Proposal : Change default access to PowerShell Reports menu #1284
Description
Proposal
Change security role requirement for the PowerShell Reports menu.
- Current role -
sitecore\Sitecore Client Maintaining- Gives the user access to template editing features and reporting tools (Log Viewer). This role is intended for Sitecore super-users and developers.
- Proposed role -
sitecore\Sitecore Client Authoring- Gives the user access to basic item editing features and reporting tools (Scan for Broken Links). The role is intended for client users to allow access to basic authoring features.
Why make a change?
After a new installation, an Admin is required to perform one of two steps:
- Configure a different role on the PowerShell Reports menu item to allow management with a lesser privileged account.
- Configure users/roles to elevate consumers of the reports into the higher privileged account.
I'm a fan of the common-sense approach to least privileges access. Adding users to sitecore\Sitecore Client Maintaining means they can access features that you would not normally want them to see/use. I can't imagine wanting users to create new templates in production or view error logs.
What concerns should I have?
Once the role is replaced users would be able to see any custom reports contained within your script library where no rules are configured. You'll want to add rules to the reports to ensure they are visible for the right audience. Here is the default set of reports available to authors.
References