Planning Access and Workflow
When setting up your website in OU Campus, it's recommended to have a plan before configuring access settings and workflows. Establishing an organized system at the start makes it easier to manage users and groups later on, and ensures all users have the access to content they need.
Some key points to keep in mind:
- Access is given to groups, not individuals (though a group can contain only one person).
- Only one group can have access to an item at a time, but users can be in multiple groups, and a single group can have access to multiple items.
- Users can't access items inside a folder if they can't access the folder itself, unless logging into a page via DirectEdit.
Therefore, the best approach to take towards configuring access settings is a "top-down" one. Start with more generalized permissions, and then get more specific as you get closer to the content. For example, a site might allow access to a group of twenty users, a folder within the site might allow access to a group of ten, a page within the folder a group of five, and so forth.
Remember that only Level 10 users can create users and groups, and that all Level 9 and Level 10 users ignore group access settings, giving them access to everything on the site. Groups can also be set to bypass approval.
The basic steps are:
- Define the workflow architecture.
- Create users in the system.
- Set approvers for users who need them.
- Add users to groups.
- Set site, publish targets, folder, page, asset, and user access settings. Groups can be assigned to settings at multiple levels and enforced according to precedence.
- Set groups on editable regions in page templates, page properties, and template control files.
- Train users on the workflow process.
The most efficient way to plan your groups is to have them mimic your file structure. Custom reports are very useful for planning this. Run the reports for "Directories" and "Pages," export to CSV, and then conflate the results to get an overview of your site structure. Once you have your pages, you can then plan who needs to go where.
From here, you can then make groups that match up with the file structure (an "English" group, a "Science" group, etc.). You can then decide who should be in which group based on which folders they need to access.
After defining which users should have access to the pages and directories, sort by the Access column in order to see how many groupings of users there are. This helps determine how many groups are needed and which users need to be in those groups. Following the same steps for publishers helps identify any additional groups that may be needed.
Once groups have been created and assigned, re-run the reports. Make sure the checkboxes for access, publishers, and approvers are selected. Compare the report with your CSV to make sure everything's been set up correctly. A Groups or Users custom report can also be run.
The system is designed with the flexibility to allow multiple levels of review and multiple potential approvers. Via the interaction of access settings at different levels, a user can pass through multiple workflow processes.
In the second path, the user edits pages in a folder that has its own approver assigned. Therefore, those pages must go to the folder approver for publication.
In the third path, the user belongs to the "Bypass Approval Group" of the folder. Thus they can publish pages in that folder without needing the approval of another user.
Users in approver roles can also have approvers of their own, meaning that once a page is submitted to them, they must submit it to another user instead of publishing it. Any level user in the system can be assigned as an approver.
A frequent scenario is to create Level 0 users as approvers. Level 0 is unique among user levels as it includes very few permissions other than publishing. If changes need to take place, the Level 0 user needs to send the page back to the original user to have the edits completed.
Users who haven't been properly informed of their permissions can mistake lack of access for an error. If they attempt to log into a page they don't have access to, they see the following error message:
If a user isn't in a group that has access to a folder, they can't open that folder in the file structure. This applies even if there are pages in the folder that the user can access.
Custom toolbars can also be configured and assigned to users, folders, and pages, meaning that some standard options may not be available to users. Additionally, not every user is allowed access to editing source code. Permission to edit source code may be granted to users Levels 1 through 8, but it is turned off by default.
While editing pages, users might want to insert a link to a file they can't access, but can't view the file (or folder) in the file chooser. However, if they have access to the production server, they can link to the file there instead. Switch the server from "Staging" to "Production" in the top right-hand corner of the file chooser and find the page they want to link to. The link is inserted as normal, using a dependency tag.
Many administrators restrict access to the
_resources folder to "Admin Only." However, if applied recursively, this means that users without access can't see template thumbnails when creating new content, as those are stored within
_resources. Change the access group to the folder that holds those images to "Everyone"; as long as the
_resources folder is still set to "Admin Only," users still can't navigate to it.
If users have permission to publish but they still can't, check the production server settings for your site. This panel controls access to the production server for your site, which is where publication takes place. The "Available To" setting specifically controls who can publish. By default, it is set to "(Administrators Only)," but other available options are "Everyone" and any groups that have been configured for the site.
If you would like multiple users to have publish capabilities in different folders in the site, the recommended action is to configure the "Available To" setting so that the group "Everyone" can publish, and then restrict publish options to specific groups on a folder-by-folder basis. The other option is to have a designated group of users who can publish pages, and then configure every other user to have an enforced approver who is a member of that group.