Developer forum

Forum » CMS - Standard features » New permissions model and inheritance

New permissions model and inheritance

E-mail notifications
Scott Forsyth Dynamicweb Employee
Scott Forsyth
Reply
Posted on 17/05/2019 18:14:16

Hello,

I have a content page structure like the following:

  • Internal Reports
    • Sales Reps
    • Management

On the Internal Reports folder, we have locked it down to people in the SalesReps and Management folders. We want both SalesReps and Management people to see the Sales Reps folder. But, we only want the management team to see the Management folder. And, we don't want customers to see the Internal Reports folder.

The problem is that if we grant SalesReps and Management permissions to the Internal Reports folder, we have to remove it again on the Management folder. But, the backend doesn't let us simply remove it. We have to set SalesReps with the None permission. The problem is that many people in management are both a manager and a sales rep. So, it's essentially blocking some management people from seeing the management folder because they, also as a sales rep, are denied access to the Management folder.

Is there a standard way to deal with this inheritance? Essentially, I would like to remove the SalesRep permission from the Management folder rather than denying permission. Or, set the permission on the Internal folder to not inherit to its children.

Thanks,

Scott


Replies

 
Alexey Tanchenko Dynamicweb Employee
Alexey Tanchenko
Posted on 29/05/2019 08:20:37
Reply
This post has been marked as an answer

Hello,

As per documentation you cannot interrupt permissions inheritance by removing them. You only can change the permission level for children objects.
Also if you set "None" permission level for some object (page, folder, area) it will have highest priority even if the user also have other access level (e.g. Edit) for the object which is set up on his another group.

To solve your issue you can create a new common user group e.g. "Employees" which is contain all users from "Sales Reps" and "Management" groups. Then you can exclude managers from "Sales Reps" group and your permissions set up should work as you expected.

BR Alexey.

Votes for this answer: 1
 
Scott Forsyth Dynamicweb Employee
Scott Forsyth
Posted on 30/05/2019 04:56:46
Reply

Hi Alexey,

Good idea! That sounds like the right solution for this. I do that.

Thanks,

Scott

 
Scott Forsyth Dynamicweb Employee
Scott Forsyth
Posted on 20/06/2019 17:14:32
Reply

Just an update on this, maybe for my own a sake in the future. When implementing it, I realized that we still have an inheritance issue. By granting a group permissions to the "Internal Reports" folder, the folders underneath are still granted access through inheritance.

So there are 3 options that I see:

  1. We have the reports live in a different folder that isn't directly under "Internal Reports" so that the Management report doesn't have any inherited permissions to worry about. It could be a more ugly URL, but it would work.
  2. Create a smart search for the Deny part (In Sales Reps group but not in Management Group). Add the deny permission on the report page.
  3. Have the platform support a remove inheritance option so that every folder can start fresh if it needs to.

#3 is ideal, but we'll need that in the platform. I implemented this using #2, so that worked for now.

Scott

 

You must be logged in to post in the forum