Permissions & Access Management for Backend Users

Hi @pw-formatd,

there is already a topic about this here: Multisite capabilities of Neos

Here is what I used to handle multisite policies (policy.yaml of one site package; this needs to be done on all packages/sites, and the role needs to be applied to the user):

privilegeTargets:
  # Restrict access to site (1/2)
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    'Vendor.Package:Site.Site1':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "site1-root-name"'

  # Restrict access to site (2/2)
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'Vendor.Package:Nodes.Site1':
      matcher: 'isDescendantNodeOf("/sites/site1-root-name")'

    # Restrict access to a specific page (also in NodeTreePrivilege)
    'Vendor.Package:Page.SomePage':
      matcher: 'isDescendantNodeOf("8aeb4ff4-f5c3-4586-857f-d287a060205a")'


roles:
  # Grant non-authenticated users permission to site
  'Neos.Flow:Anonymous':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT

  # Grant administrators permission to site & nodes
  'Neos.Neos:Administrator':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT

  # Grant site role access to "this" site and nodes
  'Vendor.Package:Site1':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT


  # Give access to specific page (Only allows access to the subtree of that node
  # instead of the whole tree of that site).
  # Gives basic access to the site + access to edit the nodetree below that page
  'Vendor.Package:AccessSomePage':
    privileges:
      -
        privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      -
        privilegeTarget: 'Vendor.Package:Page.SomePage'
        permission: GRANT
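
How the roles above combine, as an added example that is not part of the original post and not Neos code: a simplified Python model assuming Flow's voting (any DENY refuses, otherwise one GRANT allows, a covered node with only abstentions is refused). The matchers are reduced to path prefixes, and `SOME_PAGE_PATH` and `tree_access_granted` are constructed names.

```python
# Simplified model (an assumption, not Neos/Flow code) of how the roles in the
# policy above combine for the node-tree privilege targets.

# Privilege targets from the post; matchers reduced to node-path prefixes.
# SOME_PAGE_PATH is a constructed path standing in for the page identifier.
SOME_PAGE_PATH = "/sites/site1-root-name/some-page"
NODE_TARGETS = {
    "Vendor.Package:Nodes.Site1": "/sites/site1-root-name",
    "Vendor.Package:Page.SomePage": SOME_PAGE_PATH,
}

# Roles from the post: role -> {privilegeTarget: permission}.
ROLES = {
    "Vendor.Package:Site1": {
        "Vendor.Package:Site.Site1": "GRANT",
        "Vendor.Package:Nodes.Site1": "GRANT",
    },
    "Vendor.Package:AccessSomePage": {
        "Vendor.Package:Site.Site1": "GRANT",
        "Vendor.Package:Page.SomePage": "GRANT",
    },
}


def is_descendant(path, root):
    """Treat the root itself and everything below it as a match, comparing
    whole path segments so '/sites/site1-root-name-old' is not matched."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def tree_access_granted(user_roles, node_path):
    """Decide node-tree access to node_path for a user holding user_roles."""
    matching = [t for t, root in NODE_TARGETS.items()
                if is_descendant(node_path, root)]
    if not matching:
        # No privilege target covers the node, so nothing restricts it.
        # This is why every site needs its own targets.
        return True
    votes = [ROLES.get(role, {}).get(target, "ABSTAIN")
             for target in matching for role in user_roles]
    if "DENY" in votes:
        return False
    return "GRANT" in votes  # only abstentions -> refused
```

In this model a user holding only `Vendor.Package:Site1` is still let into `/sites/site2-root-name/...` until site2's package defines its own targets.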