Permission questions

I have a few questions about user/permission management:

  • Why is everybody given write permission on a new section (or asset)? Isn’t it more secure to start out with only read permission and give users permission as they need it?

  • Who is allowed to create assets?

  • Does an Editor inherently have the rights of a Contributor, or do I have to specifically assign both roles to an Editor/Contributor?

  • In that same vein, can I define one user to be just a Contributor for one section, but an Editor for another section?

  • Can I define an Editor/Contributor relationship for a given section? For example, Dr. Dean is the Editor and main Contributor for the School of Business section. Let’s say he hires a student named Jack to work on some web pages. Can I make it so that Dr. Dean is the primary Editor for any of Jack’s edits and additions, or will all editors and admins see Jack’s changes and approve or deny them before Dr. Dean gets a chance to see them?

  • In that same vein, is it possible to create a workflow so that Jack’s contributions first go through Dr. Dean, then through an Admin before they’re published live?

Honestly I think the Contributor and Editor roles should be defined on the Section, not the user… and the Admin role should be assigned to a user.

We start with relatively open permissions in terms of creation of new content because CM1 relies on the workflow approval process to keep content from ever going live. In products that don’t have much workflow to stop something from going live, they tend to put the limits up front on the ability to create at all.

  • Yes, by default anyone can create a new page in a section, but that page cannot go live. Also that page will be stripped out of any link lists and even removed from direct inline links unless/until the page is approved for publishing by an Editor or Admin. Also, the default for any Section can be lowered to Read only, which locks out ALL Editors and Contributors alike, until they are added back by name with Write permissions.

  • Anyone can create assets, but they cannot end up on the site unless an Editor or Admin approves them for use. The Editor or Admin users can either go to the asset directly to approve it, or they approve any page that the asset is on. Only Editors and Admins can approve pages for publication.

  • Editors already have the rights of a Contributor, and Admins already have all the rights of an Editor. It’s a build from Contributor to Editor to Admin.

  • To make a user an Editor for one section but not another you must do the following:
    i. Put anyone who ever can be an Editor anywhere in the Editor role.
    ii. Go to the Section (or Folder) where you want to restrict some Editors and set it to Read only.
    iii. Add back only the specific users you wish to have Editor rights for that section or folder.

  • There is no direct support for a person-to-person hierarchy relationship in workflow, but you could use folders to achieve something similar, as in:
    i. Put Dr. Dean in the Editor role.
    ii. In the School of Business section, create a sub folder (which will not be part of the Nav because it’s just a folder) called “Jack”.** Set this folder to Read only.
    iii. Make Jack a Contributor.
    iv. Give Jack and Dr. Dean Write access to the “Jack” folder.

Jack will be a Contributor, Dr. Dean will be an Editor, but only the two of them will be able to do any of their Editor and Contributor functions for content in the Jack folder.

**A cleaner approach might be to put the “Jack” folder in the Asset library and create pages using assets from this folder in the School of Business section. The folder security setting will still kick in on the content assets stored there, yet you would not need to “junk up” the School of Business section with folders that appear in the actual Site structure.

  • Technically, all content needs to go from Contributor to Editor to Admin to go live. The folder approach above will help restrict the first part to Jack to Dr. Dean only, but any Admin can do the final “publish” step. When an Editor hits “Publish” the content actually goes into a Pending state, allowing the Admin one last chance to preview it and modify it before he or she hits the Publish function to make it go Live.

  • If you set most sections/folders to Read only, then you are effectively setting Write access to users on a folder-by-folder basis. I realize if this is your default for every folder/section, it can be tedious.

We can look at making some of these changes to user and workflow settings. It might just be we need to make them easier to set, or change the defaults, or add more types of roles. So far, no one else has raised this yet. Having some specific cases - as you have posted above - always helps.
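
A small model of the rules described in the reply above, as an added example that is not part of the original posts and is not CM1 code: roles build from Contributor to Editor to Admin, a Read only folder admits only users added back by name, an Editor's publish leaves content Pending and an Admin's makes it Live. All class, function and user names are hypothetical, as are the "Draft" state name and the assumptions that Admins are not locked out of Read only folders and may publish straight from Draft.

```python
from dataclasses import dataclass, field

# Each role includes the rights of the roles below it (Contributor -> Editor -> Admin).
RANK = {"Contributor": 1, "Editor": 2, "Admin": 3}

@dataclass
class Folder:
    name: str
    default_write: bool = True                       # new sections start with Write for everyone
    write_grants: set = field(default_factory=set)   # users added back by name

    def can_write(self, user, role):
        # Assumption: Read only does not lock out Admins (any Admin can do the final publish).
        return role == "Admin" or self.default_write or user in self.write_grants

@dataclass
class Page:
    folder: Folder
    state: str = "Draft"   # assumed name for content that has not been approved yet

def create(user, role, folder):
    """Anyone with Write on the folder can create content; it starts unpublished."""
    if not folder.can_write(user, role):
        raise PermissionError(f"{user} has no Write access to {folder.name}")
    return Page(folder)

def publish(user, role, page):
    """An Editor's publish moves Draft to Pending; an Admin's publish makes it Live."""
    if RANK[role] < RANK["Editor"] or not page.folder.can_write(user, role):
        raise PermissionError(f"{user} may not publish in {page.folder.name}")
    if role == "Admin":
        page.state = "Live"       # assumption: an Admin may also publish directly from Draft
    elif page.state == "Draft":
        page.state = "Pending"    # waits for an Admin's final publish
    return page.state

def jack_scenario():
    """The 'Jack' folder setup: Read only, with Jack and Dr. Dean added back by name."""
    roles = {"jack": "Contributor", "dean": "Editor",
             "other_editor": "Editor", "admin": "Admin"}   # constructed sample users
    jack_folder = Folder("Jack", default_write=False, write_grants={"jack", "dean"})
    page = create("jack", roles["jack"], jack_folder)
    log = []
    for user in ("jack", "other_editor", "dean", "admin"):
        try:
            log.append((user, publish(user, roles[user], page)))
        except PermissionError:
            log.append((user, "denied"))
    return log
```

Calling `jack_scenario()` returns the outcome of each publish attempt in order, which makes it easy to check that an Editor outside the folder's grant list cannot approve Jack's work.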