Tridion’s authorization model makes a useful distinction between what you are allowed to do (called ‘rights’) and where you are allowed to do it (‘permissions’). Let’s take a simple example, or rather two: John and Jane.
John works in public relations and handles the press area of the web site. Jane is a member of the web content management team. She is responsible for the rest of the site.
The authorization is set up so that John can create content and pages in his own section, and he also holds the right to publish pages. He has no access to the rest of the site, except for read-only access to the root structure group and the root building-blocks folder, because without that he would not be able to navigate down to his own section.
Jane does not have access to the press area at all, but she can create content and pages in the rest of the site.
John and Jane have the same rights, but very different permissions.
This is a fairly typical situation, and at first glance it looks like there is no problem at all. John can do his thing inside the press area, but is unable to mess up the rest of the site because he has at most read-only access there. He couldn’t wreak havoc even if he wanted to, could he?
————————————————————————————————————
Well, yes he could. There is one thing John could do which would make Jane (and the rest of her team) very unhappy: he could unpublish the home page! This is the result of a small flaw in Tridion’s authorization model: publishing in Tridion is a right, while it should have been a permission!
There is no easy way around this, really. Someone with the publishing right can exercise it on any item he or she has read permission on, and unpublishing is covered by that same right. We can revoke John’s publishing right, of course, but since publishing is John’s job that is not really a solution. We cannot revoke his read permission on the root structure group either, since that would block his access to his own ‘Press’ area, which lives inside the root structure group.
There are some work-arounds, none of them very good in my mind:
1. Set up workflow for Press content and let an automated activity publish the page.
This works, but it introduces workflow, which is like shooting with a bazooka at a mosquito.
2. Set up a separate publication for Press. This works because rights are granted per publication, whereas permissions are set on structure groups and folders: John can then be given the publishing right in the Press publication only, and it no longer reaches the home page in the main one. But again, it is a high-impact fix for a relatively simple problem.
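To make the flaw and the second work-around concrete, here is a small model of the rights/permissions split, added for this post and not taken from Tridion itself. It assumes the right names ‘Page Management’ and ‘Publish’, the permission names ‘Read’, ‘Write’ and ‘Publish’, a single publication ‘Website’ with a ‘Root’ structure group containing ‘Press’, and a ‘Home’ page living directly in Root; all of these are illustrative. `can_publish_as_is` encodes the behaviour described above (publish is a right, gated only by Read permission), `can_publish_fixed` shows what a per-container publish permission would do, and `workaround_separate_publication` shows why moving Press into its own publication closes the hole.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of the rights-vs-permissions split. Names of rights,
# permissions, publications and structure groups are assumptions made for
# the illustration; this is not Tridion's own authorization code.


@dataclass
class Item:
    name: str
    publication: str   # rights are granted per publication
    container: str     # permissions are set on the structure group / folder


@dataclass
class Principal:
    name: str
    rights: dict[str, set[str]] = field(default_factory=dict)       # publication -> rights
    permissions: dict[str, set[str]] = field(default_factory=dict)  # container -> permissions


def has_right(user: Principal, item: Item, right: str) -> bool:
    return right in user.rights.get(item.publication, set())


def has_permission(user: Principal, item: Item, perm: str) -> bool:
    return perm in user.permissions.get(item.container, set())


def can_edit(user: Principal, item: Item) -> bool:
    # Editing needs a right (what) and a Write permission on the container (where).
    return has_right(user, item, "Page Management") and has_permission(user, item, "Write")


def can_publish_as_is(user: Principal, item: Item) -> bool:
    # Behaviour described in the post: the Publish right applies wherever the
    # user can read the item. Unpublishing uses the same check.
    return has_right(user, item, "Publish") and has_permission(user, item, "Read")


def can_publish_fixed(user: Principal, item: Item) -> bool:
    # Hypothetical fix: publishing also requires a Publish permission on the container.
    return has_right(user, item, "Publish") and has_permission(user, item, "Publish")


# Constructed scenario from the post: one publication, Press nested under Root.
HOME = Item("Home", publication="Website", container="Root")
PRESS_PAGE = Item("Press release", publication="Website", container="Press")

JOHN = Principal(
    "John",
    rights={"Website": {"Page Management", "Publish"}},
    permissions={"Root": {"Read"}, "Press": {"Read", "Write", "Publish"}},
)
JANE = Principal(
    "Jane",
    rights={"Website": {"Page Management", "Publish"}},
    permissions={"Root": {"Read", "Write", "Publish"}},  # nothing on Press
)


def workaround_separate_publication() -> tuple[Principal, Item]:
    """Work-around 2: Press lives in its own publication and John's rights
    exist only there, so the Publish right never reaches the Website publication."""
    press_page = Item("Press release", publication="Press", container="Press root")
    john = Principal(
        "John",
        rights={"Press": {"Page Management", "Publish"}},  # no rights in "Website"
        permissions={"Root": {"Read"}, "Press root": {"Read", "Write"}},
    )
    return john, press_page


if __name__ == "__main__":
    for label, fn in (("as-is", can_publish_as_is), ("fixed", can_publish_fixed)):
        print(f"{label:5} John may (un)publish Home: {fn(JOHN, HOME)}")
    john2, press2 = workaround_separate_publication()
    print(f"sep.  John may (un)publish Home: {can_publish_as_is(john2, HOME)}")
    print(f"sep.  John may publish Press:    {can_publish_as_is(john2, press2)}")
```

With the setup as described, `can_edit(JOHN, HOME)` is false but `can_publish_as_is(JOHN, HOME)` is true: read-only access plus a publication-wide right is all the unpublish needs. Only the per-container variant or the separate publication makes it false.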
I am busy working out a more elegant solution, but since this is such a common situation, I’m sure one exists already, somewhere out there. Tips, anyone?