
This unit takes a quick look at the security basics of Magnolia. It includes a video on adding new users.

Provisioning pressure

Who

While ramping up its existing publication pipeline, a large print and online magazine publishing company is increasing its workforce. Some of the new hires will be working on multiple magazines. Existing staff are being assigned new roles and tasks.

Issue

Under the guidance of senior project managers, human resources has prepared a detailed document that specifies the exact tasks, magazines and pages that each new hire and repositioned staff member will be working on. Management insists that the provisioning process must be completed by the end of the week.

Solution

  • The company is using the multisite functionality in Magnolia Enterprise Edition (pro) to host numerous online magazines. 
  • The administrator uses the Security app to configure the necessary roles and access control lists - adding each new hire as required and changing the ACLs for existing staff.
  • As access to the system is based on URLs, staff can only access those URLs for which they have been granted permission.

Outcome 

Tasks complete, the administrator sends each user an email with a personalized login name and password, together with a request to change the password on first login. On logging in, the users find that they have access to precisely those websites, and in some cases only those pages of a site, that they are required to work on.

Security app

Basic security settings are handled by the Security app.

Users

Magnolia CMS has two different user types.

  1. Users - A user is a standard Magnolia account. Users are generally editors and publishers.
  2. System users - Out of the box, Magnolia is configured with two system users:

  • Superuser is a standard administrator account with full access to Magnolia CMS.
  • Anonymous usually has read-only access to public instances of Magnolia. (If no successful login is registered, the anonymous user is used.)

What is a group?

Users with similar privileges are organized into groups. Permissions granted to a group are inherited by every user in the group. A group can have any number of groups and any number of roles assigned to it. You can create groups as required.

What is a role?

A user's role contains the access rights settings in the form of ACLs. A role reflects the actions and activities associated with a user. For example, an editor will not need many of the privileges associated with being an administrator. Users can have multiple roles, and you create roles as required.

How do I add a new user to the system?

Access to content in Magnolia is controlled through Users, Groups and Roles - accessed via the Security app.

App security

Can security restrictions be applied to apps?

Yes. As part of your provisioning process you can use ACLs to determine what apps are available to users. See

Further security measures can be implemented at an app level in the Configuration app.

See 3.3 A lot more about apps & http://documentation.magnolia-cms.com/display/DOCS/App+permissions.

System security

What kinds of security checks are performed by the system when a user tries to log in?

The system performs two checks:

  1. URL
    The most basic check the system performs is whether the user has access to a particular URL.

  2. Filter chain
  • Content-based security is defined per workspace.

  • Content security and ACLs are checked in the filter chain, after determining which workspace and which path within it need to be accessed (Is the user allowed to access the path /demo-project in the website workspace? Is the user allowed to access /marketing/images in the dam/assets workspace? etc.)
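The following is an added example, not Magnolia code: a small Python model of the users, groups and roles described above (roles carry the ACLs, groups pass their roles on to members, nested groups included) and of the two-tier check (URL first, then workspace and path). The role and group names, the path pattern syntax and the "longest matching path wins" precedence rule are assumptions of this model; check the Magnolia documentation for the product's actual precedence rules.

```python
from dataclasses import dataclass, field

# Added example: a model of Magnolia-style users/groups/roles/ACLs and the two-tier
# (URL, then content) check. Not Magnolia code; the sample data and the
# "longest matching path wins" precedence rule are assumptions of this model.

DENY, READ, WRITE = 0, 1, 2  # permission levels, least to most privileged


@dataclass
class Acl:
    scope: str       # "uri" for the URL check, otherwise a workspace name ("website", "dam")
    path: str        # "/a" matches the node itself; "/a/*" matches everything below it
    permission: int


@dataclass
class Role:
    name: str
    acls: list = field(default_factory=list)


@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)   # role names granted to members
    groups: list = field(default_factory=list)  # nested groups whose roles are inherited


@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)


def matches(pattern: str, path: str) -> bool:
    """Match one ACL path pattern against a URL or node path."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])    # "/a/*" -> prefix "/a/"
    return path == pattern


def effective_roles(user: User, groups: dict) -> set:
    """Direct roles plus roles inherited through groups, following nested groups."""
    roles = set(user.roles)
    seen, todo = set(), list(user.groups)
    while todo:
        gname = todo.pop()
        if gname in seen:
            continue                            # protects against group cycles
        seen.add(gname)
        roles.update(groups[gname].roles)
        todo.extend(groups[gname].groups)
    return roles


def permission_for(user: User, scope: str, path: str, roles: dict, groups: dict) -> int:
    """Resolve the permission level for one scope/path across all effective roles.
    Model assumption: the longest matching pattern wins; no match at all means DENY."""
    best_len, perm = -1, DENY
    for rname in effective_roles(user, groups):
        for acl in roles[rname].acls:
            if acl.scope == scope and matches(acl.path, path) and len(acl.path) > best_len:
                best_len, perm = len(acl.path), acl.permission
    return perm


def check_request(user, url, workspace, node_path, required, roles, groups) -> str:
    """Tier 1: is the URL itself allowed? (decided before any content is touched)
    Tier 2: does the user hold the required level on the workspace path?"""
    if permission_for(user, "uri", url, roles, groups) < READ:
        return "denied: url"
    if permission_for(user, workspace, node_path, roles, groups) < required:
        return "denied: content"
    return "allowed"


# Constructed sample configuration for the magazine scenario (assumed names).
ROLES = {r.name: r for r in [
    Role("editor-base", [Acl("uri", "/.magnolia/pages", READ), Acl("uri", "/.magnolia/pages/*", READ)]),
    Role("magazine-a-editor", [
        Acl("website", "/magazine-a/*", WRITE),
        Acl("website", "/magazine-a/legal/*", DENY),   # longer pattern overrides the WRITE above
        Acl("dam", "/marketing/images/*", READ),
    ]),
]}
GROUPS = {g.name: g for g in [
    Group("editors", roles=["editor-base"]),
    Group("magazine-a", roles=["magazine-a-editor"], groups=["editors"]),
]}
USERS = {
    "alice": User("alice", groups=["magazine-a"]),   # inherits editor-base via the nested group
    "bob": User("bob", groups=["editors"]),           # may reach the pages URL, holds no content rights
}


def decide(user_name, url, workspace, node_path, required) -> str:
    return check_request(USERS[user_name], url, workspace, node_path, required, ROLES, GROUPS)


if __name__ == "__main__":
    for args in [("alice", "/.magnolia/pages", "website", "/magazine-a/issue-12", WRITE),
                 ("alice", "/.magnolia/pages", "website", "/magazine-a/legal/terms", WRITE),
                 ("alice", "/.magnolia/config", "website", "/magazine-a/issue-12", READ),
                 ("bob", "/.magnolia/pages", "website", "/magazine-a/issue-12", READ)]:
        print(args, "->", decide(*args))
```

The order of the two checks matters for the defender: a request for a URL the user is not allowed to reach is refused before any workspace or path is even determined, which is why the URL check can sit in front of the cache. The content check then applies to whatever the request actually touches, so a user who is allowed through the URL tier still gets nothing from a workspace path their roles do not grant.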

IP and HTTP method configuration provides the ability to restrict access by IP address and by HTTP method.

Learn more

Next

The next module teaches you how to set up a Magnolia CMS project using recommended technologies.


5 Comments

  1. Cheng: http://wiki.magnolia-cms.com/display/~cheng.hu/MyCar+Practice+Project+Evaluation

    How to manage security in detail?

    How to translate common high level security roles into JCR and URL permissions from scratch?
    When is it appropriate to reuse built in roles and groups?
    How to configure security access for apps?
    How to configure security access for workflows so that only one role can publish and only another role can approve or reject?
    What are the security precedence rules when the lengths of the paths are the same for JCR and URL?
  2. 2 Security 3qs

    1 What security entities do you configure with the Security app (m)
    1. (thumbs up) Users, Groups, Roles
    2. (thumbs down) Users, Groups, Commands
    3. (thumbs down) Users, Groups, Requests
    2 In which security entity are the access control lists (ACL) defined? (A bit too specific perhaps?). What Security entity do you use to define a new set of system access restrictions (ACLs)?
    1. (thumbs up) Roles
    2. (thumbs down) Users
    3. (thumbs down) Groups
  3. Documentation doesn't have a single place that describes the 2-tier security check (url, content). But here's the URI security filter https://documentation.magnolia-cms.com/display/DOCS/Filters#Filters-URIsecurity
    And here's the Content security filter https://documentation.magnolia-cms.com/display/DOCS/Filters#Filters-Contentsecurity

    • It is only checked if the URL requested is allowed for the user to access.

    • No matter what would be fetched in the end, if content would be rendered, a servlet would be reached, or even a redirect to another system

    • It just checks: Is the user allowed to access this URL.

    • It MUST never access content, because it's located before the cache filter.

    • Content
  4. 2 Security 3qs

    1 What security entities do you configure with the Security app (m)
    1. (thumbs up) Users, Groups, Roles
    2. (thumbs down) Users, Groups, Commands
    3. (thumbs down) Users, Groups, Requests
    2 In which security entity are the access control lists (ACL) defined? (A bit too specific perhaps?). What Security entity do you use to define a new set of system access restrictions (ACLs)?
    1. (thumbs up) Roles
    2. (thumbs down) Users
    3. (thumbs down) Groups

    (Comment Christian: I think not, or at least the question as you write it is in my understanding open, all of the entities are used to manage ACLs, users&groups implicit, and roles explicit.
    What I wanted to ask is in which is the explicit definition of ACLs done. Every dev should know that. Probably better wording possible than mine, but it must be clear that it is about: "Where do you add a specific ACL".) OK!

    3 What two security checks does Magnolia perform when a user accesses the system? What security access checks does Magnolia perform when a user accesses the system? Need to qualify this question. Not in Academy. Need to go to: 
    1. (thumbs up) URL & Content based security checks.
    2. (thumbs down) Submission & Receiving based security checks.
    3. (thumbs down) http & https protocol header flags.

    (Comment Christian: Still input needed besides the one given in Hipchat?) ALL GOOD.