Hello everyone,
we have about 50 different websites in our Neos system which we want to restrict with policies. These websites belong to different business areas. The structure in a simplified version looks like this:
Business Area 1
- Site A
- Site B
Business Area 2
- Site C
- Site D
… and so on.
There are 2 main roles in our system:
- Internal users should be able to edit all websites that belong to their business area and see all other websites outside of their business area as read-only.
  Example: Edit all sites in Business Area 1 (Site A, Site B). Read-only all sites in Business Area 2 (Site C, Site D).
- External users don’t get whole business areas. They should only be able to see and edit specific websites.
  Example: Edit Site C. Every other site is not visible.
Currently our Policy.yaml looks like this:
privilegeTargets:
  'Neos\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
    'Project:SiteARead':
      matcher: isDescendantNodeOf('/sites/site-a')
    'Project:SiteBRead':
      matcher: isDescendantNodeOf('/sites/site-b')
    'Project:SiteCRead':
      matcher: isDescendantNodeOf('/sites/site-c')
    'Project:SiteDRead':
      matcher: isDescendantNodeOf('/sites/site-d')
  'Neos\ContentRepository\Security\Authorization\Privilege\Node\EditNodePrivilege':
    'Project:SiteAEdit':
      matcher: isDescendantNodeOf('/sites/site-a')
    'Project:SiteBEdit':
      matcher: isDescendantNodeOf('/sites/site-b')
    'Project:SiteCEdit':
      matcher: isDescendantNodeOf('/sites/site-c')
    'Project:SiteDEdit':
      matcher: isDescendantNodeOf('/sites/site-d')

roles:
  'Project:SiteARead':
    privileges:
      -
        privilegeTarget: 'Project:SiteARead'
        permission: GRANT
  'Project:SiteAEdit':
    parentRoles: ['Project:SiteARead']
    privileges:
      -
        privilegeTarget: 'Project:SiteAEdit'
        permission: GRANT
  'Project:SiteBRead':
    privileges:
      -
        privilegeTarget: 'Project:SiteBRead'
        permission: GRANT
  'Project:SiteBEdit':
    parentRoles: ['Project:SiteBRead']
    privileges:
      -
        privilegeTarget: 'Project:SiteBEdit'
        permission: GRANT
  'Project:SiteCRead':
    privileges:
      -
        privilegeTarget: 'Project:SiteCRead'
        permission: GRANT
  'Project:SiteCEdit':
    parentRoles: ['Project:SiteCRead']
    privileges:
      -
        privilegeTarget: 'Project:SiteCEdit'
        permission: GRANT
  'Project:SiteDRead':
    privileges:
      -
        privilegeTarget: 'Project:SiteDRead'
        permission: GRANT
  'Project:SiteDEdit':
    parentRoles: ['Project:SiteDRead']
    privileges:
      -
        privilegeTarget: 'Project:SiteDEdit'
        permission: GRANT
  'Project:BusinessArea1Read':
    parentRoles: [
      'Project:SiteARead',
      'Project:SiteBRead'
    ]
  'Project:BusinessArea1Edit':
    parentRoles: [
      'Project:BusinessArea1Read',
      'Project:SiteAEdit',
      'Project:SiteBEdit'
    ]
  'Project:BusinessArea2Read':
    parentRoles: [
      'Project:SiteCRead',
      'Project:SiteDRead'
    ]
  'Project:BusinessArea2Edit':
    parentRoles: [
      'Project:BusinessArea2Read',
      'Project:SiteCEdit',
      'Project:SiteDEdit'
    ]
  'Project:AllRead':
    parentRoles: [
      'Project:BusinessArea1Read',
      'Project:BusinessArea2Read'
    ]
  'Project:AllEdit':
    parentRoles: [
      'Project:AllRead',
      'Project:BusinessArea1Edit',
      'Project:BusinessArea2Edit'
    ]
This policy works great for externals since we assign the specific site roles. The problem we have is the internal roles.
We are not able to show the sites read-only. They are either editable or not visible at all.
The ReadNodePrivilege is not recommended for use and doesn’t work anyway. As soon as we change one of the NodeTreePrivileges in the example above to ReadNodePrivilege, the whole site throws an error and doesn’t work anymore.
The NodeTreePrivilege extends the EditNodePrivilege so it already provides edit permissions. Making the site visible, but not editable works only if we grant the NodeTreePrivilege and deny the EditNodePrivilege. Denying privilegeTargets is not recommended for obvious reasons and it makes it harder for us to use the “big” roles like BusinessArea1Read or AllRead since DENY > GRANT.
I can only think of trying it with MethodPrivileges or writing a Flow Command which adds a bunch of specific site roles to users based on a given business area instead of writing big roles in the Policy.yaml.
Do you guys have any other ideas on how to tackle this problem?
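To make the two effects described in the post reproducible, here is an added toy model of how role inheritance and GRANT/DENY voting combine. This is example code written for this thread, not code from the Neos or Flow projects, and it simplifies the real PrivilegeManager: the isDescendantNodeOf() matcher is reduced to a site path prefix, and a NodeTreePrivilege target is treated as also satisfying an EditNodePrivilege check (because the class extends it, as the post notes). Role, target and site names are the ones from the Policy.yaml above; the role 'Project:SiteCReadOnly' (grant the tree, deny the edit) is a hypothetical addition built the way the post describes the deny approach.

```python
"""Toy model of Flow/Neos role inheritance and GRANT/DENY evaluation.

Added example for this thread, not code from Neos or Flow. Assumptions:
matchers are reduced to a site path prefix, and NodeTreePrivilege targets
also count for EditNodePrivilege checks (the class extends it).
"""
from dataclasses import dataclass, field

NODE_TREE = "NodeTreePrivilege"
EDIT_NODE = "EditNodePrivilege"
# Simplified class hierarchy: an EditNodePrivilege check also considers
# NodeTreePrivilege targets; a NodeTreePrivilege check only its own class.
SATISFIES = {EDIT_NODE: {EDIT_NODE, NODE_TREE}, NODE_TREE: {NODE_TREE}}


@dataclass
class Target:
    privilege_class: str
    site_path: str  # stands in for isDescendantNodeOf('<site_path>')


@dataclass
class Role:
    parent_roles: list = field(default_factory=list)
    privileges: list = field(default_factory=list)  # (target name, GRANT/DENY)


def site_targets(sites):
    """The per-site Read (NodeTree) and Edit (EditNode) targets from the post."""
    targets = {}
    for s in sites:
        targets[f"Project:Site{s}Read"] = Target(NODE_TREE, f"/sites/site-{s.lower()}")
        targets[f"Project:Site{s}Edit"] = Target(EDIT_NODE, f"/sites/site-{s.lower()}")
    return targets


def site_roles(sites):
    """The per-site roles from the post: Edit inherits from Read."""
    roles = {}
    for s in sites:
        roles[f"Project:Site{s}Read"] = Role(privileges=[(f"Project:Site{s}Read", "GRANT")])
        roles[f"Project:Site{s}Edit"] = Role(parent_roles=[f"Project:Site{s}Read"],
                                             privileges=[(f"Project:Site{s}Edit", "GRANT")])
    return roles


TARGETS = site_targets("ABCD")
ROLES = site_roles("ABCD")
ROLES.update({
    "Project:BusinessArea1Read": Role(parent_roles=["Project:SiteARead", "Project:SiteBRead"]),
    "Project:BusinessArea1Edit": Role(parent_roles=["Project:BusinessArea1Read",
                                                    "Project:SiteAEdit", "Project:SiteBEdit"]),
    "Project:BusinessArea2Read": Role(parent_roles=["Project:SiteCRead", "Project:SiteDRead"]),
    "Project:BusinessArea2Edit": Role(parent_roles=["Project:BusinessArea2Read",
                                                    "Project:SiteCEdit", "Project:SiteDEdit"]),
    "Project:AllRead": Role(parent_roles=["Project:BusinessArea1Read", "Project:BusinessArea2Read"]),
    "Project:AllEdit": Role(parent_roles=["Project:AllRead", "Project:BusinessArea1Edit",
                                          "Project:BusinessArea2Edit"]),
    # Hypothetical read-only role built the way the post describes: grant the tree, deny the edit.
    "Project:SiteCReadOnly": Role(privileges=[("Project:SiteCRead", "GRANT"),
                                              ("Project:SiteCEdit", "DENY")]),
})


def expand_roles(roles, assigned):
    """All roles a user effectively holds, following parentRoles transitively."""
    seen, stack = set(), list(assigned)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(roles[name].parent_roles)
    return seen


def decide(roles, targets, assigned, privilege_class, node_path):
    """Outcome of one privilege check: DENY beats GRANT, no vote means ABSTAIN."""
    votes = set()
    for role_name in expand_roles(roles, assigned):
        for target_name, permission in roles[role_name].privileges:
            t = targets[target_name]
            in_site = node_path == t.site_path or node_path.startswith(t.site_path + "/")
            if t.privilege_class in SATISFIES[privilege_class] and in_site:
                votes.add(permission)
    if "DENY" in votes:
        return "DENY"
    if "GRANT" in votes:
        return "GRANT"
    return "ABSTAIN"


if __name__ == "__main__":
    # 1) Internal user of Business Area 1 with AllRead: the "read" role on Site C
    #    is a NodeTreePrivilege grant, which also satisfies the edit check.
    print(decide(ROLES, TARGETS, ["Project:BusinessArea1Edit", "Project:AllRead"],
                 EDIT_NODE, "/sites/site-c/page"))            # GRANT (not read-only)
    # 2) Deny-based read-only role combined with a big edit role: DENY wins.
    print(decide(ROLES, TARGETS, ["Project:BusinessArea2Edit", "Project:SiteCReadOnly"],
                 EDIT_NODE, "/sites/site-c/page"))            # DENY
    # 3) Visibility of Site C and Site D for the deny-based role.
    print(decide(ROLES, TARGETS, ["Project:SiteCReadOnly"], NODE_TREE, "/sites/site-c/page"))  # GRANT
    print(decide(ROLES, TARGETS, ["Project:SiteCReadOnly"], NODE_TREE, "/sites/site-d/page"))  # ABSTAIN
```

Scenario 1 is the first symptom from the post (a "read" role that turns out to be editable), scenario 2 the second (once a DENY on 'Project:SiteCEdit' is in any inherited role, no GRANT from BusinessArea2Edit or AllEdit can override it, so the big roles stop composing). The model is intentionally small; it only shows why the two approaches conflict, not how the real PrivilegeManager handles targets with no matching role at all.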