I’m experimenting with what each role can and cannot do. So I logged into the Workbench as an Author with no other permissions (a member of one community) and was able to successfully add and delete templates and slots from other communities. Is this the expected behavior?
Michael,
The ability to create, modify, and delete design objects in the Workbench is controlled by the Design Access properties in the Object ACL (right-click on the object and from the popup menu, choose Security). Design access uses the Default ACL unless you specify a different access for the Role/User. (Communities control runtime access, not design access.)
For more about this subject, in the Workbench Help, see “Maintaining Object Access” in the Rhythmyx Workbench Help.
RLJII
You may also want to open your Server Admin Tool, click on the Security Tab, then click on the Server ACL sub tab, and review what roles/usrers have what access.
Communities have no effect in the workbench, they only affect visibility of objects seen through other interfaces such as the CX. Within the workbench, roles and user names control access and permissions of design objects.
Thanks. I’m figuring out how to do this.
Because we’re so decentralized, we need to give some access to the Workbench so that webmasters can design templates for their own sites. The Workbench’s Default ACLs give complete permissions to everyone who logs in, presumably because only admins would ever need to do so.
Is there a place I can globally change default ACLs? Eventually I want our system administrators to have full permissions, webmasters to be able to read/write but not delete or modify ACLs, and Default to have read only access - in case a stray author or artist manages to log in. I could do this individually for every item in the Workbench, but obviously… I don’t want to.
You can change the default acls assigned to newly created objects. This is configured in the Windows->Preferences->Rhythmyx->Security. Whatever is configured in this ACL will be used when objects are first created.
Unfortunately, there is no easy way to modify all existing acls to have a defined policy.
As mentioned by vtdarrell, you control who can login to the workbench in the server administrator. You can easily configure it so Artists and Authors cannot access the workbench.
I posed this same issue to Percussion and this is the official response:
Following up with you from our conversation last week where you advised me of a concern you have with regard to Login and Access to the Rhythmyx workbench. Access to the Workbench can be allowed/denied from the User Administration console. In the case that you want to yo deny an end-user’s access to the Workbench (i.e. have their login/password fail in the Workbench), simply uncheck their “Design Access”.
This setting is found in the Server Admin > Security tab >Server ACL tab. After making the setting change access by all accounts other than the Admin role (which is what we wanted) to the workbench stopped.
I neglected to note that a bug keeps Paul’s advice from working right now - new items don’t necessary use the default ACLs. According to Tech Support:
This issue has been reviewed and slated to be fixed in a future release of the Product. The current recommendation is to leave default ACL settings, and change the individual object ACL settings accordingly. The following number will help you to track the issue: RX-13570.
I discovered this by unchecking Modify ACL for Default and Admin, but checking it for a new role CMS-Admin. As I recall, I discovered that new items were created with ACLs that no role could modify, because CMS-Admin wasn’t one of the roles.