问题
I have user roles that work as follows: Admin is a role in Manger which is a role in Logged in User. I want this to work this way so that if a user has an Admin role, then they will also have a Logged in User role. This reason for this is checks in the code. I don't really want to have to write something that incrementally checks each role to see if a user has access to something when I can just check if they are a Logged in User. Now I want to be able to apply security to sitecore items. The problem I'm having is that denial of access overrides access if both exist for a user. I could separate the roles and do incremental checks (or even nest them in the opposite way) but I want to know if there's a way to switch denial of access overriding access to be the opposite. I.e. if a Manager has access to an item but a Logged in User does not then user who is a Manager will be able to see the item (while inheriting the Logged in User role) but a user who is just a Logged in User will not.
回答1:
I assume you have the following role structure:
- Admin - is a member of...
- Manager - is a member of...
- Logged In User
You should very rarely deny access, as you have found out, since denial always overrides access no matter where the inheritance comes from. Instead, you should break inheritance for the Logged In User role, and then give Read access for your Manager role. Your Admin role will gain read access through inheritance since it is a member of Manager role.
Since you may have content which should only be accessible to Logged In Users, you should break inheritance on the sitecore\Everyone role as well, and give read access to your Logged In Users role.
Logged In User Role:
Manager Role: - is a member of Logged In User
Admin Role: is a member of Manager
来源:https://stackoverflow.com/questions/26979521/sitecore-role-security-make-access-overriding-deny