
I need to allow a set of users to have access to just one node in the content tree and just one workflow. To them it should look as if the Sitecore server contains only that one website.

It looks as if the "everyone" role having read permission all through the tree is forcing me to explicitly deny write access on the other nodes in the content tree and the other workflows.

However, if I do that the explicit denial carries to the other users through inheritance.

I have roles like this:

  • First Site Editor
    • All workflows denied but one
    • All content nodes denied but one
  • Second Site Editor
    • All workflows denied but one
    • All content nodes denied but one
  • Super Awesome Role
    • Contains "First Site Editor" role to gain its rights.
    • Contains "First Site Editor" role to gain its rights.

What do I do? Am I forced to edit the "Everyone" role? I'd prefer not to since I would be compelled to do a ton of testing to make sure my edits did not affect another group unintentionally.


2 Answers


There are two things to keep in mind when it comes to workflow and what users have access to. First of all, a user must have write access on the item to be able to execute workflow commands on it at all, or even see it in their workbox. That's just for editing at all, and that's just basic security stuff. What is less known is this: if an item is in a workflow, a user must also have Workflow State access rights for the workflow states themselves.

So if an item is in workflow state "Waiting for Approval" with two choices, Approve and Deny, you would need to set that role or user to have Workflow State Write (and optionally Delete) on the "Waiting for Approval" workflow state item. Then, in order for them to see and be able to do the Approve or Deny action, you need to give them Workflow State Execute rights for the actions you want them to be able to see. If they don't have all of those accesses set, the workflow command will not even appear to the user.


I think you can deny read access to descendants of the content node then explicitly set read access to the single descendant node of the content item that you want to show them.

E.g.

  • content [deny descendant read access]
    • site1
    • site2 [allow read access to this item and sub-items]
    • site3

If this does not work (I didn't try it myself) let me know and I'll circle back to it.
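The two answers above can be applied together with Sitecore's security API instead of clicking through the Security Editor. The following C# is an added example written for this page; it is not code from either answer or from Sitecore's documentation. The item paths (`/sitecore/content/site2`, the workflow state and command items), the role name `sitecore\Second Site Editor` and the test user are assumptions chosen for illustration. It denies item:read for the role on the descendants of /sitecore/content (leaving the content root itself readable so the tree still opens), re-allows read and write on site2 and its sub-items, grants the Workflow State Write and Workflow Command Execute rights the first answer describes, and finishes with an `AuthorizationManager.IsAllowed` check so you can confirm the other sites are no longer visible to a member of the role.

```csharp
// Added example for this Q&A, not code from the original answers.
// Assumed paths, role and user names are illustrative only.
using System;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

public static class SiteScopedSecurity
{
    // Adds one rule to the item's own access rules (the __Security field).
    // Rules set on an item itself take precedence over rules inherited from
    // its ancestors, which is what lets the allow on site2 win over the deny
    // placed on the descendants of /sitecore/content.
    private static void AddRule(Item item, Account account, AccessRight right,
                                PropagationType propagation, AccessPermission permission)
    {
        AccessRuleCollection rules = item.Security.GetAccessRules();
        rules.Helper.AddAccessPermission(account, right, propagation, permission);
        item.Security.SetAccessRules(rules);
    }

    public static void ScopeRoleToSite2()
    {
        Database master = Factory.GetDatabase("master");
        Role editors = Role.FromName(@"sitecore\Second Site Editor");   // assumed role

        using (new SecurityDisabler())
        {
            Item content = master.GetItem("/sitecore/content");
            Item site2 = master.GetItem("/sitecore/content/site2");       // assumed path

            // Second answer: deny read on everything below /sitecore/content
            // for this role only (Descendants, not Entity, so the root stays
            // readable), then explicitly allow read and write on site2 and
            // its sub-items. Other roles never see these rules.
            AddRule(content, editors, AccessRight.ItemRead, PropagationType.Descendants, AccessPermission.Deny);
            AddRule(site2, editors, AccessRight.ItemRead, PropagationType.Any, AccessPermission.Allow);
            AddRule(site2, editors, AccessRight.ItemWrite, PropagationType.Any, AccessPermission.Allow);

            // First answer: item:write alone is not enough once an item is in
            // workflow. The role also needs Workflow State Write on the state
            // item and Workflow Command Execute on each command it may use.
            // Workflow item paths below are assumptions.
            Item waitingState = master.GetItem(
                "/sitecore/system/Workflows/Site2 Workflow/Waiting for Approval");
            AddRule(waitingState, editors, AccessRight.WorkflowStateWrite,
                    PropagationType.Entity, AccessPermission.Allow);

            foreach (string command in new[] { "Approve", "Deny" })
            {
                Item cmd = waitingState.Children[command];
                if (cmd == null)
                {
                    throw new InvalidOperationException("Missing workflow command: " + command);
                }
                AddRule(cmd, editors, AccessRight.WorkflowCommandExecute,
                        PropagationType.Entity, AccessPermission.Allow);
            }
        }
    }

    // Sanity check: a member of the role should read site2 but not site1.
    // Returns true when the scoping behaves as the second answer predicts.
    public static bool VerifyScoping(string userName)               // e.g. @"sitecore\site2editor" (assumed)
    {
        Database master = Factory.GetDatabase("master");
        User user = User.FromName(userName, false);
        Item site1 = master.GetItem("/sitecore/content/site1");
        Item site2 = master.GetItem("/sitecore/content/site2");

        bool canReadSite1 = AuthorizationManager.IsAllowed(site1, AccessRight.ItemRead, user);
        bool canReadSite2 = AuthorizationManager.IsAllowed(site2, AccessRight.ItemRead, user);
        bool canWriteSite2 = AuthorizationManager.IsAllowed(site2, AccessRight.ItemWrite, user);

        return !canReadSite1 && canReadSite2 && canWriteSite2;
    }
}
```

Run `ScopeRoleToSite2()` once (for example from a deployment script or an admin page), then call `VerifyScoping` with a user who is a member of the role. Because every rule is written for the specific role rather than for `sitecore\Everyone`, the Everyone role's read right is left untouched and no other group's access changes, which is the retesting burden the question wanted to avoid. If the role must also be kept out of the other workflows, the same deny-on-descendants pattern can be applied under /sitecore/system/Workflows with an explicit allow on the one workflow item.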