Permissions and resource groups

On an existing MODX 3 site, I am trying to create user groups that only have a few resources available.

Group 1) access to only 2 collections in context “web”

Group 2) access only to context “web-en”

Group 3) access to all contexts and all resources

I’ve implemented the following way:

  1. Resource groups:
    1. Resource group “AllDocs” in which there are all resources in all contexts
    2. Resource group “Editor” which is assigned to the two collections that are for group 1
  2. Permissions for group 3
    1. in contexts, all contexts with access policy content editor + mgr
    2. in resource groups, AllDocs with access policy Resource for mgr
  3. Permissions for group 2
    1. in contexts, content editor policy for mgr and “web-en”
    2. in resource groups, AllDocs with access policy Resource for mgr
  4. Permissions for group 1
    1. in contexts, content editor policy for mgr and “web”
    2. in resource groups, Group1 with access policy Resource for mgr

I believe the issue is the following: if I grant them membership in Group1 - this works ok. But when I make them a member of Group2, they receive the AllDocs access policy from that group and automatically see all resources in the context “web”.

Does anyone know what is a good way to approach this? I tried to explain it as clearly as I could, but it still seems confusing to me :smiley:

Excavator, are you trying to limit ‘mgr’ access to specific user groups? Or are you talking front end visibility?

In this post, @smashingred has an answer from a few years back which might help with the issue if related to manager editing access. How to narrow editing resources roles by context - #2 by smashingred

It’s confusing to me too, but see if this helps:

If you create a context access ACL entry connecting all groups but group 2 to the web context, it should hide it from group2, as long as there is no Context access ACL entry connecting them to the web context.

Things are hidden from a user when they (the things) are connected to a user group that the user is not a member of. There’s a 50-minute video here on how MODX security permissions work.