Security

Security in the Percussion CMS is about managing who has access to create and edit which content.  Since Percussion was designed to manage public facing websites, content in the system is able to be viewed by all users of the system. While you can control who can edit or publish content, you cannot control who can view content.  Also, for assets in the system, you cannot limit who can use them in a page. Once, for example, a image has been uploaded to the CMS, any user will be able to include that image in the Rich Text content.

But while Percussion does have a spirit of openness, there is a great ability to control who can edit content, who can approve it and who can publish it. This provides a governance layer that can prevent, for example, the wrong image from being used in a blog post.

Site Governance

There are two ways of managing security and permissions in Percussion.  The first is through workflow. Using workflow you can establish which roles can perform which actions at each step of your content governance process.  See Managing Workflow for more information. 

The second is to configure site and folder properties. These permissions limit who is allowed to edit content based on where it resides in the CMS.  

As you establish your governance process, it will be important that you have these two techniques in sync with one another. For example, let's say you want your organizations privacy policy on your website and there are few people who should have access to edit it.  One way would be to limit it by configuring a workflow that controls who can edit and approve this page based on role.  Another way would be to limit access to the content by configuring the folder permissions so that only specifically identified users could edit the page.  If you implemented both, you could end up in a scenario where your governance is in conflict. If a new legal editor joined the organization, if you added her to the role that can edit the page, but neglected to update the folder security, she could be prevented (improperly) from editing that content. 

It is recommended that you use either workflow or folder permissions in order to prevent this type of conflict. 

Modifying Site Permissions 

Site Permissions allow you to limit the users who have access to edit content on a given site. Two permissions are available for sites:

  • Read - View pages and folders, but not modify, add, move or remove them. No access to folder properties. 
  • Write - Modify, add, move, and remove pages, assets, and subfolders.

If you change the Site Permission to Read, you then must identify those users who have Write access. To change a site's properties, open the site in the Navigation Manager and click the Edit icon on the root of the site.

Modifying Section Permissions

Section Permissions are like Site Permissions, but they allow you to limit access to a specific section of the site.  As with Site Permissions you can change the default permission to Read and then identify specific users who have access to edit the content in that Section. 

Note: Section Permissions do not cascade downward.  If you change the default Permission to Read, the subordinate sections or folders below that Section will not inherit the permission of the parent.  

Modifying Folder Permissions

Folder permissions differ slightly from sites and sections. In addition to Read and Write permissions, there is an Admin permission.  As with section permissions, folder permissions do not cascade downward.  If you change the default permission to Read, the subordinate folders will not inherit the permission of the parent.

  • Read - Use pages, assets, and subfolders, but not modify, add, move or remove them. No access to folder properties. 
  • Write - Modify, add, move, and remove pages, assets, and subfolders, but not move or remove the folder. No access to folder properties.
  • Admin - Full ability to modify, add, move, and remove pages, assets, and subfolders as well as ability to move, delete or modify the folder. 

Note: There are certain Percussion system folders that Admin users do not have access to modify, including: 

  • //Asset/uploads
  • //Asset/uploads/images
  • //Asset/uploads/files

Potential Folder Security Conflicts

If you are establishing folder security for sites and assets, it is possible to create conflicts. For example, let's say you have an News and Events folder where named users can create new event pages. Those pages typically include a company disclaimer paragraph that has been stored as a shared asset.  The folder where that shared asset is stored is limited to only being edited by an administrator. At the beginning of 2015, a user creates a new event, drags in the company disclaimer but notices that is has a 2014 date in it.  That user would not be able to edit that asset to update the date because it is a shared asset stored in a folder separate from the page.  As you create your governance process, look for those circumstances that could result in conflict.

 

Leave a comment

*
*