Rework the Umbraco User and Group access rights to support more complex scenarios #18018
Luuk1983 started this conversation in Features and ideas
In my opinion, the current Umbraco access rights system is one of the major weaknesses of Umbraco when it comes to growing to larger sites with more editors. I think the current implementation is extremely limited and doesn't allow for complex access rights management. Comparing Umbraco to Sitecore, I like Umbraco way better and it does a lot of things right. But I really miss the access control system for users as implemented in Sitecore.
The current way the access rights work in Umbraco (correct me if I'm wrong) is this:
This is very limited:
Consider a few scenarios:
I want an editor to be able to edit all content on the site, but only be able to delete news articles that are below a news overview node. In Umbraco, I would disable delete on the group for that editor, but now I need to enable delete for each individual news article. And that's a problem, because new news articles get created all the time.
In Sitecore, you can set access rights on a node and on descendants of that node separately:
This can be done for a group, or on a user, it doesn't matter. This way I can set a deny delete on the news overview, but an allow delete on its descendants. And because these rules are inherited, they apply to all descendants, unless specified differently.
And because you can set both denies and allows, it's possible to create roles that would take away rights. For instance, I NEVER want the homepage node to be deleted by anyone. So in Sitecore you have a role 'Sitecore Client users' that every editor for the backoffice has. This role only has a number of deny rules, for instance that you cannot rename and delete the homepage:
In Sitecore, an explicit deny has priority over any implicit or explicit allow, so effectively, this role makes sure that the homepage can never be renamed or deleted, even if a different role says so.
In Sitecore, the 'read' rights also determine if the node is visible on the tree, or if a user can actually create a page based on a content type. This is way more flexible than the 'start node' approach of Umbraco. You can use the read rights for multiple things.
What is also nice in Sitecore is the Access viewer, where you can see what the effective rights are for a role of a specific user. If a user has multiple roles it will also tell you WHY a certain access right is the way it is, from what role it comes from and from what node it's inherited. For example:
If you're still reading: thank you for the interest you have in this matter :). I'm not here to bash Umbraco, but like I said, the access rights system really is way too limited. I understand that it's hard to change everything at once. I think it would already help a lot if inheritance was implemented. Anyway, if you need or want more info, I'm happy to discuss :)
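The rule model described in the post above (separate rules for a node and for its descendants, inheritance, explicit deny beating any allow, and an explanation of where a right comes from), written out as an added example that is not part of the original post and is not Sitecore's or Umbraco's code. The content tree, the role names, "nearest rule wins" along the ancestor chain and "default deny when no rule matches" are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed content tree (child -> parent); node names are illustrative.
PARENT = {"home": None, "news": "home", "article-1": "news", "about": "home"}

@dataclass(frozen=True)
class Rule:
    role: str
    node: str
    right: str
    scope: str   # "item" = the node itself, "descendants" = everything below it
    allow: bool

# Constructed rule set mirroring the scenarios in the post.
RULES = [
    Rule("editors", "home", "edit", "item", True),
    Rule("editors", "home", "edit", "descendants", True),
    Rule("editors", "news", "delete", "item", False),        # overview itself: deny
    Rule("editors", "news", "delete", "descendants", True),  # articles below: allow
    Rule("admins", "home", "delete", "item", True),
    Rule("admins", "home", "delete", "descendants", True),
    Rule("client-users", "home", "delete", "item", False),   # deny-only role
    Rule("client-users", "home", "rename", "item", False),
]

def role_decision(role, node, right):
    """Nearest rule for one role: the node's own 'item' rule, otherwise the
    closest ancestor's 'descendants' rule (assumed inheritance order)."""
    current, scope = node, "item"
    while current is not None:
        for r in RULES:
            if (r.role, r.node, r.right, r.scope) == (role, current, right, scope):
                return r
        current, scope = PARENT[current], "descendants"
    return None

def explain(r):
    verdict = "allow" if r.allow else "deny"
    return f"{verdict} from role '{r.role}', set on '{r.node}' ({r.scope})"

def effective(roles, node, right):
    """Combine roles: any deny wins, then any allow, else default deny.
    Returns (granted, reason) so the origin of the decision is visible."""
    found = [r for r in (role_decision(role, node, right) for role in roles) if r]
    denies = [r for r in found if not r.allow]
    if denies:
        return False, explain(denies[0])
    if found:
        return True, explain(found[0])
    return False, "no rule applies (default deny)"
```

A node added under `news` later needs no rule of its own: `role_decision` reaches the `descendants` rule on `news` through `PARENT`.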