
  • Simon Dingley 1470 posts 3427 karma points c-trib
    Jan 20, 2023 @ 07:30
    Simon Dingley
    0

    Remove publish permissions for user group on parent node but allow on all descendants

    In all my years working with Umbraco I've had very little need to configure granular permissions on individual nodes but have a project that has been around for many years which is a multi-site installation with a diverse and growing team of editors.

    Take the following example:

    Content
      |- Container
        |- Home
          |- Node 1
          |- Node 2
          |- Node 3
    

    As a simplified example, there is a User Group called Publishers and those users can publish any node except for Container. The problem lies in the fact that removing the Publish permissions on Container then removes publish permissions on all descendants of that node too. So, I thought, adding explicit Publish permissions on the Home node would break the inheritance and override the removal of publish rights on the Container, but it does not!

    Any ideas on how this can be achieved in the UI? I know I can handle the publish event and cancel it if the user is not in the required user group but this takes control out of the hands of the admins and it should really be achievable in the UI.

    Am I missing something? Any other ideas on how to achieve this?

  • Luuk Peters 82 posts 322 karma points
    Jan 26, 2023 @ 15:32
    Luuk Peters
    1

    The permissions on Umbraco are really basic and in my opinion one of the few major flaws and downsides in Umbraco. If Umbraco wants to be serious and grow into the enterprise CMS they want to be, they should really improve in this.

    Because I'm thinking about creating a package for better permissions I recently checked how the current functionality works. As far as I can tell, it's this:

    • The start node obviously tells the user group what part of the tree is visible.

    • You set access rights on a user role. Those are the general rights, like: can you delete, can you publish. These access rights are saved at the role level.

    • You can set individual access rights on a certain node. These access rights apply only to this node and completely override the 'general' access rights on the user role.

    So there is no inheritance; you only have the option to override the general rules on a node level. There is also no way to revoke or apply 'deny' rights once they've been given by using inheritance. It's also not possible to say something like: don't allow this node to be deleted, but it's ok for its children.

    So to come back to your example: setting explicit rights on the home node will ONLY apply to the home node. All nodes that have nothing explicitly set will have the general access rights.

    It's odd though that removing the publishing rights from a specific node would cause the child node also not to be publishable, because that doesn't agree with what I just said ;) Not sure how to fix that to be honest.
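
The reply above describes an override-only model, while the question reports behaviour that looks like inheritance. As an added example (not part of the thread and not Umbraco's implementation), the sketch below models both resolution rules on the tree from the question so an admin can compare each prediction with what the back office actually does; the group default, permission names and function names are assumptions.

```python
# Added illustration: toy models of node-permission resolution, not Umbraco code.
# Tree from the question, stored as child -> parent.
PARENT = {"Container": "Content", "Home": "Container",
          "Node 1": "Home", "Node 2": "Home", "Node 3": "Home"}

# Assumed default permission set for the "Publishers" group (names are made up).
GROUP_DEFAULT = frozenset({"browse", "update", "publish"})


def path_to_root(node):
    """Yield node, then each ancestor up to the root."""
    while node is not None:
        yield node
        node = PARENT.get(node)


def override_only(node, explicit):
    """Model described in the reply: an explicit set applies to that node only."""
    return explicit.get(node, GROUP_DEFAULT)


def nearest_ancestor(node, explicit):
    """Alternative model: the closest explicit set on the path to root wins."""
    for n in path_to_root(node):
        if n in explicit:
            return explicit[n]
    return GROUP_DEFAULT


def can_publish_table(model, explicit):
    """Map every node in the tree to whether 'publish' is effective under model."""
    nodes = ["Content", *PARENT]
    return {n: "publish" in model(n, explicit) for n in nodes}


# Configuration A: Publish removed on Container only.
CONFIG_A = {"Container": GROUP_DEFAULT - {"publish"}}
# Configuration B: as A, plus Publish granted explicitly on Home.
CONFIG_B = {**CONFIG_A, "Home": GROUP_DEFAULT}

if __name__ == "__main__":
    for name, cfg in (("A", CONFIG_A), ("B", CONFIG_B)):
        for model in (override_only, nearest_ancestor):
            print(name, model.__name__, can_publish_table(model, cfg))
```
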

  • Simon Dingley 1470 posts 3427 karma points c-trib
    Mar 07, 2023 @ 10:46
    Simon Dingley
    0

    It does indeed seem quite messy, counter-intuitive and inconsistent. Thanks for the detailed response and your observations.
