Control Users Publishing Options via Sitecore Security Policies
As with most go-lives a showstopper ticket comes in just as you feel like you can finally go live. Fortunately the issue came in didn’t require a new release only some digging around in Sitecore and learning about a lesser known feature
No option to Republish, Publish Subitems or Publish Relating Items
The issue itself was pretty simple; Content Editors, in both Publish Item and Publish Site windows, were unable to see the options to Republish, Publish subitems and Publish related items. Understandably a high priority issue.
The issue hadn’t been caught in QA as our accounts are Administrators and correctly display the options. So knowing Sitecore it was clearly a role(s) permissions issue so I dug into the decompiled Sitecore.Client dll to find out what was required.
In the BuildPublishTypes function, within the PublishForm class of the Sitecore.Shell.Applications.Dialogs.Publish namespace I found something, something that I knew must exist but didn’t know what it was,
dark matter Security Policy.
Sitecore Security Policy
Security Policy governs who can use various features within Sitecore. Opposed to managed individually, it is managed centrally via this Item.
The source of the issue is that the User, or rather their role(s), do not have Read access to the Security Policy Item in the Core database. In this case the Can Perform Republish Item,
There are a number of Policies for Publishing;
- Can Perform Incremental Publish – Control the option to publish only changed items
- Can Perform Republish – Control the option force publishing of Items, additional options to publish SubItems and Related items
- Can Perform Smart Publish – Control the option to publish differences between source and target database
- Can Publish Related Items – Control the ability to publish Items relating to the Item in Context
Policies aren’t limited to Publishing either. You can controls features of Logging into the Content Editor;
- Can Boost – Control the ability to temporarily boost the number of active users allowed in the Content Editor
- Can Kick – Use to prevent Users from kicking out others if the active users limit is reached
Features within the Experience Editor can be governed as well;
- Can Design – Control who can use the designing options
- Can Edit – Restrict who can use the Edit Options
- Can Select Placeholder Settings – Control who can choose placeholder settings of components
- Personalization – Control who can apply personalization rules to the Item, components etc
- Testing – Control who can initiate Multivariate Tests
- Keep lock after save – Give the option to keep the Item locked after the edit is saved
- Can Edit (navigation) – Control who can open the Item to edit in the Content Editor
Finally there are Policies for the Shell;
- Can Switch Databases – Control who has the ability to jump between web, master and core.
- Can Search – Control who can see the Search on the Start Bar
All useful things to consider especially for clients with large numbers of Content Editors. The Can Switch Databases can be really useful to allow some users to jump into the Web database to validate publishes.
The Solution – Applying Security Policies
The resolution to get the Republish, Publish Subitems and Publish Related Items is to give Read access to the Can Perform Republish Security Policy Item in the Core database.This is how all Security Policies can be applied.
Change to the Core database via the Desktop, open the Security Editor and select the Role you want to change.
There are two default publishing roles ‘sitecore\Sitecore Client Publishing’ and ‘sitecore\Sitecore Client Advanced Publishing‘ these are most likely the ones you will want to change unless you have custom roles or want to target a specific user.
With the Security Editor open navigate to the path ‘/sitecore/system/Settings/Security/Policies’ from there find the Items you want to change and tick Read access.
Read access granted to the Can Perform Republish the BuildPublishTypes method in the PublishForm class will detect the user has access to the Secure Policy and code will not add display:none the Republish Pane div (super secure!) and the Republish Options will display.
What about Publish Site buttons?
For now it appears controlling who can see the Publish Site button in the Ribbon and the Start Menu are not controlled via Security Policy. There are controlled by giving Read access to the Items to the following items in the Core database
- sitecore/Content/Applications/Content Editor/Menues/Publish/Publish site
- sitecore/Content/Document and Settings/All Users/Start Menu/Left/Publish site
And that’s it!
The principle of Security Policies make sense and could be easily implemented in your own custom code; hiding Member features behind a Read access check to an Item in the Core database.
Makes it considerably easier for Clients to govern who has access to what features, run promos where access to a premium service is free for a weekend or even trail features with an automated task to remove Read access after 30 days. Ah, the fun that is Sitecore.