Introduce Role/User based restriction for user access to endpoints #715

Closed
AdamNaj opened this Issue Oct 13, 2016 · 2 comments


AdamNaj commented Oct 13, 2016

New setup for services with role authorization:

<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <powershell>
      <services>
        <restfulv1 enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <!-- Uncomment to enable anonymous users to access restful apis from the "web" database -->
            <!--add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" /-->
            <add Permission="Allow" IdentityType="User" Identity="sitecore\admin" />
          </authorization>
        </restfulv1>
        <restfulv2 enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <!-- Uncomment to enable anonymous users to access restful apis from the "web" database -->
            <!--add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" /-->
            <add Permission="Allow" IdentityType="User" Identity="sitecore\admin" />
          </authorization>
        </restfulv2>
        <remoting enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <!-- example to disable specific user from an endpoint: -->
            <!--add Permission="Deny" IdentityType="User" Identity="sitecore\admin" /-->
          </authorization>
        </remoting>
        <fileDownload enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </fileDownload>
        <fileUpload enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </fileUpload>
        <mediaDownload enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </mediaDownload>
        <mediaUpload enabled="false">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </mediaUpload>
        <handleDownload enabled="true">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Client" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </handleDownload>
        <client enabled="true">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Sitecore Client Developing" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <!-- "Magic" role that catches all users in Sitecore with Administrator privileges --> 
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </client>
        <runner enabled="true">
          <authorization>
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Client" />
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\Developer" />
            <!-- "Magic" role that catches all users in Sitecore with Administrator privileges --> 
            <add Permission="Allow" IdentityType="Role" Identity="sitecore\IsAdministrator" />
          </authorization>
        </runner>
      </services>
    </powershell>
  </sitecore>
</configuration>

@AdamNaj AdamNaj added this to the 4.2 milestone Oct 13, 2016

@AdamNaj AdamNaj self-assigned this Oct 13, 2016

AdamNaj added a commit that referenced this issue Oct 13, 2016
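
An added example, not part of the original issue or the project's own code: a small offline audit that reads a config of the shape posted above and reports, per endpoint, whether it is enabled and which identities its `<authorization>` block allows or denies. The function name `audit_services`, the finding labels and the sample document are constructed for illustration. The check assumes `Allow`/`Deny` and `Role`/`User` are the only valid attribute values, since those are the only ones shown in the issue, and it makes no claim about how the product resolves conflicting rules at runtime.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the format shown in the issue (not a real deployment).
SAMPLE = r"""<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore><powershell><services>
    <restfulv2 enabled="true"><authorization>
      <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
      <add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" />
    </authorization></restfulv2>
    <remoting enabled="true"><authorization>
      <add Permission="Allow" IdentityType="Role" Identity="sitecore\PowerShell Extensions Remoting" />
      <!--add Permission="Allow" IdentityType="User" Identity="extranet\Anonymous" /-->
      <add Permission="Deny" IdentityType="User" Identity="sitecore\admin" />
    </authorization></remoting>
    <fileUpload enabled="false"><authorization /></fileUpload>
    <mediaUpload enabled="true"><authorization /></mediaUpload>
  </services></powershell></sitecore>
</configuration>"""

def audit_services(xml_text):
    """Return {service: {"enabled", "allow", "deny", "findings"}} per endpoint."""
    root = ET.fromstring(xml_text)  # XML comments are dropped, so commented-out rules are ignored
    report = {}
    for svc in root.findall("./sitecore/powershell/services/*"):
        enabled = svc.get("enabled", "false").strip().lower() == "true"
        rules = [(r.get("Permission", ""), r.get("IdentityType", ""), r.get("Identity", ""))
                 for r in svc.findall("./authorization/add")]
        allow = [(t, i) for p, t, i in rules if p.lower() == "allow"]
        deny = [(t, i) for p, t, i in rules if p.lower() == "deny"]
        findings = []
        # An enabled endpoint that admits the anonymous user is reachable without login.
        if enabled and any(i.lower() == r"extranet\anonymous" for _, i in allow):
            findings.append("anonymous-allowed")
        # An enabled endpoint with no rules at all deserves a manual look.
        if enabled and not rules:
            findings.append("enabled-without-rules")
        # Assumption: only the attribute values seen in the issue are valid.
        for p, t, i in rules:
            if p.lower() not in ("allow", "deny") or t.lower() not in ("role", "user"):
                findings.append(f"malformed-rule:{p}/{t}/{i}")
        report[svc.tag] = {"enabled": enabled, "allow": allow,
                           "deny": deny, "findings": findings}
    return report

if __name__ == "__main__":
    for name, info in audit_services(SAMPLE).items():
        print(name, "enabled" if info["enabled"] else "disabled", info["findings"])
```
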


AdamNaj commented Oct 16, 2016

Implemented


michaellwest commented Oct 17, 2016

Does this require sitecore\admin to be added to the new group?
