Hi @pw-formatd,
there is already a topic about this here: Multisite capabilities of Neos
Here is what I used to handle multisite policies. This is the Policy.yaml of one site package; the same has to be done in every site package, and the matching role has to be assigned to the user:
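# Privilege targets for one site ("site1"). The nesting below was flattened in
# the original post; it is restored here so the snippet parses as a mapping of
# privilege class -> target name -> matcher.
#
# Once a privilege target matches a resource, Flow denies access to that
# resource for every role that is not explicitly granted the target. Replace
# "site1-root-name" and the node identifier with the values of your own site.
privilegeTargets:
  # Restrict access to site (1/2): the Site entity itself.
  'Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\EntityPrivilege':
    'Vendor.Package:Site.Site1':
      matcher: 'isType("Neos\Neos\Domain\Model\Site") && property("nodeName") == "site1-root-name"'
  # Restrict access to site (2/2): the nodes below the site root.
  # NOTE(review): this covers the node tree only. Confirm it restricts every
  # operation you care about; Neos has separate node privileges (for example
  # EditNodePrivilege, CreateNodePrivilege, RemoveNodePrivilege) if it does not.
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'Vendor.Package:Nodes.Site1':
      matcher: 'isDescendantNodeOf("/sites/site1-root-name")'
    # Restrict access to a specific page (also in NodeTreePrivilege).
    # The argument is the node identifier of that page. The same nodes are also
    # matched by Nodes.Site1 above, so a role granted Nodes.Site1 covers them.
    'Vendor.Package:Page.SomePage':
      matcher: 'isDescendantNodeOf("8aeb4ff4-f5c3-4586-857f-d287a060205a")'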
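# Role -> privilege grants for site1. The nesting was flattened in the original
# post and is restored here.
#
# A user's effective permissions are combined over all assigned roles: a GRANT
# from any one role applies unless another role sets DENY. Assign only the
# narrowest role a user needs, and check the result with a test account.
roles:
  # Grant non-authenticated users permission to site.
  # NOTE(review): presumably needed so the site can still be rendered for
  # visitors who are not logged in - confirm. Only the Site entity target is
  # granted here, not the node tree target.
  'Neos.Flow:Anonymous':
    privileges:
      - privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
  # Grant administrators permission to site & nodes
  'Neos.Neos:Administrator':
    privileges:
      - privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      - privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT
  # Grant site role access to "this" site and nodes
  'Vendor.Package:Site1':
    privileges:
      - privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      - privilegeTarget: 'Vendor.Package:Nodes.Site1'
        permission: GRANT
  # Give access to a specific page (only allows access to the subtree of that
  # node instead of the whole tree of that site).
  # Gives basic access to the site + access to edit the node tree below that
  # page. Do not also assign 'Vendor.Package:Site1' to the same user: its grant
  # on Nodes.Site1 would open the whole site again.
  'Vendor.Package:AccessSomePage':
    privileges:
      - privilegeTarget: 'Vendor.Package:Site.Site1'
        permission: GRANT
      - privilegeTarget: 'Vendor.Package:Page.SomePage'
        permission: GRANT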