Howto - Create policies in eZ publish
Posted November 19th, 2008 by admin
The inspiration for this howto - the handy website toolbar with quick access to create and edit functions does not appear for a default editor login. Why not?
Correcting this, and understanding policies, is primarily a case of understanding nomenclature, and knowing where to find the dialog boxes.
Accounts - every access to an eZ site requires an account.
Four user accounts are provided out of the box (OOTB) in a default eZ install.
An Anonymous Users account is provided to allow casual viewers “read” level access to site content via the “Anonymous” role.
Guest accounts are included, and provide access identical to Anonymous Users, by virtue of using the same role.
Editors and Administrator users are two more user groups defined in a default install. These use the Editor role and Administrator role giving progressively greater access to the site.
Roles - a policy or group of policies.
Policy - a defined level of access to the site contents
Each policy is defined by three parameters –
–module
–function
–limitation
The first two, module and function (of module) are tightly inter-related.
The third, limitation, can be related to the first two, or have no relation to either of them. Where it is related, the class (article, blog, event, etc.), section (any top level section), owner (any/self) and group (any/self) allow further restrictions. But limitations may also be totally unrelated to the first two, placing restrictions on complete sections or subtrees. Subtrees and sections are important to a basic understanding of eZ Publish, and well documented.
Module
What is a module? From the eZ documentation..
“A module offers an HTTP interface which can be used for web based interaction with eZ publish. For example, the content module provides an interface that makes it possible to use a web browser to manage actual content.”
To view a list of modules, login to the eZ admin interface. From there, go to the “User accounts” tab, click the “Roles and policies” link, the “edit” icon for the Administrator role, then the “New Policy” button which will present a drop down selector for modules. Whew, there must be an easier way somewhere. Maybe giving it away too soon, but near the bottom of this list of modules, notice a “websitetoolbar” module.
Function -
Possible functions depend upon what the developer put into the module. The “content” module has many functions available. The “RSS” module none. The interface while creating policies is self restricting. Only functions that are available for a given module are listed, and only after the module is chosen.
Limitation - means limitations on “Sections” and “Subtrees”, site content in other words.
Limitations is where the site admin can get creative in restricting access to the site based upon login credentials.
Sections -
In the admin interface, go to “Setup->Sections” for a listing, note the similarities between this list and the tabs at the top of the page in the initial install.
”Setup->Sections->New section” to define new sections. The “Navigation part” in the drop down provides a list of the top level page tabs from the admin interface. The “Content Structure” listed in this drop down, is the site contents as displayed in the Content Structure tab. A newly created section is of no use when first created. All that has been accomplished is the definition of a starting point for browsing when the “Assign” button is clicked. An admin must click the “Assign” icon to the right of a newly minted section in the Sections list, which will open a browser view into the site structure for the chosen “Navigation part”. This allows selection and assignment of a specific sub-level of content as a limitation to be used in the creation of policies.
Subtree - defined by the node structure of the site, used to restrict access for the OOTB “Editor” role to only content (node id=2) and media (node id=43). Verify node IDs by clicking the “Content structure”, then “Media Library” tabs, and locating the node id in the details pane of each. These subtrees are above the level of access that is available from the sections interface, because they are top level “Navigation part”s. Presumably that is the justification for working in subtree, versus the navigation part.
To summarize, User Accounts->Roles and policies is the location for creating new roles. If the desire in creating a new “Role” is to create a “Limitation” on some portion of site content, this “limitation” is created first, using Setup->Sections->New Section. Then, after this new section is created and appears in the list, click the “Assign” button to select a specific portion of the site to be included in that limitation.
Oh, and to allow editors access to the websitetoolbar –
In the admin interface, go to User accounts->Roles and policies->Editor Role, click the “Edit” icon->New Policy->Module dropdown and select “websitetoolbar”. Then click the button to “Grant access to all functions”.
Now login as an editor, and you should see the toolbar appear. Easy when you understand it. But a bear to try to figure out when you don’t know if you should be looking in ini files, templates, db settings, or any of the myriad other locations that make up an eZ install.
Footnote–
It would be less confusing if eZ would streamline the use of the words “accounts” and “users” in the default installed interface for managing users and accounts. Using each word at most once would convey more meaning.
Accounts tab, presents a list of Users. The listed users are Guests, Administrators, Editors, and Anonymous. All simple one word descriptions, no repetition.
Compare this to the current wording. A User Accounts tab which presents a list of Users. The users listed are Guest accounts, Administrator users, Editors, and Anonymous Users. Overuse of the terms and varying capitalization of “accounts” and “users” in the interface makes it clunky.
—More info——————————————————————————
Another take on the subject ..
A listing of default Roles listed in OOTB install, per user type, module-function-limitation
–Administrator
Policies - sitewide
–all modules-all functions-No limitations
–Editor
Policies - these policies are assigned to the 1/2 and 1/43 tree nodes, which is all published content and all media, within those nodes, no limitations
–content-all functions-no limitations
–user-login-no limitations
–ezdhtml-all functions - no limitations
–Anonymous
Policies-Click Anonymous link to get a listing of the 5 policies
–content-read-Section(Standard)
–content-pdf-Section(Standard)
–rss-feed-no limitations
–user-login-SiteAccess(ezflow_site)
–user-login-SiteAccess(eng)
******Administrator*Role*******************************
Module:
*
Function:
*
Function limitations
The function limitations of this policy cannot be edited. This is either because the function does not support limitations or because the function was assigned without limitations when the policy was created.
********************************************
Editor policies
There are two distinct “Editor” listings in the Assigned Roles panel for editor. One Role is limited to 1/2, the other to 1/43. The number 1 indicates site root, 2 is the Content node, 43 is the Media node. Users, Setup, and Webshop are additional second level nodes that are not accessible from an editor login OOTB.
The “Edit” button for 1/2, or 1/43 outputs..
****Editor*Role********************************
Policies
| Module | Function | Limitations |
| content | all functions | No limitations |
| user | login | No limitations |
| ezdhtml | all functions | No limitations |
*************************************************
The very simple * -(all)- policy for modules and functions in the Administrator role, has been changed in the Editor role. Editors are only allowed access to content, user, and ezdhtml modules. The details of each policy are examined and refined by clicking the Edit links. Drill down into the individual policies by clicking the edit links to the right of each policy.
Clicking the edit links reveals..
))))))))))))))))))))))))))))))))))))))))))))
Module:
content
Function:
*
Function limitations
The function limitations of this policy cannot be edited. This is either because the function does not support limitations or because the function was assigned without limitations when the policy was created.
))))))))))))))))))))))))))))))))))))))))))))
Module:
user
Function:
login
Function limitations
SiteAccess:
Any,ezflow_site,eng,ezflow_site_admin,iphone
))))))))))))))))))))))))))))))))))))))))))))
Module:
ezdhtml
Function:
*
Function limitations
The function limitations of this policy cannot be edited. This is either because the function does not support limitations or because the function was assigned without limitations when the policy was created.
))))))))))))))))))))))))))))))))))))))))))))
The “Edit” button output is identical for 1/2 and 1/43. Setting these “subtree” limitations can only be performed after a Role is created, then assigned, to a User group. In other words, create a role, create a group, only then may subtree or section limitations be applied. This pattern is enforced in the user interface. Subtree or Section limitations are assigned from “User accounts->Roles and policies->Click Link for Role of interest”, then look at the bottom of the page for the “Assign with limitation” button.
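A simplified model of the role, policy and subtree-assignment checks described above, added here as an illustration; it is not eZ Publish code. The role contents are the defaults listed on this page; the function names (`has_access`, `grant`, `in_subtree`), the user keys, the `use` function name and the sample node paths are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    module: str      # "*" = every module
    function: str    # "*" = every function of the module
    limitation: dict = field(default_factory=dict)  # e.g. {"Section": {"Standard"}}

# Default roles as listed on this page (module, function, limitation).
ROLES = {
    "Administrator": [Policy("*", "*")],
    "Editor": [Policy("content", "*"), Policy("user", "login"), Policy("ezdhtml", "*")],
    "Anonymous": [
        Policy("content", "read", {"Section": {"Standard"}}),
        Policy("content", "pdf", {"Section": {"Standard"}}),
        Policy("rss", "feed"),
        Policy("user", "login", {"SiteAccess": {"ezflow_site"}}),
        Policy("user", "login", {"SiteAccess": {"eng"}}),
    ],
}
# Role assignments: (role, subtree limitation or None). Editor is assigned twice.
ASSIGNMENTS = {
    "admin": [("Administrator", None)],
    "editor": [("Editor", "1/2"), ("Editor", "1/43")],
    "anonymous": [("Anonymous", None)],
}

def in_subtree(node_path, subtree):
    # Compare whole path segments so that "1/2" does not also match "1/20".
    return node_path == subtree or node_path.startswith(subtree + "/")

def has_access(user, module, function, node_path=None, **attrs):
    # attrs carries request attributes such as Section="Standard".
    for role, subtree in ASSIGNMENTS.get(user, []):
        # Assumption: the assignment's subtree is checked only when a node is given.
        if subtree and node_path and not in_subtree(node_path, subtree):
            continue
        for p in ROLES[role]:
            if p.module not in ("*", module) or p.function not in ("*", function):
                continue
            if all(attrs.get(k) in allowed for k, allowed in p.limitation.items()):
                return True
    return False  # no policy matched: access is denied by default

def grant(role, module, function="*"):
    # Equivalent of New Policy -> module -> "Grant access to all functions".
    ROLES[role].append(Policy(module, function))

if __name__ == "__main__":
    print(has_access("editor", "websitetoolbar", "use", "1/2/60"))  # constructed path
```

Calling `grant("Editor", "websitetoolbar")` and repeating the check models the fix from the howto: the toolbar was missing only because no policy in the Editor role named that module.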
*****Anonymous*****************************
Name:
Anonymous
Policies [5]
| Module | Function | Limitation |
| content | read | Section( Standard ) |
| content | pdf | Section( Standard ) |
| rss | feed | No limitations |
| user | login | SiteAccess( ezflow_site ) |
| user | login | SiteAccess( eng ) |
*************************************************
Clicking the edit button pulls up a listing identical to the above, with edit buttons for each policy.
Clicking the edit button for Content
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Module:
content
Function:
read
Function limitations - selected items in bold
Class: –drop down selection–
Any, Article, Article (main-page), Article (sub-page), Banner, Blog, Blog post, Comment, Common ini settings, Documentation page, Event, Event calendar, Feedback form, File, Fishing Report, Flash, Flash recorder, Folder, Forum, Forum reply, Forum topic, Forums, Frontpage, Gallery, Global layout, Image, Infobox, Link, Multicalendar, Poll, Product, Quicktime, Real video, Template look, User, User group, Video/Flash Player, Windows media
Section: –drop down–
Any, Design, Media, Setup, Standard, Users
Owner: –drop down–
Any, Self
Group:
Any, Self
Nodes [0]
The node list is empty.
Subtrees [0]
The subtree list is empty.
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Module:
content
Function
same as above
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Module:
rss
Function:
feed
Function limitations
The function limitations of this policy cannot be edited. This is either because the function does not support limitations or because the function was assigned without limitations when the policy was created.
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Module:
user
Function:
login
Function limitations
SiteAccess: –all siteaccesses listing only one selected
ezflow_site
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Module:
user
Function:
login
Function limitations
SiteAccess:–all siteaccesses listing, only one selected
eng
)))))))))))))))))))))))))))))))))))))))))))))))))))))))
Tags: eZ Publish, limitations, policies, users

