We launched new forums in March 2019—join us there. In a hurry for help with your website? Get Help Now!
MODX Community Forums Archive

Answered User access and permissions

    • 54304
    • 6 Posts
    scottmallinson Reply #1, 6 years, 9 months ago
    Hi everyone,

    I'm trying to understand user access and permissions but I'm finding it challenging. I've trawled these forums and read Bob's Guides to learn more about their relationships but I'm still not able to achieve what I'm hoping to do.

    In essence I want to have three user types:

    1. Administrator (default permissions are fine)
    2. Site Editor (access to all website content with ability to add, edit, delete etc. but not to admin functionality)
    3. Department Editor (access to a subset of website content with ability to add, edit, delete etc. but not to admin functionality)
    The roles will correspond to the following content:

    - Home
    - Departments
    - - Architecture
    - - - Page one
    - - - Page two
    - - Biological Sciences
    - - - Page one
    - - - Page two
    - News
    - - Article one
    - - Article two

    I would like many Department Editor user groups, e.g. Architecture Department Editors, Biological Sciences Department Editors etc. that would only oversee the content within their respective departments as well as being able to add, edit, delete etc. News articles.

    I have successfully followed the guidance for Limiting Manager Users to a Subset of Resources using User and Resource Groups at https://bobsguides.com/hiding-resources-in-the-manager.html for an Editor user, but when trying to create an Architecture Department Editor by creating a Resource Group that includes both the Architecture and News content as identified in the list above, the Architecture user is only able to access News in the manager.

    I'm using MODx Revolution 2.6.1-pl.

    Any help would be grately appreciated.

    Thanks.

    This question has been answered by BobRay. See the first response.

    [ed. note: scottmallinson last edited this post 6 years, 9 months ago.]
    • discuss.answer
      • 3749
      • 24,544 Posts
      BobRay Reply #2, 6 years, 9 months ago
      First, congratulations for planning your system ahead of time and explaining it so well.

      Here's my $.02:

      It's up to you whether you want to remove your User Groups and Resource groups (probably not necessary, though you might rename them to match the instructions below). I would definitely remove all your Resource Group Access ACL entries or they will be duplicated and you won't know which are which are yours and which were created from the instructions. Please read to the bottom before starting - especially the last two paragraphs at the end.

      1. Use the same role (Content Editor) for all users except the Administrator group. (The role won't actually do anything. All permissions will be controlled by User Group Membership -- which is much easier.)

      2. Duplicate the built-in Content Editor Policy Template (in case you end up modifying it) - call it "MyContentEditorPolicyTemplate."

      3. Create a new Policy called ContentEditorPolicy based on your MyContentEditorPolicyTemplate.

      4. Create a Resource Group containing all Resources on the site (call it AllDocs).

      5. Connect the AllDocs Resource Group to the Administrator User Group and the Site Editor User Group with two Context Access ACL entries with a context of 'mgr' and the Resource policy.

      6. Install the DefaultResourceGroup extra and set it up to put all new resources in the AllDocs Resource Group.

      At this point, nobody but the Admins and Site Editors can see or edit the docs.

      7. Go to Content -> Resource Groups (Users & User Groups tab).

      8. Create the following New Resource Groups.
      (I would *not* use the wizard here -- it will create more ACL entries than you need -- just fill in the Name and click on the "Save" button)

      Departments
      Architecture
      Biological Sciences
      News

      9. Using the tree *at the right*, drag the resources into the appropriate groups. The Departments Resource Group should contain all the Department folders and their descendants.

      10. Go to System (gear icon) Access Control Lists (Users & User Groups tab).

      11. Create new User Groups with the same names from step 8, but add Editor or Department Editor to the end of each one.

      For step 11, you should use the Wizard, unless your user groups already exist.
      Important: Make sure the context is always set to mgr!
      Make sure the Manager Policy is always set to MyContentEditorPolicy
      Do not give Department Editors access to the Departments group!

      List the resource groups that each user group should get access to. For each individual Department Editor (e.g., Architecture), it will be just the Architecture and News Resource Groups.

      Do *not* check "Create Parallel Resource Group" (you already created them).

      You can add the usernames if you're sure you know them.

      At this point, the Department Editors won't see their departments or their children.

      12. Create a Resource Group Access ACL entry for the Departments Resource Group and the Department Editors User Group with a context of mgr and a policy of "Load, List, and View". That will let those editors see all the departments in the tree, but they can only edit their own department and should see only its children.

      That should do it.
      ************************

      When you create a new user, just add them to the appropriate user group(s).

      When you create a new resource, just add it to the appropriate Resource Group(s) (On the Resource Groups tab). This should happen automatically for new Department folders and their descendants.

      There's kind of a catch here, but I don't see any easy way around it. The Department editors will see all the Departments in the tree and their descendants, but they will only be able to edit their own department's resources. The trouble is that new children inherit their parent's resource groups, so all new Departments will automatically become members of the Departments group and so will all their descendants. One solution would be to put only the Departments folder in the Departments Resource Group and then manually uncheck that Resource Group (on the Resource Group tab) when creating a new department folder (e.g. Architecture).

      It also possible to create a plugin so resources under a Department would not become members of the Departments group, but it would be tricky.










        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
        • 54304
        • 6 Posts
        scottmallinson Reply #3, 6 years, 9 months ago
        Thanks @BobRay. That's been a great help and fixed my problem.

        The key part of the puzzle I think I was missing was in step 12 above: Create a Resource Group Access ACL entry for the Departments Resource Group and the Department Editors User Group with a context of mgr and a policy of "Load, List, and View". That will let those editors see all the departments in the tree, but they can only edit their own department and should see only its children.

        Thanks again.

          • 3749
          • 24,544 Posts
          BobRay Reply #4, 6 years, 9 months ago
          I'm glad you got it sorted. It's a common stumbling block that if you don't have some access to the parent folder, you can't see the children.
            Did I help you? Buy me a beer
            Get my Book: MODX:The Official Guide
            MODX info for everyone: http://bobsguides.com/modx.html
            My MODX Extras
            Bob's Guides is now hosted at A2 MODX Hosting