0
votes

For example, there are 2 extranet roles in Sitecore, Role1 and Role2. Role1 blocks access to an item, Role2 allows access.

I need behavior that reverses the default Sitecore behavior:

5.3 How Access Rights Affect Each Other

In Sitecore, every user and role can be a member of several roles. When a security account has been assigned several roles, the access rights that the different roles possess are added together. The security account is therefore assigned the accumulated access rights of all the roles that it is a member of. However, if a security account is assigned two roles and one of the roles is denied a specific access right to an item and the other role is granted this access right to the same item, the access right is denied for this security account. In other words, deny always overrules grant when access rights are accumulated.

Is it possible to do this via some Sitecore settings, etc.?

Thanks.

1 Answer

3
votes

What is the behaviour you want then? If someone has both Role 1 and Role 2, do you want that person to see it?

In that case you'll be better off removing inheritance on Role 1 instead of denying access. Denying access basically tells Sitecore to start over from a specific point. Role 2 can then get the access again.

Have a read through this: Best Practices from TheClientView. The very first example sounds like what you're trying to achieve:

There is a role A that denies a write access to a “/home/contact us” item. There is a role B that allows write access to the item. There is a user AB that should have power of both roles A and B. But due to explicit deny permission on the item, the user won’t be able to get write access on it. When you break the security inheritance it sets permissions into default deny state, which could be overridden, by setting up explicit allow access on a role. But explicit deny access can never be overridden by explicit allow access.
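The difference between the two setups discussed above, as a small Python model added here (it is not Sitecore code and not part of the original posts). Roles A and B and the "/home/contact us" item follow the quoted example; the write grant for A on /home, the tree itself and the per-role resolution order are assumptions of this sketch.

```python
# Simplified model of the access rules quoted above; not Sitecore code.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Perm(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass
class Item:
    path: str
    parent: Optional["Item"] = None
    explicit: dict = field(default_factory=dict)  # role -> Perm set on this item
    no_inherit: set = field(default_factory=set)  # roles with inheritance broken here


def role_decision(item, role):
    """Walk up the tree; return the nearest explicit Perm for one role, else None."""
    node = item
    while node is not None:
        if role in node.explicit:
            return node.explicit[role]
        if role in node.no_inherit:
            return None  # default deny state: unset, not an explicit deny
        node = node.parent
    return None


def can_write(item, roles):
    """Accumulate role decisions: any explicit deny wins, otherwise any allow grants."""
    decisions = {role_decision(item, r) for r in roles}
    return Perm.DENY not in decisions and Perm.ALLOW in decisions


def scenario(explicit_deny):
    """Build the constructed tree and evaluate users A, B and AB on 'contact us'."""
    home = Item("/home", explicit={"A": Perm.ALLOW})  # assumption: A may write on /home
    contact = Item("/home/contact us", parent=home, explicit={"B": Perm.ALLOW})
    if explicit_deny:
        contact.explicit["A"] = Perm.DENY  # role A explicitly denied on the item
    else:
        contact.no_inherit.add("A")  # role A only stops inheriting on the item
    users = {"A": ["A"], "B": ["B"], "AB": ["A", "B"]}
    return {name: can_write(contact, roles) for name, roles in users.items()}


if __name__ == "__main__":
    print("explicit deny:     ", scenario(True))   # AB is blocked
    print("broken inheritance:", scenario(False))  # AB can write, A alone cannot
```

In both setups a user holding only role A cannot write to the item; only the broken-inheritance setup leaves room for role B's explicit allow to take effect for user AB.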