The access settings in OU Campus provide control for functionality found throughout the system. Examples of access settings include defining which users can edit a specific page, binary file, directory, or asset. Access settings can also be assigned to users; for example, a toolbar or an approver can be assigned to a user. When access settings overlap, the order of precedence determines the access setting that is used; a setting that is closer to the content overrides others. Understanding the access settings and how settings closer to the content take precedence can be very helpful in configuring a site in order to provide the appropriate access to content for specific groups of users.
Access settings can be assigned to:
- Editable regions
- Binary files
- Publish targets
- RSS feeds
- Facebook Pages (as used within OU Campus)
- Twitter Accounts (as used within OU Campus)
Generally, access settings that can be modified include:
- Access Group
- Enforce Approver
- Bypass Approval
- Template Group
- RSS Feed
- URL Type
- Exclude from Search
- Exclude from Sitemap
- Directory Variables
Additional settings that involve access to content are:
- Available To (available in various locations, including the production server for a site, Facebook page, Twitter account, etc.)
- Local Assets Group (Specifies a group that can access assets only on the site on which the setting is configured)
- Lock to Site (available for assets)
- Admin Access Only (Add-Ons)
Permissions for Access Settings
Level 8: Can change who has access to the directory, page, binary file, or asset to any group to which he or she belongs.
Level 9: Can change who can access the directory, page, binary file, or asset to any currently defined group.
Level 10: Can change who can access the directory, page, binary file, or asset, as well as modify the other site access settings and directory variables, including those belonging to the site.
Access settings can be changed non-recursively or recursively at the site and directory levels.
When modifications are made non-recursively, the change is applied to new items created going forward. When changes are made recursively the settings are changed for all existing items (files within the directory, the directory, the subdirectories, and any relevant items contained within) and anything created going forward.
Otherwise, newly created directories and pages inherit settings from the parent by default if no specific assignments have been made.
To make non-recursive changes, choose the option "Apply All Settings to The Root Folder Only." The second option is "Apply Selected Settings to All Existing Files and Folders In The Site." Recursive modifications can be applied selectively, and once this option is chosen, the additional checkboxes are shown in order to apply selective recursive modifications.
Recursive modifications are made to all items regardless of status, such as being checked-out by another user or being in workflow. Once the permissions have been set, the items retain their status, such as being checked-out or in workflow.
Since recursive modifications change the setting for anything existing, it is advised that this option should not be used without careful consideration after the initial site, directory, and page configuration is completed. This action cannot be undone. Newly created directories, pages, and content will also inherit these settings.
Changes to directory variables cannot be made recursively, as all items are set to inherit, and when recursion is selected, will not be available.
When it is necessary to change some access settings recursively and some access settings non-recursively, two separate saves are required. In other words, first make the non-recursive changes and press save, and then with another edit select the checkboxes for the recursive modifications, as once the global checkbox is used for initiating recursive selections, then any edits within the modal before pressing save are not committed.
Setting Access Settings Recursively
- Select Access from the Pages list view > Edit menu, or from the Properties menu on the actions toolbar.
- From the Access Settings modal, select: Apply Selected Settings to All Existing Files and Folders In The Site.
- Select the checkbox for the setting to change.
- Select the new group from the drop-down or click the new option for the access setting.
- Click Save when finished making changes to commit all changes.
This assigns the selected access setting to every file and directory within the current directory (or within a site), no matter how many nested directories there are within. Be sure to consider any access settings that may have already been made before making recursive modifications, since this recursive action overwrites all previously assigned access settings to them.
Warning: There is no undo for settings changed recursively.
The access setting for Extensions can be used to allow or disallow a specific set of extensions for a site or directory. This can be used, for example, to prevent users from uploading image files in a directory they shouldn't. Level 10 administrator authority is required in order to configure the Extensions setting at the site or directory level.
The best practice for security concerns is to allow only specified file types, rather than trying to disallow all unwanted files. For example, a whitelist that only allows jpg, png, gif, pdf, doc, and docx files would be preferred over a blacklist that disallows exe, com, bat, sh, mp3, mp4, and mov files.
This example specifies disallowing file extensions throughout the site level with the changes applied recursively.
- In Setup > Sites, hover over Edit and select Site Access.
- Under Recursive Modification, select the option for Apply Selected Settings to This Folder and All Enclosed Files and Folders. This will change the settings for all directories, subdirectories, and files that
exist in the site, so use caution.
- Select the checkbox next to to Extensions. The ensures that recursive changes are only applied to the selected items, in this
case, file extensions.
- Select the option for Disallow Only These Extensions.
- Enter the allowed extensions into the field without a period, and separate them with a comma. Spaces are allowed when defining extensions, and it is not case sensitive. For example: bmp, gif, jpg, jpeg, png, tif
- Save the changes.
This prevents users from erroneously uploading binary files into directories that contain PCF files. Binary files, under normal circumstances, should be uploaded into their own folders. In order to re-enable the uploading of binary files into certain directories, the next step is to allow certain file extensions at the directory level.
Allowing Files at the Directory Level
After changing the settings at the site level, navigate to each directory that should allow specific extensions, and recursively update the settings for that directory.
Note: Not all disallowed extensions need to be allowed. Include only the desired extensions for that directory. For example, an images folder can be set to override the site setting by allowing commonly used image extensions:
Any files that are now uploaded, including those uploaded via Zip Import, will honor these settings by either allowing or disallowing the file extensions to be uploaded.
Note: The Extensions field will also apply to files that are created from a New Page Wizard, such as a PCF or an INC/SSI include file. Make sure these extensions are added to the list of allowed extensions if webpages or new sections are to be created inside that directory.
The URL Type setting behaves like all other access settings and can be set for a page, folder, or recursively for a whole folder structure. However, if a page has a URL Type value of "inherit," the value stored in the site record is used.
The value of URL Type is used by two things: Dependency Manager and the WYSIWYG Editor. While the WYSIWYG can use all three possible values, Dependency Manager does not output page relative URLs (it will output root relative URLs if page relative is selected). Second, when creating a new file, the value is copied from the enclosing folder. If the value of the folder is "inherit," the value of the new file will be "inherit."
Manually inserted links in this context can be internal (i.e., links that begin with the site's HTTP Root value) and external (i.e., sites that do not). In the case of internal links, the WYSIWYG honors the access setting and converts the link to whatever the administrator has set the URL Type to. In the case of external links, the WYSIWYG Editor does not alter the link.
Internal links are converted to the appropriate URL type specified at the page level, or if the URL type is set to inherit from site settings, then that value is used.
There are three URL Type settings that can be specified:
- Absolute: An absolute URL identifies a resource independently of its context. Absolute URLs typically take the form http://www.domain.com/directory/page.html.
- Root-Relative: This specifies a URL relative to the root website, the www.domain.com. A root-relative URL takes the form of /directory/page.html, and simply appends itself onto the root domain name.
- Page-Relative: A page-relative URL performs the same action as a root-relative URL, but this time in relation to the page that the URL is on. They can be used to move up directories from the page by adding "../" to the front of the URL.