User roles and access - WCM

Roles can be assigned at the library level, and also assigned on individual items.


Assign access to items

There are two methods used to assign roles to access controls on items:

  • Selecting users or groups directly in the access section of an item.

  • Allow assigned roles to be inherited from parent items up to and including the library. Access roles are inherited in the following hierarchies:

    • Library/site area/content item
    • Library/taxonomy/category
    • Library/folder/component
    • Library/folder/authoring template
    • Library/folder/presentation template
    • Library/workflow
    • Library/workflow stage
    • Library/workflow action

    We can stop inheritance at any point in an inheritance hierarchy. For example, we could allow inheritance down to a site area, but assign access roles manually for each content item under that site area.

    Inheritance from a library is based on the role assigned to the overall library, not on the role assigned to specific item types. For example, we may not have access to the presentation template view on a library, but if we inherit the role of editor to a presentation template, we will be able to view and edit that presentation template from the All Items view.

    Inheritance does not apply to draft items.

By default, inheritance is enabled for all roles and items.


Item security settings

User Defined: If the item is not participating in a workflow, the user can edit access under user-defined.

Workflow Defined: If an item is participating in a workflow, the user-defined option does not appear, and the workflow settings are displayed. These cannot be edited. Workflow-defined access is set in workflow stages.

  Published items and workflow-defined item security:

  • If we grant a user editor access to an item in a workflow stage that uses a publish action, then those users are able to edit the published item directly. No draft is created. The same is true for administrator-defined security when applied to published items.

  • If we grant a user manager access to an item in a workflow stage that uses a publish action, then those users are able to edit and delete the published item directly. No draft is created. The same is true for administrator-defined security when applied to published items.

  • If we grant a user approve access to an item in a workflow stage that uses a publish action, then those users are able to create drafts of the published item.

Administrator Defined: Administrators can edit user access to an item at any time by changing the administrator-defined settings.

Inheritance: We can also choose to inherit access assigned in the current web content library, or from an item's parent. Inheritance for all user roles is enabled by default.


How security is set

When a new item is created, the creator is automatically given manager access to the item. Additional user and group security can be added in the user-defined and system defined settings.

If an item is participating in a workflow, the creator is given manager access to the item only in the first workflow stage. As the item progresses through a workflow, the item security is determined by the combined workflow and system defined security.

The following table lists, for each security level, where the effective item security comes from when there is no workflow, in the first workflow stage, and in additional workflow stages.

Security level: User
  No workflow: User defined, Administrator defined, Inherited
  1st workflow stage: Administrator defined, Workflow defined
  Additional workflow stages: Administrator defined, Workflow defined

Security level: Contributor
  No workflow: User defined, Administrator defined, Inherited
  1st workflow stage: Administrator defined, Workflow defined or inherited
  Additional workflow stages: Administrator defined, Workflow defined or inherited

Security level: Editor
  No workflow: User defined, Administrator defined, Inherited
  1st workflow stage: Administrator defined, Workflow defined or inherited
  Additional workflow stages: Administrator defined, Workflow defined or inherited

Security level: Manager
  No workflow: User defined, Administrator defined, Inherited
  1st workflow stage: Administrator defined, Workflow defined or inherited
  Additional workflow stages: Administrator defined, Workflow defined or inherited

Security level: Approve
  No workflow: Not applicable
  1st workflow stage: Workflow defined or inherited
  Additional workflow stages: Workflow defined or inherited

Security level: Administrator
  No workflow, 1st workflow stage and additional workflow stages: Users assigned the administrator role to a library automatically inherit all administration access down to the item level. It cannot be turned off.

Delete items:

When a new item is created, the creator can also delete the item. If an item is participating in a workflow, the creator can only delete the item in the first workflow stage.


Assign access to different types of users or groups

When accessing a website or rendering portlet, users log in as either anonymous users or authenticated portal users.

The following users and groups can be used to grant access to items:

  • anonymous portal user: Grant access to anonymous users.
  • [all users]: Grant access to all users, anonymous and authenticated.
  • [all authenticated portal users]: Grant access to all authenticated users.
  • [all portal user groups]: Grant access to all user groups.
  • [creator]: Grant access to the creator of the item.
  • [authors]: Grant access to users who have been selected as an "author" of the item.
  • [owners]: Grant access to users who have been selected as an "owner" of the item.


The access required to view a rendered item

To view an item on a rendered page, we need the following:

  1. At least user access to the presentation template used to display the current content item.

  2. At least user access to every item in the path to the current content item:

    • library/site area/content item

  3. At least user access to every item in the path to any elements or components referenced in the presentation template:

    • library/folder/component
    • library/element
    • library/site area/element
    • library/site area/content item/element

    These paths do not need to be the same as the path to the current content item.

  4. There must be a valid template map.


wcm.path.traversal.security

Rendered item behavior will vary depending on how the wcm.path.traversal.security property is specified in the WCM WCMConfigService service. If the property is not specified, the default value is false.

If false:

  • Menus will display content regardless of whether a user has access to all site areas in the content path.

  • Navigators will not display site areas a user does not have access to, but can show content under these site areas in specific circumstances such as within breadcrumb navigators.

  • URLs are only checked for content access, not site area access.

If true:

  • Menus and navigators will not display content under secure site areas if the user does not have access to all site areas in the content path.

  • Directly accessing content under secure site areas using a URL will fail if the user does not have access to all site areas in the content path.

Rendering performance will be slower if set to true.
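As an added example (not part of the WCM documentation or product code), the following Python model shows how the inheritance rules above (stopping inheritance at an item, drafts not inheriting) combine with the rendered-item access rules and the wcm.path.traversal.security setting to decide whether a direct URL request for a content item succeeds. The item names, principals and numeric role ranks are constructed assumptions.

```python
from dataclasses import dataclass, field

ROLE_RANK = {"user": 1, "contributor": 2, "editor": 3, "manager": 4}  # model only

@dataclass
class Item:
    name: str
    parent: "Item" = None
    roles: dict = field(default_factory=dict)  # principal -> role assigned directly here
    inherit: bool = True                       # False stops inheritance at this item
    draft: bool = False                        # draft items never inherit

def effective_role(item, principal):
    """Highest role rank the principal holds on item, walking up the parent
    chain for as long as inheritance is in effect."""
    best, node = 0, item
    while node is not None:
        best = max(best, ROLE_RANK.get(node.roles.get(principal), 0))
        if node.draft or not node.inherit:
            break                              # inheritance stops here
        node = node.parent
    return best

def has_user_access(item, principal):
    return effective_role(item, principal) >= ROLE_RANK["user"]

def ancestors(item):
    chain, node = [], item.parent
    while node is not None:
        chain.append(node)
        node = node.parent
    return chain

def can_access_url(content, template, principal, path_traversal_security=False):
    """Direct URL access: user access to the presentation template and the content
    item is always required; with wcm.path.traversal.security=true, user access to
    every library/site area in the content path is required as well."""
    if not (has_user_access(template, principal) and has_user_access(content, principal)):
        return False
    if path_traversal_security:
        return all(has_user_access(node, principal) for node in ancestors(content))
    return True

# Constructed sample hierarchy (library / site area / content item), not real data.
lib = Item("library", roles={"alice": "editor", "bob": "user"})
template = Item("template", parent=lib)                  # inherits from the library
secure = Item("secure-area", parent=lib, inherit=False)  # inheritance stopped here
page = Item("page", parent=secure, roles={"bob": "user"})
public = Item("public-area", parent=lib)
draft = Item("news", parent=public, draft=True)          # drafts do not inherit
```

With the sample data, bob can reach the page by URL while the property is false, but not once it is true, because inheritance was stopped at the secure site area; alice, despite editor access on the library, gets nothing on the page for the same reason.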


Minimum access required for access to user interface buttons

If we have enabled inheritance at the library level, the library access level is, by default, inherited at the item level. For example, if inheritance is enabled, giving a user "Editor" access to a library will automatically assign Editor access to new items the user creates.

Each action below lists, in order, the minimum item access, the minimum role access to library resources, the minimum library access and, where it applies, the item status required.

  • Add or move children: Contributor; Editor access to the library resource type; Contributor.
  • Add or remove child links: Contributor; Editor access to the library resource type; Contributor.
  • Add or remove workflows: Manager; When first created, we require manager access to the library resource in any library. Once saved, we require manager access to both the item and library resource in the library the item is stored in; Contributor.
  • Apply authoring template: Contributor; Editor access to the authoring template library resource; Contributor.
  • Approve: Approver or Administrator; Editor access to the library resource type; Contributor.
  • Approve Project: Approver; Not required; Contributor.
  • Batch-edit access controls: Editor; Editor access to the library resource type; Contributor.
  • Cancel draft: Manager; Editor access to the library resource type; Contributor.
  • Copy: Contributor; Editor access to the library resource type; Contributor.
  • Create draft: Manager or Approver; Editor access to the library resource type; Contributor; only published or expired items.
  • Delete: Manager; Editor access to the library resource type; Contributor.
  • Edit: Editor; Editor access to the library resource type; Contributor.
  • Link to: Contributor or Approver; Editor access to the library resource type; Contributor.
  • Manage elements: Editor; Editor access to the library resource type; Contributor.
  • Move: Editor; Editor access to the library resource type; Contributor.
  • Next Stage: Approver; Editor access to the library resource type; Contributor.
  • Preview item and view rendered item: User or Approver; Not required; Contributor.
  • Process now: Administrator; Not required; Contributor.
  • Purge: Manager; Not required; Manager.
  • Read: User or Approver; Not required; Contributor.
  • Reference: User or Approver; Not required; Contributor.
  • Reject: Approver or Administrator; Editor access to the library resource type; Contributor.
  • Reject Project: Approver; Not required; Contributor.
  • Restart workflow: Manager or Approver; Editor access to the library resource type; Contributor; only published or expired items.
  • Restore: Editor; Editor access to the library resource type; Contributor.
  • Save version: Editor; Editor access to the library resource type; Contributor.
  • Show hidden fields: Administrator; Not required; Contributor.
  • Submit for review (Workflows): Approver; Editor access to the library resource type; Contributor.
  • Submit for review (Projects): Editor; Editor access to the library resource type; Contributor; only when a project is in an active state.
  • System security: Administrator; Not required; Contributor.
  • Unlock: Manager; Not required; Manager.
  • View references: User or Approver; Not required; Contributor.
  • View versions: User or Approver; Not required; Contributor.
  • Withdraw approval: Approver; Not required; Contributor; only when a project is in the review state. Only when Joint Approval is selected.
  • Withdraw from review: Approver; Not required; Contributor; only when a project is in the review state.

The ability to create new items is set at the library level, not the item level. We must have at least contributor access to a library and editor access to an item type to create a new item. If we have access to create any item type, we can also create folders and projects.

We can choose to hide selected buttons on content item forms when creating an authoring template. This means a user may not have access to all buttons on a content item form regardless of their role. Administrators can choose to display hidden buttons if required.

Using profiling to personalize a site is different from using security to limit which items a user can access. In a profile-based personalized site, although a user may not be able to reach all the pages through personalized menus, they may still be able to reach other pages using navigators, or by searching for content. In a secured site, a user can only view items they have been granted access to.


Related:

Set service configuration properties