Sitecore Policies and how to Show or Hide Publish Options for Users

Control Users Publishing Options via Sitecore Security Policies

As with most go-lives a showstopper ticket comes in just as you feel like you can finally go live. Fortunately the issue came in didn’t require a new release only some digging around in Sitecore and learning about a lesser known feature

No option to Republish, Publish Subitems or Publish Relating Items

The issue itself was pretty simple; Content Editors, in both Publish Item and Publish Site windows, were unable to see the options to Republish, Publish subitems and Publish related items. Understandably a high priority issue.

Sitecore Publish Publish Subitems missing

The issue hadn’t been caught in QA as our accounts are Administrators and correctly display the options. So knowing Sitecore it was clearly a role(s) permissions issue so I dug into the decompiled Sitecore.Client dll to find out what was required.

In the BuildPublishTypes function, within the PublishForm class of the Sitecore.Shell.Applications.Dialogs.Publish namespace I found something, something that I knew must exist but didn’t know what it was, dark matter Security Policy.

Sitecore Security Policy

Security Policy governs who can use various features within Sitecore. Opposed to managed individually, it is managed centrally via this Item.

The source of the issue is that the User, or rather their role(s), do not have Read access to the Security Policy Item in the Core database. In this case the Can Perform Republish Item,

There are a number of Policies for Publishing;

  • Can Perform Incremental Publish – Control the option to publish only changed items
  • Can Perform Republish – Control the option force publishing of Items, additional options to publish SubItems and Related items
  • Can Perform Smart Publish – Control the option to publish differences between source and target database
  • Can Publish Related Items – Control the ability to publish Items relating to the Item in Context

Policies aren’t limited to Publishing either. You can controls features of Logging into the Content Editor;

  • Can Boost – Control the ability to temporarily boost the number of active users allowed in the Content Editor
  • Can Kick – Use to prevent Users from kicking out others if the active users limit is reached

Features within the Experience Editor can be governed as well;

  • Can Design – Control who can use the designing options
  • Can Edit – Restrict who can use the Edit Options
  • Can Select Placeholder Settings – Control who can choose placeholder settings of components
  • Personalization – Control who can apply personalization rules to the Item, components etc
  • Testing – Control who can initiate Multivariate Tests
  • Keep lock after save – Give the option to keep the Item locked after the edit is saved
  • Can Edit (navigation) –  Control who can open the Item to edit in the Content Editor

Finally there are Policies for the Shell;

  • Can Switch Databases – Control who has the ability to jump between web, master and core.
  • Can Search – Control who can see the Search on the Start Bar

All useful things to consider especially for clients with large numbers of Content Editors. The Can Switch Databases can be really useful to allow some users to jump into the Web database to validate publishes.

The Solution – Applying Security Policies

The resolution to get the Republish, Publish Subitems and Publish Related Items is to give Read access to the Can Perform Republish Security Policy Item in the Core database.This is how all Security Policies can be applied.

Change to the Core database via the Desktop, open the Security Editor and select the Role you want to change.

There are two default publishing roles sitecore\Sitecore Client Publishing’ and sitecore\Sitecore Client Advanced Publishing‘ these are most likely the ones you will want to change unless you have custom roles or want to target a specific user.

With the Security Editor open navigate to the path ‘/sitecore/system/Settings/Security/Policies’ from there find the Items you want to change and tick Read access.

Publish Policy Security Editor

Read access granted to the Can Perform Republish the BuildPublishTypes method in the PublishForm class will detect the user has access to the Secure Policy and code will not add display:none the Republish Pane div (super secure!) and the Republish Options will display.

Sitecore Publish Window

What about Publish Site buttons?

For now it appears controlling who can see the Publish Site button in the Ribbon and the Start Menu are not controlled via Security Policy. There are controlled by giving Read access to the Items to the following items in the Core database

  • sitecore/Content/Applications/Content Editor/Menues/Publish/Publish site
  • sitecore/Content/Document and Settings/All Users/Start Menu/Left/Publish site

And that’s it!

The principle of Security Policies make sense and could be easily implemented in your own custom code; hiding Member features behind a Read access check to an Item in the Core database.

Makes it considerably easier for Clients to govern who has access to what features, run promos where access to a premium service is free for a weekend or even trail features with an automated task to remove Read access after 30 days. Ah, the fun that is Sitecore.

Advertisements

5 thoughts on “Sitecore Policies and how to Show or Hide Publish Options for Users

  1. Does anyone have a suggestion for how to hide republish and smart publish options on the full site publish dialog? Too often we have admins performing the incremental publish and accidentally do a full republish which for our site takes hours. Note that the admins need republish and smart publish on the publish item dialog.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s