User roles and access

Different users will have a different access to items and functions in your system depending on the role they have been assigned. Roles can be assigned at the library level, and also assigned on individual items.

Assigning access to items

There are two methods used to assign roles to access controls on items:
  • Selecting users or groups directly in the access section of an item.
  • Allowing assigned roles to be inherited from parent items up to and including the library. Access roles are inherited in the following hierarchies:
    • Library/site area/content item
    • Library/taxonomy/category
    • Library/folder/component
    • Library/folder/authoring template
    • Library/folder/presentation template
    • Library/workflow
    • Library/workflow stage
    • Library/workflow action

    You can stop inheritance at any point in an inheritance hierarchy. For example, you could allow inheritance down to a site area, but assign access roles manually for each content item under that site area.

    Inheritance from a library is based on the role assigned to the overall library, not on the role assigned to specific item types. For example, you may not have access to the presentation template view on a library, but if you inherit the role of editor to a presentation template, you will be able to view and edit that presentation template from the All Items view.

    Inheritance does not apply to draft items.

Note: By default, inheritance is enabled for all roles and items.

Viewing an item's security settings

The following sections are displayed on the security section of each item.

Table 1. Security settings
Section Details
User Defined If the item is not participating in a workflow, the user can edit access under user-defined.
Workflow If an item is participating in a workflow, then the user-defined option does not appear and the workflow settings are displayed. This cannot be edited. Workflow-defined access is set in workflow stages.
Published items and workflow defined item security:
  • If you grant a user editor access to an item in a workflow stage that uses a publish action, then those users are able to edit the published item directly. No draft is created. The same is true for administrator defined security when applied to published items.
  • If you grant a user manager access to an item in a workflow stage that uses a publish action, then those users are able to edit and delete the published item directly. No draft is created. The same is true for administrator defined security when applied to published items.
  • If you grant a user approve access to an item in a workflow stage that uses a publish action, then those users are able to create drafts of the published item.
Administrator Defined Administrators can edit user access to an item at any time by changing the administrator defined settings.
Inheritance You can also choose to inherit access assigned in the current web content library, or from an item's parent. Inheritance for all user roles are enabled by default.

How security is set

When a new item is created, the creator is automatically given manager access to the item. Additional user and group security can be added in the user-defined and system defined settings.

If an item is participating in a workflow, the creator is given manager access to the item only in the first workflow stage. As the item progresses through a workflow, the item security is determined by the combined workflow and system defined security.

Table 2. Security matrix
Security level No workflow 1st workflow stage Additional workflow stages
User
  • User defined
  • Administrator defined
  • Inherited
  • Administrator defined
  • Workflow defined
  • Administrator defined
  • Workflow defined
Contributor
  • User defined
  • Administrator defined
  • Inherited
  • Administrator defined
  • Workflow defined or inherited
  • Administrator defined
  • Workflow defined or inherited
Editor
  • User defined
  • Administrator defined
  • Inherited
  • Administrator defined
  • Workflow defined or inherited
  • Administrator defined
  • Workflow defined or inherited
Manager
  • User defined
  • Administrator defined
  • Inherited
  • Administrator defined
  • Workflow defined or inherited
  • Administrator defined
  • Workflow defined or inherited
Approve Not applicable.
  • Workflow defined or inherited
  • Workflow defined or inherited
Administrator If you have been assigned the administrator role to a library, you automatically inherit all administration access down to the item-level. It cannot be turned off. If you have been assigned the administrator role to a library, you automatically inherit all administration access down to the item-level. It cannot be turned off. If you have been assigned the administrator role to a library, you automatically inherit all administration access down to the item-level. It cannot be turned off.
Deleting items:

When a new item is created, the creator can also delete the item. If an item is participating in a workflow, the creator can only delete the item in the first workflow stage.

Assigning access to different types of users or groups

When accessing a website or rendering portlet, users login as either anonymous users, or authenticated portal users.

The following user and groups can be used to grant access to items.

Table 3. Users and groups
User or group Details
anonymous portal user Select this user to grant access to anonymous users
[all users] Select this group to grant access to all users, anonymous and authenticated.
[all authenticated portal users] Select this group to grant access to all authenticated users.
[all portal user groups] Select this group to grant access to all user groups.
[creator] Select this to grant access to the creator of the item.
[authors] Select this to grant access to users who have been selected as an "author" of the item.
[owners] Select this to grant access to users who have been selected as an "owner" of the item.

The access required to view a rendered item

To view an item on a rendered page, you need the following:
  1. You need at least user access to the presentation template used to display the current content item.
  2. You need at least user access to every item in the path to the current content item:
    • library/site area/content item
  3. You need at least user access to every item in the path to any elements or components referenced in the presentation template:
    • library/folder/component
    • library/element
    • library/site area/element
    • library/site area/content item/element
    These paths do not need to be the same as the path to the current content item.
  4. There must be a valid template map.
The "wcm.path.traversal.security" setting:

Rendered item behavior will vary depending on how you specify the wcm.path.traversal.security property in the WCM WCMConfigService service. If the property is not specified, the default value is false.

If set to false:
  • Menus will display content regardless of whether a user has access to all site areas in the content path.
  • Navigators will not display site areas a user does not have access to, but can show content under these site areas in specific circumstances such as within breadcrumb navigators.
  • URLs are only checked for content access, not site area access.
If set to true:
  • Menus and navigators will not display content under secure site areas if the user does not have access to all site areas in the content path.
  • Directly accessing content under secure site areas using a URL will fail if the user does not have access to all site areas in the content path.
Rendering performance will be slower if set to true.

Button access

You assign item-level access by assigning users and groups different roles for each item. The role you assign determines what actions a user has access to for each item. The following table describes the minimum access required for access to each button in the user interface. If you have enabled inheritance at the library level, the library access level is inherited by item level access by default. For example, giving a user editor access to a library will automatically be applied to new items they create if inheritance is enabled.
Table 4. Item access controls
Actions Minimum item access Minimum role access to library resources Minimum library access Item status
Add or move children Contributor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Add or remove child links Contributor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Add or remove workflows Manager access or higher. When first created, you require manager access to the library resource in any library. Once saved, you require manager access to both the item and library resource in the library the item is stored in. Contributor access or higher.  
Apply authoring template Contributor access or higher. Editor access or higher to the authoring template library resource. Contributor access or higher.  
Approve Approver or administrator. Editor access or higher to the library resource type. Contributor access or higher.  
Approve Project Approver. Not required. Contributor access or higher.  
Batch-edit access controls Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Cancel draft Manager access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Copy Contributor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Create draft Manager access or higher, or approver access. Editor access or higher to the library resource type. Contributor access or higher. Only published or expired items.
Delete Manager access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Edit Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Link to Contributor access or higher, or approver access. Editor access or higher to the library resource type. Contributor access or higher.  
Manage elements Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Move Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Next Stage Approver access. Editor access or higher to the library resource type. Contributor access or higher.  
Preview item and view rendered item User access or higher, or approver access. Not required. Contributor access or higher.  
Process now Administrator access Not required. Contributor access or higher.  
Purge Manager access or higher. Not required. Manager access or higher.  
Read User access or higher, or approver access. Not required. Contributor access or higher.  
Reference User access or higher, or approver access. Not required. Contributor access or higher.  
Reject Approver or administrator access. Editor access or higher to the library resource type. Contributor access or higher.  
Reject Project Approver. Not required. Contributor access or higher.  
Restart workflow Manager access or higher, or approver access. Editor access or higher to the library resource type. Contributor access or higher. Only published or expired items.
Restore Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Save version Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher.  
Show hidden fields Administrator access Not required. Contributor access or higher.  
Submit for review(Workflows) Approver access. Editor access or higher to the library resource type. Contributor access or higher.  
Submit for review(Projects) Editor access or higher. Editor access or higher to the library resource type. Contributor access or higher. Only when a project is in an active state.
System security Administrator access Not required. Contributor access or higher.  
Unlock Manager access or higher. Not required. Manager access or higher.  
View references User access or higher, or approver access. Not required. Contributor access or higher.  
View versions User access or higher, or approver access. Not required. Contributor access or higher.  
Withdraw approval Approver. Not required. Contributor access or higher. Only when a project is in the review state.

Only when Joint Approval is selected.

Withdraw from review Approver. Not required. Contributor access or higher. Only when a project is in the review state.
Creating new items:

The ability to create new items is set at the library level, not item level. You must have at least contributor access to a library and editor access to an item-type to create a new item. If you have access to create any item type, you can also create folders and projects.

Button access on content items:

You can choose to hide selected buttons on content item forms when creating an authoring template. This means a user may not have access to all buttons on a content item form regardless of their role. Administrators can choose to display hidden buttons if required.

Profiling versus security:

Using profiling to personalize a site is different from using security to limit what items a user can access. In a profile based personalized site, although a user may not be able to access all the pages using personalized menus, they may still be able to access other pages by using navigators, or by searching for content. In a secured site, a user can only view items that they have been granted access to.