Thursday, March 29, 2007
EditMe provides the most powerful access controls in the business, but all this power comes with some complexity. This week's tip provides a thorough treatment of the mechanisms behind EditMe's access controls and a complete example of how the Groups and Policies features can be used in a real world scenario. Using these techniques may allow you to use your EditMe site in ways you had not imagined before.
Many wiki providers offer one or more levels of fixed access controls. These are predefined security settings that can be applied to one or more pages of a site. In EditMe, these are the six combinations of the three access settings (None, Read and Write) and three types of users (Public, Registered and Administrators).
Here are the six fixed access control combinations:
For those not familiar with EditMe: Public users are visitors to the site who have not identified themselves; Registered users are visitors who have created a login at the site; Administrators are site owners or users given Administrator access by site owners. These fixed settings can be applied at the site level to affect all pages, and at the individual page level to override the site setting.
These fixed settings provide a useful set of access controls that meets most needs. But EditMe takes it a step further and allows site owners to create their own user types (called Groups) and access settings (called Policies). Together, these can be combined to create almost any access control configuration imaginable. Let's take a look at how they work.
User Groups provide containers for multiple users that share a particular security requirement. For example, if you use EditMe as a company Intranet, you may choose to create User Groups for each department: Human Resources, IT, and Sales. Once these groups are created, Administrators can use the User management section of Site Settings to add users to each group. Users can be members of multiple groups, too.
To manage Groups, log into your site as an Administrator and click Settings. Select Groups from the Access Control menu drop-down. Then click Add to create each group. You can specify the members of each group as you create it.
On their own, Groups are only containers; they grant no access by themselves. To make use of Groups in your site's access control configuration, you must combine them with Policies.
Policies extend EditMe's standard security capabilities by allowing site administrators to create custom security settings for individual or multiple User Groups. Once a policy is created, it can be specified as the default Security Policy for site-wide viewing and/or editing in the Site Security section of Site Settings, or as the policy for any individual page from the Security drop-down on any page editing screen.
As you create Policies, they will appear in addition to the six fixed access control settings discussed above - both on the site default settings page and on individual pages that override the default.
Extending the company intranet example started above, let's say you want to have sections for each department, and make each section read-only for everyone but the members of that department. You'll want to create three Policies named for each department: Human Resources, IT and Sales. Each of these policies should have "Edit" selected for the "Registered Permissions" option. Assuming your intranet is not publicly viewable, leave "None" specified for "Public Permissions". When creating each policy, select the corresponding Group that you created with the same name.
We now have three Groups corresponding to three Policies. To continue the company intranet example, we'll assume that your default access control setting on your site allows Registered users to view content but not edit it. If not, apply that setting now.
To put your new Policies to work on your site, start by creating three new pages linked from your site's home page. We'll assume for now that you'll keep the Home page to whatever default site setting you have selected. The idea is to create a secondary Home page for each department, and apply the corresponding security Policy to each department page. These steps will be the same for each Group/Policy combination - here are the steps for the Sales department.
That's it! Now members of the Sales department can edit the Sales home page, and members of other departments have whatever default policy you applied to the site. Presumably, they can see the content but cannot edit it. When a Registered user visits the Sales home page, EditMe checks to see if they're in the Sales group. If so, they are given Edit privileges. If not, EditMe delegates control to the default site security policy.
When creating a configuration like this, you'll typically want departmental users to be able to create new pages within their department, and have the appropriate department Policy applied to each new page. This can be accomplished with a feature called Sticky Page Security, and it effectively copies the security settings applied to the page previously viewed by a user to a new page they create. If you enable Sticky Page Security on your site and click the "New" link on the Sales home page, it will be created with the Sales Policy already applied. If you click "New" from the Human Resources page, it will apply that department's policy to the new page. This allows each department to grow their corresponding sections of the site and maintain Edit access only to the pages created from within their department section.
To enable Sticky Page Security, log in as an Administrator and go to your site's Site Settings > Access Controls > Site Security screen. Select "Sticky Page Security" in the Creating Pages section and save.
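The evaluation order described above (Administrators first, then the page's own Policy with its Group check, then fallback to the site default) and the way Sticky Page Security copies a Policy onto a new page can be modelled in a few lines. This is an added illustration, not EditMe's code; the class names, the `group` field and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

class Access(Enum):
    NONE = 0
    READ = 1
    WRITE = 2

@dataclass(frozen=True)
class User:
    name: str
    registered: bool = True
    admin: bool = False
    groups: FrozenSet[str] = frozenset()

@dataclass(frozen=True)
class Policy:
    name: str
    public: Access = Access.NONE      # "Public Permissions"
    registered: Access = Access.READ  # "Registered Permissions"
    group: Optional[str] = None       # if set, `registered` applies only to members

@dataclass
class Page:
    title: str
    policy: Optional[Policy] = None   # None = inherit the site default policy

# Site default assumed by the article: Registered users may read, nobody else may.
SITE_DEFAULT = Policy("Registered read-only", Access.NONE, Access.READ)

def effective_access(user: User, page: Page, site_default: Policy = SITE_DEFAULT) -> Access:
    """Resolve what `user` may do on `page`, mirroring the article's evaluation order."""
    if user.admin:                      # administrators always have full access
        return Access.WRITE
    policy = page.policy or site_default
    if not user.registered:
        return policy.public
    if policy.group is None or policy.group in user.groups:
        return policy.registered
    return site_default.registered      # not in the group: delegate to site default

def create_page(title: str, viewed_from: Page, sticky: bool) -> Page:
    """Sticky Page Security copies the policy of the page the user was viewing."""
    return Page(title, viewed_from.policy if sticky else None)

# Constructed sample configuration following the Sales department walkthrough.
SALES = Policy("Sales", Access.NONE, Access.WRITE, group="Sales")
sales_home = Page("Sales Home", SALES)
home = Page("Home")                     # keeps the site default
alice = User("alice", groups=frozenset({"Sales"}))
bob = User("bob", groups=frozenset({"Human Resources"}))
anon = User("anon", registered=False)
```

Running `effective_access(bob, sales_home)` shows the fallback at work: Bob is registered but not in Sales, so he gets the site default's read-only access rather than the Sales Policy's Edit.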
We hope this example-based introduction to Groups and Policies has proven helpful. Let us know what you think.