Any way to transfer all permissions from one role to another? The Next CEO of Stack OverflowGet base or inherited roles from Role or User object

Proper way to express "He disappeared them"

How do I align (1) and (2)?

Won the lottery - how do I keep the money?

Where do students learn to solve polynomial equations these days?

Why is the US ranked as #45 in Press Freedom ratings, despite its extremely permissive free speech laws?

Running a General Election and the European Elections together

Can we say or write : "No, it'sn't"?

What connection does MS Office have to Netscape Navigator?

Is it my responsibility to learn a new technology in my own time my employer wants to implement?

Would this house-rule that treats advantage as a +1 to the roll instead (and disadvantage as -1) and allows them to stack be balanced?

Would a grinding machine be a simple and workable propulsion system for an interplanetary spacecraft?

Unclear about dynamic binding

What is meant by "large scale tonal organization?"

How to write a definition with variants?

Is micro rebar a better way to reinforce concrete than rebar?

A Man With a Stainless Steel Endoskeleton (like The Terminator) Fighting Cloaked Aliens Only He Can See

What happened in Rome, when the western empire "fell"?

The exact meaning of 'Mom made me a sandwich'

Is there a way to save my career from absolute disaster?

Do I need to write [sic] when a number is less than 10 but isn't written out?

Grabbing quick drinks

Does Germany produce more waste than the US?

How is this set of matrices closed under multiplication?

How to check if all elements of 1 list are in the *same quantity* and in any order, in the list2?



Any way to transfer all permissions from one role to another?



The Next CEO of Stack OverflowGet base or inherited roles from Role or User object










5















We are going to have to create new roles for new content sections and it would be very helpful if we could transfer role permssions so that we don't have to reassign permissions for all the folders to secondary roles for a particular section.
Just wondering if there's a way to copy permissiosn from one role to another and then build on that second role to make the additional permission tweaks, which would be a lot easier than replicating every single folder/item permissions in the new role...










share|improve this question






















  • Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

    – Marek Musielak
    2 days ago






  • 2





    You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

    – Mark Cassidy
    2 days ago











  • @MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

    – Levi Wallach
    2 days ago











  • @MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

    – Levi Wallach
    2 days ago















5















We are going to have to create new roles for new content sections and it would be very helpful if we could transfer role permssions so that we don't have to reassign permissions for all the folders to secondary roles for a particular section.
Just wondering if there's a way to copy permissiosn from one role to another and then build on that second role to make the additional permission tweaks, which would be a lot easier than replicating every single folder/item permissions in the new role...










share|improve this question






















  • Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

    – Marek Musielak
    2 days ago






  • 2





    You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

    – Mark Cassidy
    2 days ago











  • @MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

    – Levi Wallach
    2 days ago











  • @MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

    – Levi Wallach
    2 days ago













5












5








5








We are going to have to create new roles for new content sections and it would be very helpful if we could transfer role permssions so that we don't have to reassign permissions for all the folders to secondary roles for a particular section.
Just wondering if there's a way to copy permissiosn from one role to another and then build on that second role to make the additional permission tweaks, which would be a lot easier than replicating every single folder/item permissions in the new role...










share|improve this question














We are going to have to create new roles for new content sections and it would be very helpful if we could transfer role permssions so that we don't have to reassign permissions for all the folders to secondary roles for a particular section.
Just wondering if there's a way to copy permissiosn from one role to another and then build on that second role to make the additional permission tweaks, which would be a lot easier than replicating every single folder/item permissions in the new role...







permissions






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 2 days ago









Levi WallachLevi Wallach

1786




1786












  • Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

    – Marek Musielak
    2 days ago






  • 2





    You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

    – Mark Cassidy
    2 days ago











  • @MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

    – Levi Wallach
    2 days ago











  • @MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

    – Levi Wallach
    2 days ago

















  • Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

    – Marek Musielak
    2 days ago






  • 2





    You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

    – Mark Cassidy
    2 days ago











  • @MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

    – Levi Wallach
    2 days ago











  • @MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

    – Levi Wallach
    2 days ago
















Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

– Marek Musielak
2 days ago





Do you want to move permissions from Role A to Role B on particular items? So before the operation Role A has Read/Write and after only Role B has Read/Write? Or something more complex?

– Marek Musielak
2 days ago




2




2





You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

– Mark Cassidy
2 days ago





You would need a script, since security permissions are written as strings to the relevant items. However you could make Role B a member of Role A for the same effect - using Sitecore's Roles-in-Roles feature.

– Mark Cassidy
2 days ago













@MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

– Levi Wallach
2 days ago





@MarekMusielak, Role A has permissions for x number of items, at then end of the process Role A and Role B would have permissions on all those same items - the exact same permissions would be for each. Once that is done, I would then go into Role Manager and make some small alterations in Role B's permssions.

– Levi Wallach
2 days ago













@MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

– Levi Wallach
2 days ago





@MarkCassidy, by script do you mean a sql script or powershell? I can't make Role B a member of role A becuase I would then have to overwrite a bunch of permissions for Role B. Basically Role A will have full access to some global level items as well as for sub items, Role B will have full permissions just for subitems, and just read access to global level items. So my thinking was copy the global permissions to B, then just remove all the write/delete/create permissions to the global items.

– Levi Wallach
2 days ago










2 Answers
2






active

oldest

votes


















5














I've written a powershell script which should do the magic for you. I suggest you backup your database before running it, just in case.



It searches for ar|ROLE_DOMAINROLE_NAME| string in __Security fields of all the items under the $root item, looks for the next role or user in the security, and duplicates that role access rights to the second role.



The script only takes into account access rights assigned to the role directly - it doesn't take into account access rights inherited from other roles.



#settings
$roleName = "sitecoreRoleA"
$newRoleName = "sitecoreRoleB"
$root = "110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9"

$roleSecurityString = "ar|" + $roleName + "|"
$items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($item in $items)
if ($item["__Security"].Contains($roleSecurityString)) ar






share|improve this answer























  • I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

    – Pete Navarra
    2 days ago






  • 1





    Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

    – Marek Musielak
    2 days ago



















4














Use Role Inheritance



Your existing roles, which contain the shared access rules that are common among all of the secondary roles, should be members of the secondary roles.



Creating the Base Role



For example, let's say that your Base Role, we'll call it "Base Author" has access to all of the Media Libary, and all of your shared content. This will include all of the shared items and Sitecore default roles (as members) that are common among all of the secondary roles. So it might look something like this:



enter image description here



And in Security Editor:
enter image description here



Creating the Secondary Role



So for the purposes of this example, I'm going to call my role "Headmaster Editor". It's a member of the Base Author role.
enter image description here



In Security Editor:
enter image description here



Assign the Secondary Role only to a user:



Adding the secondary role inherits all of the other roles.
enter image description here



Magic Permission - Breaking Inheritance



Breaking the Inheritance of Descendants makes it possible to prevent any access to any content item UNLESS it has been given a Green Check mark in Security editor. Sitecore's role security is strict on "Red X's" for preventing access. Once a role has a Red X, it doesn't matter if other roles have Green Checkmarks, that user won't have access. So, instead of doling out Red X's, break the inheritance, and then only provide given access via Green Checkmarks. I do this by taking the sitecore/Author role, which is out of the box, and breaking the descendent inheritance on the /sitecore/content item.
enter image description here



Reviewing our Work



Base Author Role



You can see here that Base Author Role only has access to the items that we gave it above.
enter image description here



Headmaster Editor Role



But that the Headmaster Role has everything in the Base + Plus the content from the Headmaster Role.
enter image description here



In Summary



The art and magic of role permissions is to be as simple as possible. If you're checking boxes all over the place and using red x's all over the place, you're doing it wrong. Keep it simple.






share|improve this answer


















  • 1





    Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

    – Levi Wallach
    2 days ago











Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "664"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsitecore.stackexchange.com%2fquestions%2f17766%2fany-way-to-transfer-all-permissions-from-one-role-to-another%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














I've written a powershell script which should do the magic for you. I suggest you backup your database before running it, just in case.



It searches for ar|ROLE_DOMAINROLE_NAME| string in __Security fields of all the items under the $root item, looks for the next role or user in the security, and duplicates that role access rights to the second role.



The script only takes into account access rights assigned to the role directly - it doesn't take into account access rights inherited from other roles.



#settings
$roleName = "sitecoreRoleA"
$newRoleName = "sitecoreRoleB"
$root = "110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9"

$roleSecurityString = "ar|" + $roleName + "|"
$items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($item in $items)
if ($item["__Security"].Contains($roleSecurityString)) ar






share|improve this answer























  • I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

    – Pete Navarra
    2 days ago






  • 1





    Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

    – Marek Musielak
    2 days ago
















5














I've written a powershell script which should do the magic for you. I suggest you backup your database before running it, just in case.



It searches for ar|ROLE_DOMAINROLE_NAME| string in __Security fields of all the items under the $root item, looks for the next role or user in the security, and duplicates that role access rights to the second role.



The script only takes into account access rights assigned to the role directly - it doesn't take into account access rights inherited from other roles.



#settings
$roleName = "sitecoreRoleA"
$newRoleName = "sitecoreRoleB"
$root = "110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9"

$roleSecurityString = "ar|" + $roleName + "|"
$items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($item in $items)
if ($item["__Security"].Contains($roleSecurityString)) ar






share|improve this answer























  • I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

    – Pete Navarra
    2 days ago






  • 1





    Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

    – Marek Musielak
    2 days ago














5












5








5







I've written a powershell script which should do the magic for you. I suggest you backup your database before running it, just in case.



It searches for ar|ROLE_DOMAINROLE_NAME| string in __Security fields of all the items under the $root item, looks for the next role or user in the security, and duplicates that role access rights to the second role.



The script only takes into account access rights assigned to the role directly - it doesn't take into account access rights inherited from other roles.



#settings
$roleName = "sitecoreRoleA"
$newRoleName = "sitecoreRoleB"
$root = "110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9"

$roleSecurityString = "ar|" + $roleName + "|"
$items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($item in $items)
if ($item["__Security"].Contains($roleSecurityString)) ar






share|improve this answer













I've written a powershell script which should do the magic for you. I suggest you backup your database before running it, just in case.



It searches for ar|ROLE_DOMAINROLE_NAME| string in __Security fields of all the items under the $root item, looks for the next role or user in the security, and duplicates that role access rights to the second role.



The script only takes into account access rights assigned to the role directly - it doesn't take into account access rights inherited from other roles.



#settings
$roleName = "sitecoreRoleA"
$newRoleName = "sitecoreRoleB"
$root = "110D559F-DEA5-42EA-9C1C-8A5DF7E70EF9"

$roleSecurityString = "ar|" + $roleName + "|"
$items = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
foreach ($item in $items)
if ($item["__Security"].Contains($roleSecurityString)) ar







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









Marek MusielakMarek Musielak

11.3k11136




11.3k11136












  • I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

    – Pete Navarra
    2 days ago






  • 1





    Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

    – Marek Musielak
    2 days ago


















  • I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

    – Pete Navarra
    2 days ago






  • 1





    Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

    – Marek Musielak
    2 days ago

















I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

– Pete Navarra
2 days ago





I do not disagree that Marek has provided a solution. However, I have a POV that this is an excessive amount of work indicating that roles were not setup correctly in the first place. While I have upvoted I think fixing the role strategy is a better approach.

– Pete Navarra
2 days ago




1




1





Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

– Marek Musielak
2 days ago






Pete I totally agree. Setting roles and access rights is not a 5 minutes task and should be planned properly. I think your answer describes what should have been done in the first place so +1 for you

– Marek Musielak
2 days ago












4














Use Role Inheritance



Your existing roles, which contain the shared access rules that are common among all of the secondary roles, should be members of the secondary roles.



Creating the Base Role



For example, let's say that your Base Role, we'll call it "Base Author" has access to all of the Media Libary, and all of your shared content. This will include all of the shared items and Sitecore default roles (as members) that are common among all of the secondary roles. So it might look something like this:



enter image description here



And in Security Editor:
enter image description here



Creating the Secondary Role



So for the purposes of this example, I'm going to call my role "Headmaster Editor". It's a member of the Base Author role.
enter image description here



In Security Editor:
enter image description here



Assign the Secondary Role only to a user:



Adding the secondary role inherits all of the other roles.
enter image description here



Magic Permission - Breaking Inheritance



Breaking the Inheritance of Descendants makes it possible to prevent any access to any content item UNLESS it has been given a Green Check mark in Security editor. Sitecore's role security is strict on "Red X's" for preventing access. Once a role has a Red X, it doesn't matter if other roles have Green Checkmarks, that user won't have access. So, instead of doling out Red X's, break the inheritance, and then only provide given access via Green Checkmarks. I do this by taking the sitecore/Author role, which is out of the box, and breaking the descendent inheritance on the /sitecore/content item.
enter image description here



Reviewing our Work



Base Author Role



You can see here that Base Author Role only has access to the items that we gave it above.
enter image description here



Headmaster Editor Role



But that the Headmaster Role has everything in the Base + Plus the content from the Headmaster Role.
enter image description here



In Summary



The art and magic of role permissions is to be as simple as possible. If you're checking boxes all over the place and using red x's all over the place, you're doing it wrong. Keep it simple.






share|improve this answer


















  • 1





    Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

    – Levi Wallach
    2 days ago















4














Use Role Inheritance



Your existing roles, which contain the shared access rules that are common among all of the secondary roles, should be members of the secondary roles.



Creating the Base Role



For example, let's say that your Base Role, we'll call it "Base Author" has access to all of the Media Libary, and all of your shared content. This will include all of the shared items and Sitecore default roles (as members) that are common among all of the secondary roles. So it might look something like this:



enter image description here



And in Security Editor:
enter image description here



Creating the Secondary Role



So for the purposes of this example, I'm going to call my role "Headmaster Editor". It's a member of the Base Author role.
enter image description here



In Security Editor:
enter image description here



Assign the Secondary Role only to a user:



Adding the secondary role inherits all of the other roles.
enter image description here



Magic Permission - Breaking Inheritance



Breaking the Inheritance of Descendants makes it possible to prevent any access to any content item UNLESS it has been given a Green Check mark in Security editor. Sitecore's role security is strict on "Red X's" for preventing access. Once a role has a Red X, it doesn't matter if other roles have Green Checkmarks, that user won't have access. So, instead of doling out Red X's, break the inheritance, and then only provide given access via Green Checkmarks. I do this by taking the sitecore/Author role, which is out of the box, and breaking the descendent inheritance on the /sitecore/content item.
enter image description here



Reviewing our Work



Base Author Role



You can see here that Base Author Role only has access to the items that we gave it above.
enter image description here



Headmaster Editor Role



But that the Headmaster Role has everything in the Base + Plus the content from the Headmaster Role.
enter image description here



In Summary



The art and magic of role permissions is to be as simple as possible. If you're checking boxes all over the place and using red x's all over the place, you're doing it wrong. Keep it simple.






share|improve this answer


















  • 1





    Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

    – Levi Wallach
    2 days ago













4












4








4







Use Role Inheritance



Your existing roles, which contain the shared access rules that are common among all of the secondary roles, should be members of the secondary roles.



Creating the Base Role



For example, let's say that your Base Role, we'll call it "Base Author" has access to all of the Media Libary, and all of your shared content. This will include all of the shared items and Sitecore default roles (as members) that are common among all of the secondary roles. So it might look something like this:



enter image description here



And in Security Editor:
enter image description here



Creating the Secondary Role



So for the purposes of this example, I'm going to call my role "Headmaster Editor". It's a member of the Base Author role.
enter image description here



In Security Editor:
enter image description here



Assign the Secondary Role only to a user:



Adding the secondary role inherits all of the other roles.
enter image description here



Magic Permission - Breaking Inheritance



Breaking the Inheritance of Descendants makes it possible to prevent any access to any content item UNLESS it has been given a Green Check mark in Security editor. Sitecore's role security is strict on "Red X's" for preventing access. Once a role has a Red X, it doesn't matter if other roles have Green Checkmarks, that user won't have access. So, instead of doling out Red X's, break the inheritance, and then only provide given access via Green Checkmarks. I do this by taking the sitecore/Author role, which is out of the box, and breaking the descendent inheritance on the /sitecore/content item.
enter image description here



Reviewing our Work



Base Author Role



You can see here that Base Author Role only has access to the items that we gave it above.
enter image description here



Headmaster Editor Role



But that the Headmaster Role has everything in the Base + Plus the content from the Headmaster Role.
enter image description here



In Summary



The art and magic of role permissions is to be as simple as possible. If you're checking boxes all over the place and using red x's all over the place, you're doing it wrong. Keep it simple.






share|improve this answer













Use Role Inheritance



Your existing roles, which contain the shared access rules that are common among all of the secondary roles, should be members of the secondary roles.



Creating the Base Role



For example, let's say that your Base Role, we'll call it "Base Author" has access to all of the Media Libary, and all of your shared content. This will include all of the shared items and Sitecore default roles (as members) that are common among all of the secondary roles. So it might look something like this:



enter image description here



And in Security Editor:
enter image description here



Creating the Secondary Role



So for the purposes of this example, I'm going to call my role "Headmaster Editor". It's a member of the Base Author role.
enter image description here



In Security Editor:
enter image description here



Assign the Secondary Role only to a user:



Adding the secondary role inherits all of the other roles.
enter image description here



Magic Permission - Breaking Inheritance



Breaking the Inheritance of Descendants makes it possible to prevent any access to any content item UNLESS it has been given a Green Check mark in Security editor. Sitecore's role security is strict on "Red X's" for preventing access. Once a role has a Red X, it doesn't matter if other roles have Green Checkmarks, that user won't have access. So, instead of doling out Red X's, break the inheritance, and then only provide given access via Green Checkmarks. I do this by taking the sitecore/Author role, which is out of the box, and breaking the descendent inheritance on the /sitecore/content item.
enter image description here



Reviewing our Work



Base Author Role



You can see here that Base Author Role only has access to the items that we gave it above.
enter image description here



Headmaster Editor Role



But that the Headmaster Role has everything in the Base + Plus the content from the Headmaster Role.
enter image description here



In Summary



The art and magic of role permissions is to be as simple as possible. If you're checking boxes all over the place and using red x's all over the place, you're doing it wrong. Keep it simple.







share|improve this answer












share|improve this answer



share|improve this answer










answered 2 days ago









Pete NavarraPete Navarra

11.3k2675




11.3k2675







  • 1





    Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

    – Levi Wallach
    2 days ago












  • 1





    Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

    – Levi Wallach
    2 days ago







1




1





Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

– Levi Wallach
2 days ago





Part of the issue is that the "base" user that I'm setting up has full access to most areas, whereas the secondary user would only have full access to certain subitems and only read access to the higher level items. I guess I'll have to play with the inheritance access right a little, maybe you are right in that this can be done fairly easily just with that... I do have a "Base" role that all users get which restrict inheritance rights on most items. Will see what I can do once I have the branch template working well...

– Levi Wallach
2 days ago

















draft saved

draft discarded
















































Thanks for contributing an answer to Sitecore Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsitecore.stackexchange.com%2fquestions%2f17766%2fany-way-to-transfer-all-permissions-from-one-role-to-another%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Sum ergo cogito? 1 nng

三茅街道4182Guuntc Dn precexpngmageondP