If you run several websites in one Sitecore instance and need to separate users between those sites, here is what we did.
On the one hand you need to separate users by site, so that a user only has access to the sites he has been granted permission for. On the other hand you may have different types of users (different functional permissions).
Let’s say we have 4 Websites.
And you have the requirement to give a certain group of users the following rights:
As you also have to maintain the different users, you want to work with roles and not assign rights directly to users. You also want to keep the number of roles to a minimum.
Concept 1: Creating one role per access and functionality (combined) (8 roles total)
Example: DE Content Editor Basic, DE Content Editor Advanced, NL Content Editor Basic, NL Content Editor Advanced, ...
Concept 2: Creating separate roles and aggregating them (14 roles total)
Example: Content Editor Basic; Content Editor Advanced, DE, NL, DE Content Editor Basic; DE Content Editor Advanced, NL Content Editor Basic, NL Content Editor Advanced,...
Concept 3: Creating one role per access and one role per functionality (separated) (6 roles total)
Example: Content Editor Basic, Content Editor Advanced, DE, NL, ...
So we decided on Concept 3, having separate roles for access and for functionality. This is the easiest to manage, and assigning 2 roles to a user is acceptable. The disadvantage mentioned above can be solved by giving such a person 2 user accounts.
Environment: I'm showing this on a clean Sitecore 8.1 Update 3 instance with the PowerShell module and SXA installed. Basically everything I show can also be done in older Sitecore versions (e.g. 7.2); SXA and the PowerShell module are not really used, but you will see that I organized the sites in a tenant. You don't have to use a tenant.
I will create 3 users as examples:
The following steps are explained in the chapters below:
1.1 Create the tenant using the insert options of the Content item in the Content Editor.
1.2 Give the tenant a name. As it groups my local MyBusiness sites, I call it "MyBusiness" ;-)
1.3 After pressing the "OK" button, a script creates all the necessary items. This may take a few minutes. If you see the screen below, everything was done successfully.
2.1 Create a site using the insert options from the tenant item.
2.2 Fill in your site name (how the site item will be named), the host (the host name you will use to call the site in the browser later), the virtual folder, and the language. If the needed language is not available, create it first through the Control Panel. Note: when using an SXA theme this can cause issues. This bug is promised to be fixed in SXA version 1.6.
Just so you know, on the Features tab you can select which features will or will not be available on your site. By default all are available.
On the Theme tab you can directly create a new theme that you will later use to change the styling of the site. I recommend creating a theme right here; otherwise only the default themes are available. The Wireframe theme will be preselected. In any case, this is not important for the roles ;-) Note: when using SXA themes, don't use dashes in the theme name. Switching the theme in the Experience Editor does not work up to SXA version 1.5; Sitecore has promised to fix that in SXA version 1.6.
On the Grid tab you can choose the CSS library that provides the grid. I chose "Bootstrap", but this is also not relevant for the role creation.
2.3 Repeat the site creation steps for all the sites you need.
I will create a Dutch test user up front so I can test my roles directly. If you remember, I wanted to create a couple of users for several test cases.
For now I will only create Ruud as a Dutch user. The other users can be created in the same way.
3.1 Open the User Manager from the Launchpad
3.2 Hit the "New" button in the upper left corner to create a new user
3.3 Fill in the user attributes. Make sure that the email address is valid, as it will also be used for the Forgotten Password functionality. When you are finished, hit the "Next" button.
3.4 As the roles to be assigned are not yet created, click the "Close" button.
3.5 Repeat those steps to create the users you need.
As access roles we wanted to create one role per site. As I created 4 sites:
I will also create 4 roles.
4.1 Open the Role Manager from the Launchpad
4.2 Create a new role
4.3 Enter a role name. If you will have several tenants and sites, you might want to think about a naming convention so your role names stay unique.
I selected the sitecore domain (the default). I'm not very familiar with the domain concept in Sitecore, but I think you can also create a domain per tenant and structure your roles that way. I'm not sure what happens to the role inheritance then.
We wanted to create two functional roles:
As Editor Advanced should have the same rights as Editor Basic, we create Editor Basic first so that the Editor Advanced role can inherit from it.
5.1.1 Open the Role Manager from the Launchpad (see 4.1)
5.1.2 Press the "New" button (see 4.2)
5.1.3 Type in a role name, e.g. "MyBusiness Editor Basic", and press the "OK" button.
5.1.4 Search for and select your newly created role
5.1.5 Click the "Member of" button to add Sitecore standard roles to your new role.
5.1.6 In the "Member of" dialog click the "Add" button to select and add roles.
5.1.7 In the "Add an Account" dialog search for "Author" and double-click "sitecore\Author" (the Sitecore standard authoring role)
5.1.8 Back in the "Member of" dialog you can hit the "Close" button
You have now created the role "MyBusiness Editor Basic" with the capabilities to log in and to create, update and delete content and media library items.
5.2.1 Open the Role Manager from the Launchpad (see 4.1), if it is not still open
5.2.2 Press the "New" button (see 4.2)
5.2.3 Type in a role name, e.g. "MyBusiness Editor Advanced", and press the "OK" button.
5.2.4 Search for and select your newly created role
5.2.5 Click the "Member of" button to add Sitecore standard roles to your new role.
5.2.6 In the "Member of" dialog click the "Add" button to select and add roles.
5.2.7 In the "Add an Account" dialog search for "MyBusiness Editor Basic" and double-click "sitecore\MyBusiness Editor Basic" (the newly created Basic Editor role)
5.2.8 Back in the "Member of" dialog click the "Add" button again to add a further role.
5.2.9 In the "Add an Account" dialog search for "Publish" and double-click the "sitecore\Sitecore Client Publishing" role.
5.2.10 Back in the "Member of" dialog you can hit the "Close" button
You have now created the role "MyBusiness Editor Advanced" with the
Please note: why am I wrapping Sitecore standard roles in custom roles? This may look odd, and in the case we are building it makes no difference. But as time passes there will be additional requirements for the editors to be able to do this or that, or to restrict access. This way you can easily adjust the rights of a whole group of people in your organisation without changing hundreds of users.
Now that we have at least Ruud as a user, the functional role "MyBusiness Editor Advanced" and the access role "MyBusinessInNetherlands NL", we can assign the roles to the user. This lets us log in to Sitecore as Ruud in a separate private browser window in parallel, to check the changes we will make next in the Security Editor (see Chapter 6). By the way, changes applied in the Security Editor take effect immediately in Ruud's user session.
6.1 Open the User Manager from the Launchpad (see 3.1)
6.2 Search for your user, e.g. "Ruud"
6.3 Double-click the user to open the "Edit User" screen
6.4 Switch to the "Member of" tab and hit the "Edit" button
6.5 Search for the role you want to assign, e.g. "MyBusinessInNetherlands NL", and double-click it. It should be shown on the right side as "Selected Role". Afterwards click the "OK" button. Once you are back in the "Edit User" screen, click the "OK" button there as well.
6.6 Also assign the created functional role, e.g. "MyBusiness Editor Advanced", to the user, e.g. "Ruud". This is necessary, as you cannot log in to Sitecore without a functional role.
6.7 Repeat those steps for any other users and roles you have created and want to assign.
7.1 Open the Role Manager from the Launchpad
7.2 Click the "New" button and enter a role name, e.g. "Language nl NL". I don't add the tenant prefix, as I can reuse this role for any tenant and any site.
7.3 Click "OK" to confirm.
7.4 Select your newly created language role. If it is not shown in the roles window, search for it. Once it is selected, open the Security Editor.
7.5 In the Security Editor navigate to "System --> Languages"
7.6 Select the "Languages" item and open the "Assign" dialog
7.7 In the "Assign Security Rights" dialog allow inheritance for the item and deny inheritance for descendants
7.8 Click "OK" to confirm. You have now denied access to all language versions.
7.9 Navigate to "System --> Languages --> nl-NL" and open the "Assign" dialog
7.10 In the "Assign Security Rights" dialog allow "Read" access for the item
7.11 Click "OK" to confirm. You have now granted back the right to work with Dutch language versions.
7.12 Add this newly created role to the site-specific role "MyBusinessInNetherlands NL".
As I have already created "Ruud", the Dutch user (see Chapter 3), and assigned the Dutch access role and the functional role to him (see Chapter 6), I will log in with that user in a private browser window to see the results of the changes I make in the Security Editor.
In the Security Editor you can see and edit the rights on items for a particular role or user. It is best practice not to assign rights directly to users, to keep the system maintainable and to be able to pass the same set of rights on to other users.
So once you select an account (user or role), you can browse the item structure in the content tree and see all the access rights that are set.
The rights can have three states:
The right is not explicitly set. The default is therefore "access denied".
The right is explicitly granted.
The right is explicitly denied. This should be avoided.
Important to know: if you assign several roles to a user and those roles affect the same items, the security settings are combined. A "deny" always wins against "granted" or "not selected".
A "granted" always wins against "not selected".
"Not selected" only applies if it is not overridden by other rights.
To assign rights you have to select an item and hit the "Assign" button in the ribbon.
For the selected role on the selected item you can grant or deny individual rights, e.g. Read, Write, Rename, ...
Besides that you have two columns: you grant or deny rights on the item itself and/or on the descendant items.
You can also break inheritance on the item or on the descendants. And this is exactly what we have to do in order to grant and deny rights in a way that can be combined with other roles.
So, let’s start…
8.1 Let's log in with Ruud's account and see what he sees at the moment (Ruud has been assigned the role "MyBusinessInNetherlands NL", which has no rights set yet, and the role "MyBusiness Editor Advanced"). After login he sees the limited Launchpad.
In the Content Editor, Ruud sees all tenants and all sites but cannot add pages. We will adjust this now.
8.2 Search for your newly created access role, e.g. "MyBusinessInNetherlands NL", select it and open the Security Editor.
8.3 Security Editor
After opening the Security Editor, the account you want to edit (role: MyBusinessInNetherlands NL) should be preselected.
Now we need to make sure that a user with a certain role can only access certain things, i.e. only the content the user is meant to work on.
If I look at the tree, the users for the Dutch site should only have access to:
But when combining a Dutch and e.g. a German role, the user should have access to both.
8.4 MyBusiness Tenant
8.4.1 Select the tenant node "My Business" and click the "Assign" button in the ribbon.
8.4.2 Break the inheritance for descendants. This ensures that you only see the sites below the tenant that you are explicitly granted.
8.4.3 If you have already created other tenants, break the inheritance for the item and the descendants there too.
Note: if you don't want to do that for each site access role, you can also set those rights on a separate role (e.g. "MyBusiness Tenant Access") and let the site access roles inherit from it. In this example we don't do that.
If you now check what "Ruud" sees, it should look like this.
8.6 MyBusinessInNetherlands-NL site
Now we take care of granting rights for the Dutch site.
8.6.1 Select the site "MyBusinessInNetherlands-NL" and click the "Assign" button. Grant the "Read" right on the item and the "Read", "Write", "Rename", "Create" and "Delete" rights on the descendants.
8.7 Take away rights that are not necessary
In case you don't want to delete the "Home" item below "Content" that is created by the standard installation, you can deny access to it.
8.7.1 To do so, select the "Home" node in the Security Editor, click the "Assign" button in the ribbon and deny Read access on the item.
You can now check what "Ruud" sees.
This looks quite OK for now.
The same basic steps you applied for the access role can also be applied to the Media Library: break inheritance and allow access to the media library folder that the editors of the website should use.
The same basic steps you applied for the access role can also be applied to the Marketing Center: break inheritance and allow access to the Marketing Center folder of each area (Goals etc.) that the editors of the website should use. Please note that the Marketing Center has some issues when you divide it for a separated multi-site approach. Some areas do not provide folder items that you can use to separate per site. Also the Web Forms for Marketers wizard that lets you create goals does not consider multi-site support; it will create the goals in the root node of Goals.
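The same procedure scripted with Sitecore PowerShell Extensions, as an added example that is not part of the original post: the functional roles of chapter 5, the language role of chapter 7 and the tenant and site rights of chapter 8, for two of the sites. It assumes the SPE cmdlets Test-Account, New-Role, Add-RoleMember, New-ItemAcl and Add-ItemAcl, a tenant item at master:\content\MyBusiness, the Dutch names used above, German names built in the same pattern, and that "*" is the access right name behind the inheritance checkbox of the Security Editor.

```powershell
# Added example (not from the original post): Concept 3 roles and rights via SPE cmdlets.
# Assumed: tenant path, German site/role names and "*" as the inheritance access right.
$tenantPath = "master:\content\MyBusiness"
$sites = @{                                  # access role name -> site item name and language
    "MyBusinessInNetherlands NL" = @{ Item = "MyBusinessInNetherlands-NL"; Lang = "nl-NL" }
    "MyBusinessInGermany DE"     = @{ Item = "MyBusinessInGermany-DE";     Lang = "de-DE" }
}

function Get-OrCreateRole([string]$name) {
    # Roles live in the sitecore domain (chapter 4); skip creation if the role already exists
    $id = "sitecore\$name"
    if (-not (Test-Account -Identity $id)) { New-Role -Identity $id | Out-Null }
    return $id
}

function Add-Rule([string]$path, [string]$identity, [string]$right, [string]$scope, [string]$permission) {
    # $scope: Entity (the item) or Descendants; $permission: AllowAccess, DenyAccess or DenyInheritance
    $acl = New-ItemAcl -Identity $identity -AccessRight $right -PropagationType $scope -SecurityPermission $permission
    Add-ItemAcl -Path $path -AccessRules $acl
}

# Chapter 5: functional roles. A role that is a member of another role receives that role's rights.
$basic    = Get-OrCreateRole "MyBusiness Editor Basic"
$advanced = Get-OrCreateRole "MyBusiness Editor Advanced"
Add-RoleMember -Identity "sitecore\Author" -Members $basic                       # 5.1.7
Add-RoleMember -Identity $basic -Members $advanced                                # 5.2.7
Add-RoleMember -Identity "sitecore\Sitecore Client Publishing" -Members $advanced  # 5.2.9

foreach ($accessName in $sites.Keys) {
    $site   = $sites[$accessName]
    $access = Get-OrCreateRole $accessName

    # Chapter 7: language role. Inheritance on the Languages item itself stays allowed (the default);
    # only the descendants are cut off, then the one needed language is granted back.
    $langRole = Get-OrCreateRole ("Language " + $site.Lang.Replace("-", " "))
    Add-Rule "master:\system\Languages" $langRole "*" Descendants DenyInheritance           # 7.7
    Add-Rule "master:\system\Languages\$($site.Lang)" $langRole "item:read" Entity AllowAccess  # 7.10
    # 7.12: the access role becomes a member of the language role and so inherits the language right
    Add-RoleMember -Identity $langRole -Members $access

    # Chapter 8: breaking inheritance below the tenant hides every site that is not granted explicitly,
    # so a second site's access role can add its rights without conflicts.
    Add-Rule $tenantPath $access "*" Descendants DenyInheritance                            # 8.4.2
    Add-Rule "$tenantPath\$($site.Item)" $access "item:read" Entity AllowAccess              # 8.6.1
    foreach ($right in "item:read", "item:write", "item:rename", "item:create", "item:delete") {
        Add-Rule "$tenantPath\$($site.Item)" $access $right Descendants AllowAccess
    }
    Add-Rule "master:\content\Home" $access "item:read" Entity DenyAccess                   # 8.7.1
}
```

Run it in the SPE Console or ISE of the instance, then log in as Ruud as in 8.1 to compare what he sees with the screenshots.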
Now, if you created the users below with the respective roles, you can check whether they work correctly.
User Name: Moritz
Purpose: Editor Basic on MyBusinessInGermany.de
User Name: Stefan
Purpose: Editor Advanced on MyBusinessInGermany.de
User Name: Ruud
Purpose: Editor Advanced on MyBusinessInNetherlands.nl
User Name: Razvan
Purpose: Editor Advanced on MyBusinessInRomania.ro
User Name: Klara
Purpose: Editor Advanced on MyBusinessInGermany.de and MyBusinessInAustria.at
User Name: Paula
Purpose: Editor Advanced on MyBusinessInGermany.de and Editor Basic on MyBusinessInAustria.at (will fail by design ;-) )
In SXA you can also create roles per site and tenant using an out-of-the-box script. It basically uses Concept 1 (see above). This is fine if you run single independent sites. If you run several sites with the same purpose but, e.g., in different geographic locations, the described concept is easier to maintain. That's why I described this way.
Furthermore SXA comes with some roles in the SXA domain. If you want your editors to use the Toolbox provided with SXA, you have to assign the SXA/Author role to your functional role. I'm not sure whether a division by publishing rights is then possible.