Resource Groups in MODx Revolution...

@rprovo8: The reason u would not be able to see the page on the front end is because u are not allowing the user to view the document in the "web" context. U just want to stop them getting to it in the mgr context, so try adjust the permissions for web.

A wizard....a great idea, but I would imagine a nightmare to implement!

Hello-

In trying to hide/restrict access to the Home page from the content editor, I tried adjusting the ’web’ in Context Access and Resource Group Access as suggested but once I moved the Home page over to the Developer Resources group the page is inaccessible to web users. Even tried deleting ’web’.

Still trying to figure it out...

All you should need (or want) is a Resource Group Access ACL entry linking the resource group containing the home page and the Administrator user group with a minimum role of admin Super User and a context of mgr. That won’t affect the front end. You’ll be updating the Administrator user group to get there. Delete any Resource Group Access ACL entries relating to that resource group that have a context of web.

Quote from: BobRay at Apr 04, 2011, 11:47 PM

All you should need (or want) is a Resource Group Access ACL entry linking the resource group containing the home page and the Administrator user group with a minimum role of admin Super User and a context of mgr. That won’t affect the front end. You’ll be updating the Administrator user group to get there. Delete any Resource Group Access ACL entries relating to that resource group that have a context of web.

BobRay....your approaching 10k replies. U do know SMF has a 10k limit...at which point u are banned from the forums for good

Quote from: jusmeig at Apr 06, 2011, 12:59 PM

BobRay....your approaching 10k replies. U do know SMF has a 10k limit...at which point u are banned from the forums for good

Excellent. Then I can retire and start sleeping more than 4 hour per night.

Quote from: rprovo8 at Mar 29, 2011, 02:39 PM

Quote from: jusmeig at Jan 07, 2011, 10:41 AM

Quote from: BobRay at Jan 07, 2011, 07:05 AM

Bear in mind that tree_root_id doesn’t really protect the resources. It’s fine for naive users who can be trusted, but if a user can guess the correct URL for editing a resource in the Manager, they can still do it.

Yeah I don’t think I’m going to do that.
OK so I think I got it working after much toil, blow by blow account below.

1. I created a new Resource Group called "Developer Resources".
2. To this I added all the resources with snippets that I wanted to hide from my client.
3. I now created a new Role in Security -> Access Controls -> Roles [I called it "Editor" and gave it a priv of 1]
4. I created a new User Group called "Client Editor" in Security -> Access Controls -> User Groups
5. I now created a new User in Security -> Manage Users -> Add User. I added this user to the user group "Client Editor" with a Role of "Editor"
6. I now edited the User Group called "Client Editor" created in step 4.
7. In Users tab I added the user I created in step [5]
8. In Context Access I setup the following:
Context: mgr | Minimum Role: Editor | Access Policy: Content Editor (ensures this guy can login to manager)
Context: web | Minimum Role: Editor | Access Policy: Content Editor

9. In Resource Group Access I setup:
Resource Group: Developer Resources | Minimum Role: Editor | Access Policy: Load Only | Context: mgr (means this guys cannot see these docs in mgr context....which is what I want)
Resource Group: Developer Resources | Minimum Role: Editor | Access Policy: Load Only | Context: web

10. Save

Still with me....

11. Edit the Administrator User Group now.
12. In Resource Group Access add the following:
Resource Group: Developer Resources | Minimum Role: Super User | Access Policy: Resource | Context: mgr (means this guys can see these docs in mgr context, and still edit etc)
Resource Group: Developer Resources | Minimum Role: Super User| Access Policy: Resource | Context: web

13. Save and then Flush permissions.

DONE!! I now have an admin user who can see everything, and an Editor user who sees all documents but the ones I hide from them in my "Developer Resources" group.

I’m off to get a coffee
I think the thing that did not sit well in my head was the fact the admin can hide documents from themselves, this to me seems very odd (I am the admin after all) I make the rules!!!

Thanks guys for replying to this thread!

This worked great, but my content editors can’t insert or load images. They are using TinyMCE and I have the File Manager Path setup to: /assets/images.

I believe this worked before, did something change? How can I get them to be able to do so?

Thank you!

Just wanting to endorse Bob Ray's step by step guide to setting up a new content editor. For me, though, a different order of some of the steps seemed more natural. The oddest thing for me, is that you have to hide all of the resources first in one resource group, and then create another resource group with only the few resources that the new editor is going to have access to. Anyway, here is my edited version of Bob's advice (tested on Revolution 2.2):

You have a site with a lot of pages/resources and you want a new editor to have access only to a small number of them in the manager area ( with very limited permissions, so no access to the file and element trees, etc).

First put all resources in a group that the new editor will be excluded from:

1. Create a Resource Group (Security -> Resource Groups) called ForMyEyes.
2. Drag all resources at the root into that Resource Group (children are protected automatically)
3. Save.

Now create a resource group for the few resources the new editor will manage:

1. Create a new Resource Group called ForEditors.
2. Drag just the resources that the editors should see into the group.
3. Save.

Tie the ForMyEyes resource group to your admin user group (you are in it by default) so that only you can manage them:

1. Go to Security -> Access Controls -> User Groups tab.
2. Right-click on the "Administrator" group and select "Update User Group".
3. Click on the "Resource Group Access" tab.
4. Click on the "Add Resource Group" button.
5. Set the following:
Resource Group: ForMyEyes
Minimum Role:admin Super User
Policy: Resource
Context: mgr.
5. Save.
6. Click on the Save button at the upper right.

Create the User, Role and User Group for the content editor:

1. Create a User identity for the editor. Security -> Manage Users. Click New User and create and set name, password, email, active status.

2. Next create a role for the editor to play. Security -> Access Controls -> Roles. Create a new role (say, Editor) with an authority of, say, 30.

3. Users with roles also have to belong to groups, so create a user group for all future editors (even if there is only going to be one). Security -> Access Controls -> User Groups. Create new group called Editors.

4. The editor needs to be in that group, so (with the list of user groups visible) right-click the Editors group and select the option to add a user to the group. Choose the editor’s id and give her the role of Editor.

5. Now back to Security -> Access Controls to set the access policy for the new editor. Click the tab that says Access Policies. Have a look at the permissions for the Content Editor policy. If you are not happy with those permissions, duplicate the policy first (right-click it), give it a new name (say, Content Editor Lite) and then alter the permissions to suit.

Click Save.

6. Now we have to tie together the access policy, the role and the group. Get back to the list of user groups: Security -> Access Controls -> User Groups. Right click on the Editors group and select "Update Group”. Then click the Context Access tab. Click Add Context, and select the mgr (manager) context, select the Minimum Role: Editor, and choose the Access Policy: Content Editor Lite.

If you leave it there, the editor won’t see any resources in the Manager area when she logs in, so repeat the previous procedure by clicking Add Context and select the web context this time together with the same role and policy as before.

Click Save.

Give the Editors access to their resources:

1. Find the Resource Group Access tab for the Editors user group (Security -> Access Controls -> User Groups, then right-click the Editors user group to update it).
2. Click the "Add Resource Group" button.
3. Enter:
Resource Group: ForEditors
Minimum Role: Editors
Policy: Resource
Context: mgr.

Save.

Click on the Save button at the upper right.

Go to Security -> Flush Permissions.
Go to Site -> Clear Cache.

In a new browser log in with the Editor’s username and password. You should see only the resources that were put in the ForEditors resource group.

Nice explanation.


---------------------------------------------------------------------------------------------------------------
PLEASE, PLEASE specify the version of MODX you are using . . . PLEASE!
MODx info for everyone: http://bobsguides.com/modx.html