Roles and Rights
Role is a system-wide permission, given to a user directly.
Right is an object-related permission. A user gets a right not directly, but related to some particular object or object group.
To enable your user to do something with AxCMS you have to supply them with Roles and/or Rights. Roles and Rights authorize users to perform some actions in AxCMS or to do something with objects in AxCMS (Pages, Documents, etc.). The same also holds for the Live System application.
Information about how to assign roles and rights via AxCMS can be found here: Permission assignment.
Roles and Rights are not hardcoded into AxCMS.net, but rather an intermediate concept of a CheckPoint is used. A CheckPoint is a guard in code, which protects particular functions. Depending on the user-permissions he either passes through the CheckPoint and can use the function in question or not (a error occurs). There are 100+ CheckPoints in AxCMS.net.
You can think of the CheckPoints as small locks distributed through AxCMS.net and of the Roles/Rights as keys. Every key can open some set of locks. Every lock can be opened by some keys. Every user possesses some subset of keys and therefore can open some particular locks.
The following CheckPoint types are provided in AxCMS.net:
- AxCheckPoint - simple CheckPoint; checks only if the user has appropriate role assigned;
- AxElementCheckPoint - checks the access to the element through roles and rights assigned to the user;
- AxCategoryCheckPoint - checks roles and if the user has needed right for given category;
- AxCategorySubTreeCheckPoint - extends AxCategoryCheckPoint; checks if the user has the right somewhere in the tree from the defined root category;
- AllowedInGeneralCheckPoint - checks if the user is allowed in general.
Which key opens which lock is defined through a PermissionMatrix. Below you see a section of a PermissionMatrix.
You will find Permission Matrix in AxCMS.net 6.0 and above under Components\Security\PermissionMatrix.xls. For the previous versions consult Axinom.
Some CheckPoints only work with Roles (Simple CheckPoints, marked yellow in the matrix), because they do not apply to any particular object (e.g. CheckPoints, protecting New-operations or Overview-Pages). Other CheckPoints do apply to particular objects (Element CheckPoints). Such CheckPoints can be used either with Roles or with Rights.
(Standard) Permission Tree
Not every single category serves as a permission-category. System Administrator has to decide, which subtree fulfills this task. Only categories from this tree are shown in the "Edit rights"-Dialog (see above). The default behaviour of AxCMS.net is to use Navigation (predefined node ID=6) as a standard permission tree. Administrator can change it to any other node.
Caution: If you change this value in a running system, user rights seems to be disappeared. The assignments are still in place, but they don't serves as rights anymore.
If an object in Management System is not assigned to any permission-category at all, no user gets access to it (through the standard permissions; read below about special permissions and owner permissions).
Special Permission Tree
The standard permission tree is sufficient in most cases. But at some point you will find, that one object needs other permissions, as its place in the standard tree implies. For example, one page should be editable by everybody, in spite of it is under the root of its owning department. Or, on the contrary, a page should not be visible even to the employees of the owning department. Or you just want to set the rights explicitly for particular users. In such cases you will use the Special Permission Tree.
Special Permission Tree is another node, configured by an Administrator, which affects the rights. If an object is assigned to any category under special permissions, its standard assignments are ignored and the rights are set according to the special permissions. This way special permissions override the standard permissions.
Switching from standard to special permissions
If you have a page, which uses standard permissions and want to give it special permissions, a comfortable way exists. Go to the "Edit Page" dialog and under "Security" click "Create new special category". A new category "For page [PageName]" is created under Special Permissions and existing user-assignments are copied to it. Then you can assign it to your page with one click and then start giving rights for this special category to your users. If you don't do it, the page has the same permissions, as it was under standard permissions (a snapshot).
To switch back to standard categories, just remove all assignments of a page under special tree and re-assign it again under standard tree, if previously removed. You can also delete unused special categories.
An author (creator) of an object can be granted more rights as any other user for his objects (e.g. a user can edit objects, assigned to him through the standard permissions, but also edit & publish his own objects). Creator Permissions enable this. There is a Creator-category. Any user can get rights for this category exactly the same way, rights on other categories are given (User Profile / Administrate Rights ...). Every page is implicitly considered to be in the Creator-category, but only for the user, who created it.
Creator Permissions always add-up to the other permissions a user has (standard & special).