Sitecore allow role to publish content in specific areas only - sitecore

I am trying to create a role within Sitecore which can publish content, but only within a specific area(s) of the site. I've added the standard Sitecore\Client Publishing role to my role, but I can't see how to prevent the role from being able to publish all areas of the site. I've looked at the Security editor and the Access viewer, but setting the write access of the sections only seems to affect the ability to edit those sections and has no effect on the ability to publish on those sections.

Workflow is the typical way this is handled. Giving roles access to approve (this could be called 'publish') content of certain sections of the content tree will be the best way to achieve what you are describing. Combine this with an auto-publish action to make it more user friendly.
One thing to keep in mind when using this method, though, is referenced items (for example, images from the media library that the content may be using). Take a look at the 'Publishing Spider' module on the shared source library: http://trac.sitecore.net/PublishingSpider
EDIT: Update
I recently discovered this setting in the web.config: "Publishing.CheckSecurity". If set to true, this setting will only publish items if the user has read + write on the item and will only remove items from the web DB if the user has delete permissions.

I had a similar situation once and I created roles per section which only had read and write to that section and nowhere else (let's say 'editor section 1') and another role which only had publishing permission for that section (let's say 'publisher section 1'). Then I added the 'editor section 1' role to the 'publisher section 1' role, which gives you a role for publishing only a specific section.
You do not need multiple workflows; the same workflow with multiple roles can also achieve this goal.

Answer to this is to set Publishing.CheckSecurity to true
You need to find this code inside web
<!-- PUBLISHING SECURITY
Check security rights when publishing?
When CheckSecurity=true, Read rights are required for all source items. When it is
determined that an item should be updated or created in the target database,
Write right is required on the source item. If it is determined that the item
should be deleted from target database, Delete right is required on the target item.
In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
Default value: false
-->
<setting name="Publishing.CheckSecurity" value="false" />
Set the value="true"
But again you have to govern the security tightly and assign user roles properly. If you fail to do so, you will experience buggy publishing.
Hope that will help

Related

GCP: Is it possible to have an access to a resource if don't have project access?

It is my first experience in Google Cloud Platform and I'm confused.
I've got an access to a resource:
xxx#gmail.com has granted you the following roles for resource resource_name(projects/project_name/datasets/ClientsExport/tables/resource_name) BigQuery Data Editor
But if I open BigQuery Data Editor, I don't see project_name and resource_name. Search by resource_name also returns no result.
Is this the only access that I have in the project (I didn't get any other accesses or mails)?
Could you please help me with this? Maybe I should get some additional access so that resource_name will be available? Or is there another way to find the resource?
Thank you in advance!
In the message you have access to BigQuery data inside a table. You can query them from your project; you are authorised to access them (and to write also, because you are editor).
However, this table isn't in your project, it's in another project; that's why you don't see it directly in the BigQuery console. In addition, you don't have the right to read the metadata (roles/bigquery.metadataViewer) on the dataset of the other project. Finally, you also can't view the table schema in the console, but the bq CLI allows you to view it.
I had some discussions with Google BigQuery team about that (because I got the same issue in my company), and updates should happen by the end of the year (or soon in 2022) to fix this "view" issue in the console.
It looks like you have IAM permission to access a specific resource in BigQuery but cannot access it from the GUI.
Some reasons you may not see access on your GUI:
You have permission to interact with BigQuery but don't have access to any of the data.
You aren't a member of the organization which provided the resources and they have higher level permissions (on the org level) which prevents sharing of resources outside of the org.
Your access is restricted to the command line/app level. (If your account is a service account then this is likely the case.)

GCP - Can we enforce a user to add labels while creating resources?

Is there any way to enforce the addition of labels while creating resources? If not, is there a way to automatically label resources when creating said resources in GCP?
My use case: I need this to investigate the price in Data Studio.
Thanks.
No, you can't enforce anyone to put labels on resources on GCP (same for projects). BUT you can enforce TAGs automatically by inheritance. (You can't oblige a user to use them, but by default there is a tag.)
The TAGs are still in preview and were named "label next gen" during the Alpha period. So, you can use them like labels, but you can enforce authorization on them (who can view/update/delete them). This feature is very interesting because today, anyone with admin/owner roles can update/change/delete labels and you lose control and monitoring of your resources.
You can also put IAM condition on them and enforce organization policies accordingly.
You can't enforce users to do so. However you can:
Create a log sink if a resource is created
Use that log sink to call a cloud function that will create an alert or give a default label
If you use infrastructure as code for example Terraform, you can put a CI/CD job that will check if a label is placed, and if not reject the PR.

Approver doesn't see Approval state items in Sitecore Workflow

I want to test out the Sample Workflow in Sitecore 8. This is what I have done so far:
Inserted the sample workflow in the standard values of the template
Created two test users: Test Editor and Test Approver
Created two roles: SubmitionRole and ApprovalRole
In Security Editor I assigned Read, Write access including the 3 workflow rights to the Draft state for the SubmitionRole role and assigned this role to Test Editor
In Security Editor I assigned Read, Write access including the 3 workflow rights to the Awaiting Approval and Approved states for the ApprovalRole role and assigned this role to Test Approver
Then I created an item from that template with the Test Editor and the item went into the Draft state. So I submitted the item in the Workbox.
Now when I log in with the Test Approver, there's nothing in the Workbox. I can see the Workflow and its Approval State in the Workbox, but there's nothing inside it. As admin I can see the item waiting in the Approval state.
Here is a screenshot of the Access Viewer for the Test Approver:
What am I missing here?
Ensure that your user/role has language read and write access to the relevant item languages located under /sitecore/system/Language. The Language Read and Language Write are a separate set of fields which you can expose in the Security Editor by selecting them from the "Columns" option. The content approval role needs both Language Read and Language Write on the relevant language items:
You don't need to assign Write access to the workflow state items (Awaiting Approval and Approved). This means that ApprovalRole is allowed to edit those items, not items in that state.
What you need to set is:
Workflow State Write for the Awaiting Approval state (controls whether or not a user can update items which are currently associated with a specific workflow state)
Workflow Command Execute for the commands below Awaiting Approval state which should be allowed for the role (controls whether or not a user is shown specific workflow commands)
Write access to the item itself (the one that was submitted from the Draft state to the Awaiting Approval state).
And that should be it.

Sitecore - Workbox security

In my Sitecore workbox, there are several workflow states being displayed. (Draft, Awaiting, Approved)
How can I restrict access to only one/a few (Draft) workflow states for a particular role (e.g. Junior Manager) in Sitecore?
(I'm using v6.5)
Yes, you can. To be able to see the various workflow states you'll need read access to that workflow state as well as write access to the item you want to approve/reject.
From the Workflow Cookbook (chapter 3.1 and 3.2):
3.1 The Content Editor and Workbox only display workflow commands for non-Administrator users when:
The user has write access to the associated item, and
The user has write access to the command's parent workflow state, and
The user has read access to the workflow command itself.
3.2 Users who have read access to a workflow state can see that state in their workbox as long as the state includes workflow commands for which they have command execute access rights. If business requirements state that a particular workflow state should be hidden from a given set of users, you can restrict access to that state for those users by:
Hiding all the workflow commands in the state from the users in question, or
Explicitly hiding the workflow state itself from the users in question.
To explicitly hide a workflow state:
Turn off the inheritance access right for the workflow state item and do not grant read access to the workflow state to the user and all the roles assigned to the user, or
Deny the user or one of the roles that the user is assigned read access to the workflow state item.

Sitecore Security Issue

We have different areas of our site that we have locked down to specific users. So for example, a user that is a member of the sitecore role 'UK_Editor' can see all other countries content (they only have read access). However, on the UK area they have full access.
The problem is, the user can still go to another country's content, and the 'publish' button is still available.
Is there a way to restrict this?
Sitecore v: 6.5.0
You could test out enabling the Publishing.CheckSecurity config setting; it should prevent users from being able to publish another site's content, with the correct roles applied.
<!-- PUBLISHING SECURITY
Check security rights when publishing?
When CheckSecurity=true, Read rights are required for all source items. When it is
determined that an item should be updated or created in the target database,
Write right is required on the source item. If it is determined that the item
should be deleted from target database, Delete right is required on the target item.
In summary, only the Read, Write and Delete rights are used. All other rights are ignored.
Default value: false
-->
<setting name="Publishing.CheckSecurity" value="true" />
You might be able to override the QueryState of the PublishItem class (in Sitecore.Shell.Framework.Commands)
Read this question for a bit more information.
You'll need to return CommandState.Hidden if you want the button to be hidden. You'll need to think of something smart to make sure they can all publish the content in their language, but not in someone elses.
[edit]
It might be possible to do something like if (Sitecore.Context.User.IsInRole("sitecore\\englisheditor") && context.Items[0].Language.Equals(Sitecore.Data.Managers.LanguageManager.GetLanguage("en"))) { return base.QueryState(context); }
Otherwise you can return CommandState.Hidden. I'm not entirely sure about the second part of the if statement though.
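An added example (not code from any of the answers above) of the QueryState override the answer describes: the Publish button is hidden unless the current user holds the role mapped to the selected item's content section, and the stock checks still run afterwards. The namespace, class name, role names, content paths and the Commands.config patch line are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Sitecore;
using Sitecore.Data.Items;
using Sitecore.Shell.Framework.Commands;

namespace MySite.Commands // hypothetical namespace
{
    // Replaces the stock item:publish command. Assumed registration via a
    // Commands.config patch (hypothetical assembly name):
    //   <command name="item:publish" type="MySite.Commands.SectionPublishItem, MySite" />
    public class SectionPublishItem : PublishItem
    {
        // Hypothetical mapping: role -> the content subtree that role may publish.
        private static readonly Dictionary<string, string> Sections =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { @"sitecore\UK_Editor", "/sitecore/content/UK" },
                { @"sitecore\FR_Editor", "/sitecore/content/FR" },
            };

        public override CommandState QueryState(CommandContext context)
        {
            // Administrators keep the default behaviour.
            if (Context.IsAdministrator)
                return base.QueryState(context);

            // The stock command acts on a single selected item; hide otherwise.
            if (context.Items == null || context.Items.Length != 1)
                return CommandState.Hidden;

            if (!UserMayPublish(context.Items[0]))
                return CommandState.Hidden;

            // Fall through to the stock checks (write access, item state, etc.).
            return base.QueryState(context);
        }

        // True when the item lies inside a section whose role the user holds.
        internal static bool UserMayPublish(Item item)
        {
            string path = item.Paths.FullPath;
            foreach (KeyValuePair<string, string> section in Sections)
            {
                bool inSection = path.Equals(section.Value, StringComparison.OrdinalIgnoreCase)
                    || path.StartsWith(section.Value + "/", StringComparison.OrdinalIgnoreCase);
                if (inSection && Context.User.IsInRole(section.Key))
                    return true;
            }
            return false;
        }
    }
}
```

Hiding the button is a UI measure only; the Publishing.CheckSecurity setting discussed above is what enforces read/write/delete rights at publish time, so use both.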
Take a look at the following blog post, it describes how to security control the UI items associated with publishing in the core database.
http://www.cognifide.com/blogs/sitecore/why-and-how-hide-publish-site-buttons-in-sitecore/