I've created a situation where authors are running into permission issues when trying to move pages under certain conditions.
To manage access, I set up group ACLs that limit author permissions to specific content paths, allowing them to only edit, publish, and perform similar actions within their designated regions. This was achieved by denying jcr:write and crx:replicate at the /content level, while allowing these permissions for their specific regional content paths.
This setup works well until an author needs to move or rename a page within their accessible top-level path. If that page only has references within the author's regions they have access to, the move operation works fine. If that page does have references outside the region they can access, it triggers a "request to move" operation. This happens because the move process attempts to update the references through unpublishing and publishing, which they cannot perform outside of their region. I understand why this is occurring.
While I have some ideas for workarounds, I wanted to check if there’s a simpler solution that I might be overlooking. Please let me know if you need any further details.
Views
Replies
Total Likes
Hi @mmasonWD
The simplest solution would be to give your authors a reference report.
Best part is this will remain disjoint from your current ACL permissions and authors can make use of reference report to identify references before attempting a move so they can either remove or manually adjust references within their permissions.
However this will increase overhead but would help without change current ACL permissions.
Using the report authors can manually update references within their allowed region or request assistance for references outside their control.
Thanks for the suggestion, but I am hoping for a solution that does not require additional assistance from an admin or another user. While this is a good suggestion, we have almost 40 authors and over 3500 pages, so not too feasible for our situation. I wasn't sure if there was some Access Control Entry that could be added/edited that I am overlooking that could solve this issue.
If you only want to use ACL to achieve the same then one thing you can do is assign specific permissions to a user group that are required for moving pages with references to other non accessible regions, that is I think jcr:write and jcr:modifyProperties permissions for the content path root.
Then you can assign this group temporarily to a regional author group and remove the group when the moving is done.
This can be done using a simple installable permissions package.
If I understand you correctly, this would only solve the issue temporarily for a selected span of time, and not a permanent solution moving forward when authors may need to move pages at any given date. Part of the "move" operation also includes the crx:replicate privilege that must exist as part of publishing/unpublishing references upon move.
I am beginning to think my request is not possible given how I currently have managed author access to specific regions. I may have to completely rethink our strategy here.
Yes , given that you are looking for a permanent solve, you will have to rethink ACL division and hierarchy.
@mmasonWD Did you find the suggestion helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!
Views
Replies
Total Likes
Unfortunately there is no correct answer here as it seems the route I was attempting to take and the specific outcomes I needed are not possible.
Views
Replies
Total Likes
Views
Likes
Replies