Access Control Lists

Hi there!
I am trying to figure out how I can protect certain resources from deletion :wink:
My clients are very creative and I need to kind of restrict them a little hehe
I have been trying to create a Resource Group and add the resources to it. But I haven’t managed to set it right yet… you know some nice tutorials maybe? I will look through the documentation again, but I find it hard to get a hang of it.


Hi @RandomKangeroo,
You need deeper understanding of ACL’s, old forum can be very helpful here, f.e.

1 Like

thanks I will look through it

Im actually having a similar issue like in the link you send.
Did this:

  1. So I created a user-group, called admin, and added client-user as “member” to it.
  2. I then created an access policy called “admin content editor” and gave it rights to delete stuff.
  3. Then in “context access” I gave web and mgr this content editor access policy with a minimal user role of “member”.
  4. Created a resource group called “Admin Editor”
  5. Within the admin usergoup I changed Resource Group acccess by adding “Admin Editor” with an access policy of “load, view, list” and min user role of member.

Consequence: The client can delete all he likes (even if a resoruce is part of resoruce group “Admin Editor”)
–> When I turn it around (so I change Context Access to policy “load, list, view” and in Resource Group access to “Resource”), then the client cannot remove anything at all.

I guess I miss something really easy right?

Imo, it’s usually easier to apply permissions if you put people with different access needs in different user groups. It makes it a lot simpler understand and to diagnose problems.

Once the user has been removed from the group you’re in and put in another group, you can change the policy in the ACL entry that lets that group use the Manager.

Duplicate the Administrator policy, and in that duplicate policy, uncheck all the delete_*** permissions. Also uncheck access_permissions (so they can’t change their own security level and yours). Uncheck any other permissions you don’t want them to have.

Then use that policy in the Context Access ACL entry for that user group for the ‘mgr’ context.

That will prevent them from deleting anything anywhere in the Manager without needing resource groups.

1 Like