Pyramid drives access to functions, content and data through a user-role based model, as described in the application security overview. The Roles Panel in the content manager is the means through which both authorized users and admins can assign access rights for content.
- For details on assigning role-based access to data, see the Materialized Manager tools for end-users or the Data source Manager for administrators.
Accessing Role Settings for Content
The option to see the roles panel is ONLY available on public domain content, since a user has full access to their own personal content, and the access rights for workgroup domain content are hard-coded based on role membership. (See Folders for more details.)
Using the Role Switches
Within the roles panel, the user can see the list of relevant roles and their different access rights on the item (yellow box above). When a role check is made, the flag is stored in the repository immediately - there is no save or apply button.
- READ Access - this means users within these roles can open the content and interact with it, but they CANNOT SAVE changes made to it.
- WRITE Access - this means the users within these roles can open the content and they CAN SAVE changes made to it. By definition, if a role has write access it also has read access.
- MANAGE Access - this means the users within these roles have the right to change the access settings of their own role and those of other roles for the chosen content item.
Access to these switches is governed by whether the pro user has management rights on the item (or folder). Admins have access to all options for all relevant roles regardless of role membership. Further, a content item owner (red arrow above) has the right to open, edit and change the content as well unless specifically denied by admins.
In a multitenant deployment, the roles and access are limited to the current tenant only unless cross tenant content has been enabled.
Other Panel Functions
To accelerate the process of making changes, users can use the "All" switches (yellow boxes above) to turn on role access down or across roles. If the role list is large, users can use the alpha search or text search functions to filter the role listing (orange arrow above).
In the roles panel for folders, an extra "propagate" button is available (green arrow below), allowing users to push the folder's role access settings down to all its subordinate content items and folders with a single click.
Accessing Roles via Save
Apart from setting role access to public content via the content manager views, users can also set role access rights when saving content. When saving content in the public domain, the user is given the choice to inherit the parent folder's security or to set custom access. See Saving content for more details.
The user-role model described above assumes a classic multi-tenant approach: users, content and data within a tenancy cannot be accessed by other users in another tenancy. However, this can be extended with "Cross Tenancy" options.
- Cross Tenant Roles allows roles to contain users from outside their domain / tenancy.
- Cross Tenant Content allows content to be accessible from other tenants.
- Click here for more details on Cross Tenant Options
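The access rules on this page can be modelled as a small decision function. The following is an added example, not Pyramid code or a Pyramid API; all names are hypothetical. It assumes that the tenant boundary also binds admins, that owners get read and write but not manage, that manage implies neither read nor write, and that "propagate" overwrites rather than merges child settings.

```python
from dataclasses import dataclass, field

READ, WRITE, MANAGE = "read", "write", "manage"

@dataclass
class User:
    name: str
    tenant: str
    roles: set
    is_admin: bool = False

@dataclass
class Item:
    name: str
    tenant: str
    owner: str
    flags: dict = field(default_factory=dict)     # role name -> set of flags
    owner_denied: bool = False                    # admin has denied the owner
    children: list = field(default_factory=list)  # populated for folders only

def effective(role_flags):
    """WRITE implies READ. MANAGE is kept independent (assumption)."""
    flags = set(role_flags)
    if WRITE in flags:
        flags.add(READ)
    return flags

def allowed(user, item, action, cross_tenant_content=False):
    # Tenant boundary first (assumed to bind admins too).
    if user.tenant != item.tenant and not cross_tenant_content:
        return False
    if user.is_admin:
        return True
    # Owner can open and save unless denied; owner MANAGE is not assumed.
    if user.name == item.owner and not item.owner_denied and action != MANAGE:
        return True
    return any(action in effective(item.flags.get(r, ())) for r in user.roles)

def propagate(folder):
    """Overwrite every descendant's flags with the folder's flags (assumption)."""
    for child in folder.children:
        child.flags = {role: set(f) for role, f in folder.flags.items()}
        propagate(child)

# Constructed sample data.
report = Item("Q1 report", "t1", "bob", flags={"Viewers": {READ, WRITE}})
folder = Item("Sales", "t1", "alice", flags={"Analysts": {WRITE}, "Viewers": {READ}},
              children=[report])
carol = User("carol", "t1", {"Analysts"})
dan = User("dan", "t1", {"Viewers"})
```

In this model, propagating from the folder removes the write access the Viewers role previously held on the report, which is the kind of side effect worth reviewing before a single-click change.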