Friday, October 3, 2008

CMS 6: Allow on User Overrides Deny on Role

OK, I suppose it could be fair to accuse me of being, perhaps, a tad bit on the quiet side with respect to my blog recently. Oh, all right, for the last year or so.

My apologizes.

I can give loads of excuses, but really, I just haven't had much to say. There are many excellent Sitecore bloggers who've done a much better job than I could at bringing forth interesting information.

Perhaps I could have mentioned that we have passed the 2000 certified developers mark (which happened a little while ago), but given that my last post mentioned that we had passed the 1000 mark, I was afraid that doing so would make my blog seem repetitive.

In any case, I do have a little tidbit today that I thought might interest some of you.

In Sitecore CMS 5, our security model had a simple rule:

Deny always overrides Allow

It was one of those simple, clean rules that's easy to explain, but that generally caught people off guard during training, when we asked new developers, "If Audrey is explicitly ALLOWED Write access to item X, but is also a member of the Author role, which is explicitly DENIED Write access to item X, do you think Audrey will be able to change the item or not?"

When you know the rule, the answer is simple, deny always overrides allow, therefore Audrey does not have Write access.

Alas, many people, perhaps even a majority of people, found this confusing. They thought that explicitly allowing Audrey Write access should override the denied access applied to a role.

Well, in Sitecore CMS 6, we've listened to these people and changed the rule. Sadly, this makes the rule a little more complex, but we think people will like it anyway. The rule is now:

Allow set on a User overrides Deny set on a Role, but Deny set on one Role will override Allow set on another Role.

It's still pretty simple, if you ask me.