Author: Eriksson Joakim, Teknikhuset AB.

Published: 2003-01-31

Applies to: Content Studio ver. 3.2 +

Type: How to

Symptoms

Many customers would like parts of their sites to be protected from access from anonymous users on the Internet. In the same time they like most parts to be open.
By default the Everyone group is given browse permission on the site root. That means that everyone has browse in every part of the web. You simply cannot deny the Everyone group since that would include every user

More information

In the site root add the ANONYMOUS LOGON group and give it browse permission. This will give Internet access to the whole site. Also add the Users group and set browse permission to this group. This will give all logged in users access to CS provided that they are a member of this group. Sometimes local accounts are not included in this group but all domain users are. After confirming that all users that can log in are members of this group you can remove the Everyone group from the site root. Sometimes you would like only a limited number of network users to be able to access parts of your site. In that case you should not add the Users group to the site root but directly to parts of the site where they should have access (ex. a unit).
For each part of your web that should be protected deny the ANONYMOUS LOGON the browse permission. This will effectively protect this part from Internet access but logged on users can access the documents since they are not denied. By creating a number of different groups each one representing a use-case and add these groups where the should be effectively you can have very fine grained access control on your web site. Remember though that any permission defined on a higher level is inherited down in the web tree and currently Content Studio cannot protect parts of the site from receive permissions from parent folders.

In Content Studio version 4.0 and later the security system has been improved radically. From that release you have the possibility to stop the flow of inherited permissions at any time thus enhancing the possibilities of setting fine-grained access control to certain points in Content Studio. In this release its is better to stop the inheritance at a certain folder and set the new needed permissions to prevent unauthorized users from accessing the data at that point.