PowerShell Script For Creating Roles and Permission Part 2

Hello everyone, this is a continuation of the blog where we saw how to create appropriate roles to manage content authoring more effectively. You can refer to part 1 of the blog here.

Now our focus will be on assigning permissions to the roles that were created in the previous blog.

Let's see the script that is required to update the permissions.

$siteLanguages = @("en-IN")
$siteName = "IN"
$siteType = "External"
$Organization = "ABC"
$region = "Asia"
$rolePrefix = "$Organization $siteType $siteName"

$siteAccessRole = "$rolePrefix Access"
$siteAdminRole = "$rolePrefix Site Admin"
$contentAdminRole = "$rolePrefix Content Admin"
$contentContributorRole = "$rolePrefix Content Contributor"
$contentPublisherRole = "$rolePrefix Content Publisher"
$contentPreviewerRole = "$rolePrefix Content Previewer"

#Content
$regionPath = "/sitecore/content/$Organization $siteType/$region"
$sitePath = "$regionPath/$siteName"
$homePath = "$sitePath/Home"
$mediaPath = "$sitePath/Media"
$dataPath = "$sitePath/Data"
$presentationPath = "$sitePath/Presentation"
$dictionaryPath = "$sitePath/Dictionary"
$settingsPath = "$sitePath/Settings"

#Media
$mediaTenantPath = "/sitecore/media library/Project/$Organization $siteType"
$mediaRegionPath = "$mediaTenantPath/$region"
$mediaSitePath = "$mediaRegionPath/$siteName"
$mediaSharedPath = "$mediaTenantPath/shared"
$mediaSystemPath = "/sitecore/media library/System"

#System
$publishingTarget = "/sitecore/system/Publishing targets/Edge"
$languages = "/sitecore/system/Languages"

#Access
# PropagationType: Entity = the item itself only, Descendants = children only, Any = item and children.
# The region and tenant nodes get read on the node itself plus an explicit deny on descendants,
# so the allow is not inherited by sibling sites under the same region.
$allowItemReadSiteAccess = New-ItemAcl -AccessRight item:read -PropagationType Entity -SecurityPermission AllowAccess -Identity $siteAccessRole
$denyInheritanceReadSiteAccess = New-ItemAcl -AccessRight item:read -PropagationType Descendants -SecurityPermission DenyAccess -Identity $siteAccessRole
$allowAnyReadSiteAccess = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAccessRole
$allowLanguageReadSiteAccess = New-ItemAcl -AccessRight language:read -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAccessRole

Get-Item -Path $regionPath | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $denyInheritanceReadSiteAccess -PassThru
Get-Item -Path $sitePath | Add-ItemAcl -AccessRules $allowAnyReadSiteAccess -PassThru
Get-Item -Path $mediaTenantPath | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $denyInheritanceReadSiteAccess -PassThru
Get-Item -Path $mediaRegionPath | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $denyInheritanceReadSiteAccess -PassThru
Get-Item -Path $mediaSitePath | Add-ItemAcl -AccessRules $allowAnyReadSiteAccess -PassThru
Get-Item -Path $mediaSharedPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAccess -PassThru
Get-Item -Path $mediaSystemPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAccess -PassThru

foreach ($language in $siteLanguages) {
    Get-Item -Path "$languages/$language" | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $allowLanguageReadSiteAccess -PassThru
}

#Site Admin
$allowAnyReadSiteAdmin = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAdminRole
$allowAnyWriteSiteAdmin = New-ItemAcl -AccessRight item:write -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAdminRole
$allowAnyRenameSiteAdmin = New-ItemAcl -AccessRight item:rename -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAdminRole
$allowAnyCreateSiteAdmin = New-ItemAcl -AccessRight item:create -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAdminRole
$allowAnyDeleteSiteAdmin = New-ItemAcl -AccessRight item:delete -PropagationType Any -SecurityPermission AllowAccess -Identity $siteAdminRole

Get-Item -Path $sitePath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru
Get-Item -Path $presentationPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru
Get-Item -Path $dictionaryPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru
Get-Item -Path $settingsPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru
Get-Item -Path $mediaSitePath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru
Get-Item -Path $mediaSharedPath | Add-ItemAcl -AccessRules $allowAnyReadSiteAdmin, $allowAnyWriteSiteAdmin, $allowAnyRenameSiteAdmin, $allowAnyCreateSiteAdmin, $allowAnyDeleteSiteAdmin -PassThru

#Content Admin
# Use a dedicated variable so the Site Admin read rule defined above is not silently overwritten.
$allowAnyReadContentAdmin = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $contentAdminRole
$allowDescendantsRenameContentAdmin = New-ItemAcl -AccessRight item:rename -PropagationType Descendants -SecurityPermission AllowAccess -Identity $contentAdminRole
$allowDescendantsDeleteContentAdmin = New-ItemAcl -AccessRight item:delete -PropagationType Descendants -SecurityPermission AllowAccess -Identity $contentAdminRole

Get-Item -Path $homePath | Add-ItemAcl -AccessRules $allowDescendantsRenameContentAdmin, $allowDescendantsDeleteContentAdmin -PassThru
Get-Item -Path $mediaPath | Add-ItemAcl -AccessRules $allowDescendantsRenameContentAdmin, $allowDescendantsDeleteContentAdmin -PassThru
Get-Item -Path $dataPath | Add-ItemAcl -AccessRules $allowDescendantsRenameContentAdmin, $allowDescendantsDeleteContentAdmin -PassThru
Get-Item -Path $mediaSitePath | Add-ItemAcl -AccessRules $allowDescendantsRenameContentAdmin, $allowDescendantsDeleteContentAdmin -PassThru
Get-Item -Path $mediaSharedPath | Add-ItemAcl -AccessRules $allowDescendantsRenameContentAdmin, $allowDescendantsDeleteContentAdmin -PassThru
Get-Item -Path $publishingTarget | Add-ItemAcl -AccessRules $allowAnyReadContentAdmin -PassThru

#Content Contributor
$allowAnyReadContentContributor = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole
$allowAnyWriteContentContributor = New-ItemAcl -AccessRight item:write -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole
$allowAnyCreateContentContributor = New-ItemAcl -AccessRight item:create -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole
$allowDescendantsCreateContentContributor = New-ItemAcl -AccessRight item:create -PropagationType Descendants -SecurityPermission AllowAccess -Identity $contentContributorRole
$allowLanguageWriteContentContributor = New-ItemAcl -AccessRight language:write -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole

Get-Item -Path $homePath | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowAnyCreateContentContributor -PassThru
Get-Item -Path $mediaPath | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowAnyCreateContentContributor -PassThru
Get-Item -Path $dataPath | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowDescendantsCreateContentContributor -PassThru
Get-Item -Path "$presentationPath/Partial Designs" | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowDescendantsCreateContentContributor -PassThru
Get-Item -Path "$settingsPath/Redirects" | Add-ItemAcl -AccessRules $allowAnyReadContentContributor, $allowAnyWriteContentContributor, $allowDescendantsCreateContentContributor -PassThru
Get-Item -Path $mediaSitePath | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowAnyCreateContentContributor -PassThru
Get-Item -Path $mediaSharedPath | Add-ItemAcl -AccessRules $allowAnyWriteContentContributor, $allowAnyCreateContentContributor -PassThru

foreach ($language in $siteLanguages) {
    Get-Item -Path "$languages/$language" | Add-ItemAcl -AccessRules $allowLanguageWriteContentContributor -PassThru
}

#Content Publisher
$allowAnyReadContentPublisher = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $contentPublisherRole

Get-Item -Path $publishingTarget | Add-ItemAcl -AccessRules $allowAnyReadContentPublisher -PassThru

#Content Previewer
# Read-only role: allow read, explicitly deny every modifying right on the whole site subtree.
# Variables are named after the Previewer role so the Content Contributor rules above are not overwritten.
$allowAnyReadContentPreviewer = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $contentPreviewerRole
$denyAnyWriteContentPreviewer = New-ItemAcl -AccessRight item:write -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole
$denyAnyRenameContentPreviewer = New-ItemAcl -AccessRight item:rename -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole
$denyAnyCreateContentPreviewer = New-ItemAcl -AccessRight item:create -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole
$denyAnyDeleteContentPreviewer = New-ItemAcl -AccessRight item:delete -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole
$denyAnyAdministerContentPreviewer = New-ItemAcl -AccessRight item:admin -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole

Get-Item -Path $sitePath | Add-ItemAcl -AccessRules $denyAnyWriteContentPreviewer, $denyAnyRenameContentPreviewer, $denyAnyCreateContentPreviewer, $denyAnyDeleteContentPreviewer, $denyAnyAdministerContentPreviewer -PassThru
Get-Item -Path $homePath | Add-ItemAcl -AccessRules $allowAnyReadContentPreviewer -PassThru

Now let's understand what exactly the script does.

This PowerShell script is designed to set up and manage roles and permissions for a Sitecore environment specific to the IN corporate site under the Asia region. Let's break down the key components. The initial part of the script is self-explanatory: it sets up the environment variables, the content and media paths, and the role names defined in the previous blog.

Assigning Access Controls: The script proceeds to set access controls for the various roles. For instance, the Site Access role is granted read access to specific paths, ensuring that users with this role can view but not modify content. At the same time, read access is explicitly denied for $siteAccessRole on the descendants of the region and tenant items (PropagationType Descendants with DenyAccess), so the allow on the parent node is not inherited by other sites beneath it.

$allowItemReadSiteAccess = New-ItemAcl -AccessRight item:read -PropagationType Entity -SecurityPermission AllowAccess -Identity $siteAccessRole

$denyInheritanceReadSiteAccess = New-ItemAcl -AccessRight item:read -PropagationType Descendants -SecurityPermission DenyAccess -Identity $siteAccessRole

We then apply those access rules to the corresponding items.

Get-Item -Path $regionPath | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $denyInheritanceReadSiteAccess -PassThru
Get-Item -Path $sitePath | Add-ItemAcl -AccessRules $allowAnyReadSiteAccess -PassThru
Get-Item -Path $mediaTenantPath | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $denyInheritanceReadSiteAccess -PassThru

Language-Specific Access: This loop grants read access on each language item listed in $siteLanguages, so that users with the Site Access role can read content in the configured language versions.

foreach ($language in $siteLanguages) {
    Get-Item -Path "$languages/$language" | Add-ItemAcl -AccessRules $allowItemReadSiteAccess, $allowLanguageReadSiteAccess -PassThru
}

Customizing Permissions for Content Roles: The script also carefully manages permissions for content-related roles such as Content Contributor and Content Publisher. Each role is given access tailored to its specific responsibilities, such as writing or publishing content.

$allowAnyReadContentContributor = New-ItemAcl -AccessRight item:read -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole
$allowAnyWriteContentContributor = New-ItemAcl -AccessRight item:write -PropagationType Any -SecurityPermission AllowAccess -Identity $contentContributorRole

Denying Unnecessary Permissions: Finally, for roles like Content Previewer, which should only have view access, the script explicitly denies the write, rename, create, delete and admin rights, for example:

$denyAnyWriteContentPreviewer = New-ItemAcl -AccessRight item:write -PropagationType Any -SecurityPermission DenyAccess -Identity $contentPreviewerRole
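As an added check, not part of the original post, the following script verifies the effective rights after the ACLs above have been applied, including that the deny on descendants of the region really keeps a sibling site out of reach. It assumes the variables from the script are still in the session, that SPE's Test-ItemAcl and Get-ItemAcl cmdlets are available, that no other rules grant these roles rights on the listed items, and that "SG" is a hypothetical sibling site under the same region.

```powershell
# Added verification example (not the original script's code). Each row states
# the right a role is expected to have, or not have, on an item after the
# script has run; mismatches are reported with the explicit rules on the item.
$expectations = @(
    @{ Identity = $siteAccessRole;         Path = $sitePath;         Right = 'item:read';   Expected = $true  },
    @{ Identity = $siteAccessRole;         Path = $homePath;         Right = 'item:write';  Expected = $false },
    # "SG" is a hypothetical sibling site: the Descendants deny on $regionPath
    # should keep it invisible to the IN access role.
    @{ Identity = $siteAccessRole;         Path = "$regionPath/SG";  Right = 'item:read';   Expected = $false },
    @{ Identity = $contentContributorRole; Path = $homePath;         Right = 'item:write';  Expected = $true  },
    @{ Identity = $contentContributorRole; Path = $settingsPath;     Right = 'item:write';  Expected = $false },
    @{ Identity = $contentPreviewerRole;   Path = $homePath;         Right = 'item:read';   Expected = $true  },
    @{ Identity = $contentPreviewerRole;   Path = $homePath;         Right = 'item:write';  Expected = $false },
    @{ Identity = $contentPreviewerRole;   Path = $homePath;         Right = 'item:delete'; Expected = $false }
)

$failures = 0
foreach ($e in $expectations) {
    $item = Get-Item -Path $e.Path -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "Missing item: $($e.Path) (check skipped)"
        continue
    }
    # Test-ItemAcl (assumed SPE cmdlet) returns $true when the identity holds the right on the item.
    $actual = Test-ItemAcl -Item $item -Identity $e.Identity -AccessRight $e.Right
    if ($actual -ne $e.Expected) {
        $failures++
        Write-Warning ("MISMATCH {0} on {1}: {2} expected {3}, got {4}" -f `
            $e.Identity, $e.Path, $e.Right, $e.Expected, $actual)
        # Show the explicit rules for this role on the item to find the one responsible.
        Get-ItemAcl -Item $item |
            Where-Object { $_.Account.Name -like "*$($e.Identity)" } |
            Format-Table AccessRight, PropagationType, SecurityPermission -AutoSize
    }
}
if ($failures -eq 0) { "All $($expectations.Count) permission checks passed." }
else { "$failures permission check(s) failed." }
```

Run it in the same SPE session right after the permission script so the role and path variables are populated; a mismatch on the hypothetical sibling site is the signal that the Descendants deny is missing on the region node.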

Thanks for reading! I hope this blog has clarified the concept. Stay tuned for the next part, where we will see how to add this script to the site setup to reduce manual effort, save time and improve efficiency.

You can check my other blogs too if interested. Blog Website

References:

  • https://doc.sitecorepowershell.com/appendix/security/new-itemacl
  • https://doc.sitecorepowershell.com/appendix/security/add-itemacl
