How to secure an entire branch in a Sitecore content tree?

Question

I have a section of my content tree which I would like to deny ALL permissions to except for specific roles. This seems like a really obvious task to perform, and yet I don't see an example of it in the Security Administrator's Cookbook and I can't figure out an easy way to do it using the security tools. I must be missing something obvious... ???

Say I have this:

sitecore
-content
  -branchA
  -branchB

Everything I created in the content tree is readable by extranet\Anonymous by default. But even when I click on the "Require Login" on the security ribbon, all users still have read access, they just have to log in. I want to make branchB readable by ONLY sitecore\SomeRole members. How is this done?

Answer 1

Ok, follow this guideline.

Let's say we have sitecore\SomeRole and a content tree like this:

Home
  branchA
    itemA1
  branchB
    itemB1

We'd like to deny acccess to branchB and all its descendants for everyone, except for SomeRole.

First off, in Security Editor select Home node, choose sitecore\Everyone role and set the following permissions:

alt text http://img822.imageshack.us/img822/7172/sitecoreeveryonepermiss.png

Now check the access in AccessViewer - that's what we need:

alt text http://img532.imageshack.us/img532/3512/sitecoreeveryoneaccess.png

Let's allow branchB for SomeRole. Go back to Security Editor and explicitly allow permissions for SomeRole:

alt text http://img80.imageshack.us/img80/120/sitecoresomerolepermiss.png

And check this in AccessViewer again:

alt text http://img27.imageshack.us/img27/9584/sitecoresomeroleaccess.png

Hope this answers your question. Beware that Sitecore versions prior to 6.2.X have an issue: AccessViewer doesn't refresh correctly after permissions are set. Kill aspnetwp (w3wp) to fix this.

Answer 2

It sounds like your problem is that you're allowing the extranet\Anonymous user to have read access too far up in the tree. Remove the access grant at the top level (don't deny it, just remove it) and grant it wherever you really need it (like at branchA).