Ability to restrict access to specific site sections

[mokimo]

Helix currently does not have any granular permissions for previewing & publishing. On adobe.com we have a bunch of authors responsible for their parts of the site and restricted Sharepoint access to only those parts of the site.

A special case: there might be changes that are previewed (hlx.page) but not published (hlx.live) - if an author would go to different parts of the site, that author could publish changes on any part of the site within a project.

I can think of this working in two ways:

• Enhancing the Admin API / Sidekick configs in a way to support granular permissions
• Using the new hlx5 configs to turn one project into multiple ones and give each business unit access to their specific part of the site.
• Any other/better ideas?

The full use-case can be found (non-open source on jira)

[mokimo]

@rofe any opinion on this? Snippet from the Jira:

Currently, there is no connection between the Franklin Sidekick and SharePoint. So, if I only have SharePoint access to edit/author pages in the bacom/certain-site-section path, I should only be able to "preview" and "publish" pages in that path.

[rofe]

Currently, there is no connection between the Franklin Sidekick and SharePoint. So, if I only have SharePoint access to edit/author pages in the bacom/certain-site-section path, I should only be able to "preview" and "publish" pages in that path.

The admin service uses a dedicated user (or app) to access SharePoint, there is currently no easy way to retrieve and reuse privileges of the Sidekick user, especially from a preview URL. Maybe a direct request to SP could be made from the service worker once the underlying edit URL is retrieved.

Taking a step back: Is this a real life issue in one or more projects, or more of a hypothetical concern?

cc @tripodsan @dylandepass

[mokimo]

Taking a step back: Is this a real life issue in one or more projects, or more of a hypothetical concern?

I anticipated this question & it was the first thing that I asked 😁 The stakeholder:

This is not a problem we're facing right now, but it's a problem we'd like to avoid having. This is to safeguard ourselves from anyone accidentally publishing content they should have no access publishing in the first place.

It's an interesting discussion though

[chrischrischris]

Reviving this thread. We are getting multiple asks to be able to restrict publish permissions for certain paths (not entire site). Is this something that the helix team is considering?
One example for this is there have been multiple times where authors for specific locales mistakenly publish content from other locales. Preview is not a concern for this use case.

cc @rofe @mokimo @tripodsan

[tripodsan]

no, not at the moment. we haven't heard this requirement from other customers yet.

[SatoshiInoue]

From a presale standpoint, being able to restrict publishing capability per folder is quite essential. For example, a global company's regional team in Singapore should be allowed to publish only pages under a folder '/en_SG'.

[rofe]

With Helix 5, the solution for this use case would be to create multiple sites using the same code repository, and each site can have both permission settings inherited from the org aas well as site-specific ones.