evolution-cms / evolution

Welcome to the new evolution of MODX Evolution!
GNU General Public License v3.0

Restrict User to access/edit only one document and its children #636

Closed q2apro closed 6 years ago

q2apro commented 6 years ago

I need to give others access to my instance of EVO CMS. However, I have to prevent them from editing the main documents (pages). They should have their own document (and its children) to add their content and to edit.

Is that possible?

I could not find such an option in the setup of new users.

pmfx commented 6 years ago

Yes, it is definitely possible with User Groups (Users -> Manager Permissions).

pmfx commented 6 years ago

This should be helpful: http://www.evolution-docs.com/documentation/administration/admin-users/admin-roles-and-groups Check the "Document Groups" section there.

q2apro commented 6 years ago

It works. Thanks.

Mini Tutorial:

  1. Under >System >User → set "Use access permissions" to YES.
  2. Then go to >Users >Manager Permissions >TAB: User Groups and "Create a new User Group"
  3. Then go to >Users >Manager Permissions >TAB: Resource Groups and "Create a new Resource Group"
  4. Then go to >Users >Manager Permissions >TAB: User/Resource Group Links and combine those two.
  5. Go to User > New Manager User > Create new "Manager User"
  6. Activate group under TAB "Access Permissions"
  7. Click on the document resource you want to allow access. Click there on "Access Permissions" and choose the Resource group.

I am still stuck, since now the user cannot access this document but can access all others. I will correct the above tutorial after I find out how to do that correctly.

Roles assign permissions - WHAT the user can do. User groups assign WHICH DOCUMENTS the user can work with, but he can only do what the role he was assigned to allows.

q2apro commented 6 years ago

Seems that EVO sets:

All Resource Groups (Public)

as default for each document...

That means that you have to go over all protected documents and set the access permission to "Admin" (this group you have to create).

Why isn't the default "only admin" and then you create a new user group and assign it to the documents that they can access?!

bossloper commented 6 years ago

... correct, that is the way it is. There are no permission restrictions by default.

q2apro commented 6 years ago

Wouldn't it make sense to do it the other way around? Meaning: Create a new resource → and nobody can edit, until assigned.

As it is now: New resource → everybody can edit

PS1: I just realized that you need to create a separate group just to disallow access from anyone to a document resource.

PS2: It would be nice to have a default option, when enabling >System >User >Use access permissions, and there a choice: "all documents restricted" or "all documents public".

pmfx commented 6 years ago

@q2apro I like it public by default. Use the Doc Manager module to quickly update permissions of many resources.

image

qcol commented 6 years ago

I asked a similar question here: https://forums.modx.com/thread/103799/web-user-vs-manager-user-not-documented-well

The rights in evo are incredibly complicated, and I also think that by default access to all documents should be disabled - this is the case in all systems I know (it is anyway more logical and secure). Only in the next step should the Administrator consciously turn on the access to particular users.

pmfx commented 6 years ago

I completely disagree.

EVO permissions are extremely easy to understand and use. At least when compared to Revolution.

Why do you think access to all documents should be disabled by default? Sorry, but it doesn't make sense and no system I know does that. Resources/Users Groups and Permissions are an additional feature used when a project needs it, therefore all documents are public on both ends by default.

If you want to restrict Manager resources to Admins only, make sure they are, before creating non-admin users. At least root resources. You should be able to easily perform bulk actions using Doc Manager module. Simple as that.

bossloper commented 6 years ago

I agree with @pmfx on this, particularly where Revo permissions are concerned :-)

If you want to lock down all resources to admins:

  1. Under Manager access permissions: Create a 'user group' (e.g. admins_only) and 'resource group' (e.g. admins_only_resource) then link them together.
  2. Give your admin manager(s) that 'user group' e.g. admins_only permission.
  3. In Doc Manager (Doc Permissions tab) select the doc group, in the range set 0** and submit.

All resources will now be locked down... assuming no other permissions applied.

@pmfx - one thing that might help is to rename references for the manager 'user groups' to 'manager user groups'? It has always been slightly confusing that throughout Modx/Evo, Frontend users are 'Web users' but historically backend managers are just 'users'... would be more explicit if everywhere as 'manager users'.... as we now have on the top dropdown menu.
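
Added example, not part of the thread and not Evolution CMS code: a small Python model of the rule discussed above, used to audit which documents a restricted manager user can still edit before and after the lock-down steps. It assumes group membership is stored per document with no inheritance and that access is granted if any of a document's resource groups is linked to any of the user's groups; the `guests` / `guest_pages` names and the document ids are constructed.

```python
# Simplified model of the access rule described in this thread (not Evolution CMS code).
# Assumption: a document with no resource group is open to every manager user; a document
# in one or more resource groups is open only to user groups linked to one of them.

def descendants(parent_of, root):
    """Return root plus every document below it (what a range such as 0** selects)."""
    found = {root}
    changed = True
    while changed:
        changed = False
        for doc, parent in parent_of.items():
            if parent in found and doc not in found:
                found.add(doc)
                changed = True
    return found

def can_edit(doc, user_groups, doc_groups, links):
    groups = doc_groups.get(doc, set())
    if not groups:                      # default state: no restriction at all
        return True
    allowed = set().union(*(links.get(g, set()) for g in user_groups))
    return bool(groups & allowed)

def exposure(user_groups, own_root, parent_of, doc_groups, links):
    """Documents the user can edit that lie outside the subtree meant for them."""
    own = descendants(parent_of, own_root)
    return sorted(d for d in parent_of
                  if d not in own and can_edit(d, user_groups, doc_groups, links))

# Constructed sample tree: document id -> parent id (0 is the site root).
PARENT_OF = {1: 0, 2: 0, 3: 2, 10: 0, 11: 10, 12: 11}
LINKS = {"admins_only": {"admins_only_resource"}, "guests": {"guest_pages"}}

def demo():
    # State after the mini tutorial: only the guest document 10 has a resource group.
    doc_groups = {10: {"guest_pages"}}
    before = exposure({"guests"}, 10, PARENT_OF, doc_groups, LINKS)
    # Lock-down from the reply above: add admins_only_resource to everything under 0.
    for doc in descendants(PARENT_OF, 0) - {0}:
        doc_groups.setdefault(doc, set()).add("admins_only_resource")
    # In this model children do not inherit, so tag the whole guest subtree as well.
    for doc in descendants(PARENT_OF, 10):
        doc_groups[doc].add("guest_pages")
    after = exposure({"guests"}, 10, PARENT_OF, doc_groups, LINKS)
    own = [d for d in sorted(descendants(PARENT_OF, 10))
           if can_edit(d, {"guests"}, doc_groups, LINKS)]
    return before, after, own
```

`demo()` returns the out-of-scope documents the restricted user can edit before the lock-down, the same list afterwards, and the documents in their own subtree that remain editable.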

pmfx commented 6 years ago

@bossloper yes, I agree. "User groups" should be "Manager user groups" etc.

q2apro commented 4 years ago

Is there any way to hide the protected documents from the restricted user group?

Now they still show up to the restricted users:

image