3
votes

The way we have our security setup in Sitecore, we have departmental roles that, through inheritance, define security on specific site sections. For instance, role "A" has write access to a section of the site, while role "B" has write access to a different section.

Let's say we then have a workflow we need to attach to these content items. We have specific "Functional" roles, like "Author" or "Approver". Authors submit content to be approved after they draft it, approvers can't touch it until it reaches the approval state and so on and so forth. If I need to "Author" content, I have to have roles "A" and "Author", or "B" and "Author."

This works well except for when people need specific roles for a department. If I need to "Author" "A" content, and "Approve" "B" content, I have to have roles: "A" "B" "Author" "Approver." The problem is that there's no way to tell the system that they need to be prohibited from "Authoring" "B" content, or vice versa.

It seems like the only way around this is to have "A Dept Author" and "B Dept Author", etc. roles, but it seems like as the number of departments and functions increases, this will become a maintenance nightmare. What are Sitecore best practices regarding this seemingly common situation?

Thanks.

Edit: We are using the latest rev. of Sitecore 6.4.

2
So you are saying that as a user, I may be able to author content for the marketing dept, but not approve it, and approve content for the sales dept, but not author it? – nickwesselman
I don't make the requirements, I just implement them. :) But, yes, exactly. – raynjamin

2 Answers

0
votes

Sitecore supports subroles ('roles within a role'); however, this is not something you can set through the UI.

You can set this through the DB Browser Admin Page (/sitecore/admin/dbbrowser.aspx) - however, if you wanted some user-friendly way of setting this, you may want to build your own control to be accessed through the Sitecore UI.

This should allow you to create a hierarchy of roles, such as

Author
-- Dept A
-- Dept B

Approver
-- Dept A
-- Dept B

0
votes

Not sure I would classify this as a common scenario. My first reaction is to encourage your customer/user to simplify the workflow process. Overly complex workflows will discourage your users and impede adoption.

That said, what about using cloning to create workflows for each site section, which you can individually apply security to? You are right, though, that this could require larger numbers of roles. Roles-in-roles could help there, but in the end you are trying to model some rather complex rules; not sure you are going to avoid complexity in your solution.
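
A small model of the role problem discussed on this page, added here as an example; it is not part of the original question or answers and does not use Sitecore's API. It computes which (department, function) pairs a user effectively holds when department and functional roles are evaluated independently, flags the unintended ones, and lists the per-pair roles (named as in the question, e.g. "A Dept Author") that would avoid them. User names and entitlements are constructed sample data.

```python
from itertools import product

# Constructed sample data: intended entitlements as (department, function) pairs.
INTENDED = {
    "alice": {("A", "Author"), ("B", "Approver")},   # the case from the question
    "bob":   {("A", "Author"), ("B", "Author")},
    "carol": {("B", "Approver")},
}

def flat_roles_for(intended):
    """Smallest set of flat roles (e.g. "A", "Author") covering the intended pairs."""
    return {d for d, _ in intended} | {f for _, f in intended}

def effective_flat(roles, departments, functions):
    """Flat model: department and functional roles are checked independently,
    so every held department combines with every held function."""
    return {(d, f) for d, f in product(departments, functions)
            if d in roles and f in roles}

def excess_grants(intended, departments, functions):
    """Pairs the flat model allows that were never intended."""
    roles = flat_roles_for(intended)
    return sorted(effective_flat(roles, departments, functions) - intended)

def scoped_roles_for(intended):
    """Scoped model: one role per pair, so nothing beyond the pairs is granted."""
    return sorted(f"{d} Dept {f}" for d, f in intended)

def audit(assignments, departments, functions):
    """Map each user to the list of unintended pairs under the flat model."""
    return {user: excess_grants(pairs, departments, functions)
            for user, pairs in assignments.items()}

if __name__ == "__main__":
    depts, funcs = ["A", "B"], ["Author", "Approver"]
    for user, extra in audit(INTENDED, depts, funcs).items():
        print(user, "flat roles:", sorted(flat_roles_for(INTENDED[user])),
              "| unintended:", extra or "none",
              "| scoped roles:", scoped_roles_for(INTENDED[user]))
    # Maintenance cost: flat needs departments + functions roles, scoped needs the product.
    print("role count: flat", len(depts) + len(funcs),
          "vs scoped", len(depts) * len(funcs))
```

Only users whose intended pairs mix different functions across different departments show unintended grants, which makes this kind of audit a quick way to find who actually needs the per-department roles.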