the XACML flow:
HTH, let me know if you have further questions. You can download ALFA here and you can watch tutorials here.
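To show both answers' points in runnable form (the department policy from the Django question and the assigned-vehicle policy with a live PIP from this answer), here is an added example that is not part of the original answers and not a real XACML/ALFA engine such as AuthZForce, Axiomatics or WSO2 IS. It assumes a constructed APP_DB dict standing in for the application's own database; rule names mirror the ALFA rules above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed application data. The PDP keeps no copy; the PIP reads it live.
APP_DB = {
    "users": {"alice": {"employeeId": "e1", "roles": {"A": "manager", "B": "viewer"}}},
    "cars": {"car-1": {"assignedUser": "e1"}, "car-2": {"assignedUser": "e2"}},
}

def pip(category: str, key: str, attr: str) -> Optional[object]:
    """PIP: resolve an attribute missing from the request from the live database."""
    return APP_DB.get(category, {}).get(key, {}).get(attr)

@dataclass
class Rule:
    name: str
    effect: str                        # "permit" or "deny"
    target: Callable[[dict], bool]     # cheap match on request attributes only
    condition: Callable[[dict], bool]  # may call the PIP

def dept_role(req: dict) -> Optional[str]:
    """Per-department role: the ABAC form of 'manager in A, viewer in B, nothing elsewhere'."""
    return (pip("users", req["user"], "roles") or {}).get(req.get("department"))

def assigned_to_requester(req: dict) -> bool:
    """Guard against None == None: an unknown user must not match an unassigned car."""
    owner = pip("cars", req["resource"], "assignedUser")
    return owner is not None and owner == pip("users", req["user"], "employeeId")

# Mirrors rule addMember (policy members) and rule allowAssignedVehicle (policy viewCars).
POLICY_SET = [
    Rule("addMember", "permit",
         lambda r: r["resourceType"] == "member" and r["action"] == "add",
         lambda r: dept_role(r) == "manager"),
    Rule("viewMembers", "permit",
         lambda r: r["resourceType"] == "member" and r["action"] == "view",
         lambda r: dept_role(r) in ("manager", "viewer")),
    Rule("allowAssignedVehicle", "permit",
         lambda r: r["resourceType"] == "car" and r["action"] == "view",
         assigned_to_requester),
]

def decide(req: dict) -> str:
    """firstApplicable combining; no matching rule is NotApplicable, treated here as deny."""
    for rule in POLICY_SET:
        if rule.target(req) and rule.condition(req):
            return rule.effect
    return "deny"

def assign_car(car_id: str, employee_id: str) -> None:
    """A supervisor's assignment changes data only; the policy text is untouched."""
    APP_DB["cars"].setdefault(car_id, {})["assignedUser"] = employee_id
```

Calling assign_car and then decide again shows the point of the answer: the new car is visible to Alice without any policy change, because the PIP reads the current assignment at decision time.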

Sitecore allow role to publish content in specific areas only

I am trying to create a role within Sitecore which can publish content, but only within a specific area(s) of the site. I've added the standard Sitecore\Client Publishing role to my role, but I can't see how to prevent the role from being able to publish all areas of the site. I've looked at the Security editor and the Access viewer, but setting the write access of the sections only seems to affect the ability to edit those sections and has no effect on the ability to publish on those sections.
Workflow is the typical way this is handled. Giving roles access to approve (this could be called 'publish') content of certain sections of the content tree will be the best way to achieve what you are describing. Combine this with an auto-publish action to make it more user friendly.
One thing to keep in mind though using this method is referenced items (images from media library the content may be using for example). Take a look at the 'Publishing Spider' module on the shared source library
EDIT: Update
I recently discovered this setting in the web.config: "Publishing.CheckSecurity". If set to true, this setting will only publish items if the user has read + write on the item and will only remove items from the web DB if the user has delete permissions.
I had a similar situation once and I created roles per section which only had read and write to that section and nowhere else (let's say 'editor section 1') and another role which only had publishing permission for that section (let's say 'publisher section 1'). Then I added the 'editor section 1' role to the 'publisher section 1' role, which gives you a role for publishing only a specific section.
You do not need multiple workflows; the same workflow with multiple roles can also achieve this goal.
The answer to this is to set Publishing.CheckSecurity to true.
You need to find this code inside web
    <!-- Check security rights when publishing?
         When CheckSecurity=true, Read rights are required for all source items. When it is
         determined that an item should be updated or created in the target database,
         Write right is required on the source item. If it is determined that the item
         should be deleted from target database, Delete right is required on the target item.
         In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
         Default value: false -->
    <setting name="Publishing.CheckSecurity" value="false" />
Set the value="true".
But again, you have to govern the security tightly and assign user roles properly. Failing to do so, you will experience buggy publishing.
Hope that will help