Control Site Access with Private Sharing
Consider using private sharing if:
- You prefer content and pages to be inaccessible by default; an access level or sharing rule must be applied to a content item or page for it to be accessible by anyone.
- You need to restrict access to content and pages on your live site as well as within OrchestraCMS.
- You need to be able to grant access to specific content templates within a content type.
- You already use private sharing in your Salesforce organization and have a role hierarchy established. (This is not required, but it reduces setup time.)
- You want to grant access to users based on Salesforce roles, public groups, or individual user records.
Private sharing can’t be used to restrict access to files in media libraries within OrchestraCMS (for example, via the Manage Libraries tab or the Browse Media Library dialog).
With private sharing, only one access level can be applied to a content item or page. Access levels can be supplemented with manual sharing rules, but each manual sharing rule must be configured on the individual content item or page at the time it is applied.
If you are an administrator and you want to begin configuring one or more access control methods in OrchestraCMS, you should first be familiar with creating content and pages in OrchestraCMS.
Private sharing requires an OrchestraCMS license.
Control access using private sharing
OrchestraCMS can integrate with the Salesforce private sharing model to control access to content and pages. When private sharing is configured in Salesforce and activated in OrchestraCMS, there are a few different ways that you can grant access to content and pages.
You can grant access to content and pages on your live intranet or portal site using one of the following methods:
- Access levels. Each content item and page can be assigned one access level, which specifies which users have access to the content item or page. You can create and configure as many access levels as required for your organization.
- Manual sharing to add visitors. Each content item and page can be manually shared with individual users or groups of users. This method is often used in conjunction with access levels to grant access in exceptional cases when the assigned access level does not provide access to all users that require it.
You can grant access to internal users who need to view or edit content and pages in OrchestraCMS using one or both of the following methods:
- Role hierarchy. A Salesforce role hierarchy can be used to automatically grant access to users higher in the role hierarchy than the user who created the content item or page. For example, you can use a role hierarchy to make sure that managers can always view and edit the content and pages that their subordinates create.
- Manual sharing to add collaborators. Each content item and page can be manually shared with internal users that need to collaborate on a specific content item or page. This method is often used in conjunction with a role hierarchy to grant access in exceptional cases when the role hierarchy does not provide access to all users that require it.
Enable and configure private sharing
There are two steps to enable private sharing:
- Configure private sharing in Salesforce.
- Activate private sharing in OrchestraCMS.
After these steps are completed, content and pages (whichever of the two you configured for private sharing) are private by default and follow Salesforce private sharing rules.
Configure private sharing in Salesforce
The appropriate organization-wide sharing settings must be configured in Salesforce before you can use any of the granular access control features in OrchestraCMS.
To configure private sharing in Salesforce
- In Salesforce Setup, under Security Controls, click Sharing Settings.
- In the Organization-Wide Defaults area, click Edit.
- Under Default Internal Access, select Private for the following objects:
- Access Level Rule (required)
- Content (to control access to content items)
- Content Layout Instance (to control access to specific content templates—without this object set to Private, you can still control access to specific content types as long as the Content object is set to Private)
- License Profile Sharing Restriction (to restrict who OrchestraCMS users can share with based on their OrchestraCMS profile)
- Page (to control access to pages)
- Click Save.
Activate private sharing in OrchestraCMS
After you have configured private sharing in Salesforce, you will need to activate private sharing in OrchestraCMS.
Activate access levels in OrchestraCMS
- In OrchestraCMS Setup, under Site, click Details.
- Click Edit.
- Under Site Guest User, click Find User.
- In the Find User dialog, select the current site’s guest user, and then click Select. If you have created multiple sites, there will be multiple users available to choose from. You need to select the user associated with the current site. For example, if the current site is Documentation, you should select Documentation Site Guest User.
- Click Save.
- In OrchestraCMS Setup, under Site, click Access Levels.
- Click Activate.
If you have multiple sites, access control must be configured and activated separately for each site.
After you activate access levels, new content items and pages (for whichever of the two you set to Private in the Salesforce organization-wide sharing settings) are not visible on your live site until an access level or manual sharing rule is assigned, and then only to the users who are granted access. Content and pages published before access levels were activated remain on your live site with the visibility they already had; when you create a new version of such a content item or page, assign an access level or sharing rule to it, or the new version will not be visible to anyone.
Access to content and pages will also be restricted within OrchestraCMS, and role hierarchy or manual sharing rules must be implemented to grant appropriate access to internal collaborators.
Grant access to content and pages on your live site
After private sharing is enabled, there are two ways that you can grant users access to content and pages on your live site:
- Create access levels and assign them to content items and pages
- Manually share content items and pages with specific profiles, roles, and groups
Access levels are usually the primary method for controlling content and page visibility. Manual sharing is used when you need to make a content item or page visible in exceptional cases when an access level does not provide the required access. This section describes both methods, and also covers the following items that require special consideration with regards to access control:
- Custom content types
- Master pages
Important: If private sharing is enabled for pages, all pages must be shared with the site’s guest user, either through an access level or a manual sharing rule, before the pages can be visible to any other users. This does not mean that unauthenticated users will be able to see the page: if an unauthenticated user attempts to access a page that requires login, the user is redirected to the login page.
Create and assign access levels
Each content item and page can be assigned one access level. An access level specifies which users have access to a piece of content or page. You can create and configure as many access levels as required for your organization.
The rules defined on an access level, together with the Value assigned to that access level, determine which content templates and pages its users are allowed to view.
Value determines the inheritance hierarchy of an access level, with 0 being the highest level of access followed by 1, then 2, 3, and so on.
Let's say you have an Article content type with two templates associated with it (for example, one for the article summary and one for the article detail). You only want premium users to view the article detail, but you will allow standard users to view the article summary. You might name one access level "Premium" and give it a value of 0; and another access level named "Standard" that you will give a value of 1.
The "Premium" access level would need two rules defined: one for the content type "Article" with the content template "Detail", and another for the content type "Article" with the content template "Summary". This would allow all users assigned to this access level to view both content templates.
The "Standard" access level would need one rule defined for the content type "Article" with the content template "Summary". These users would only view the Article Summary.
When you create a new article and want "Standard" users to view only the Summary while allowing "Premium" users to view both Summary and Detail, you would assign the access level “Standard” to the content.
Because the "Premium" access level is higher in the inheritance hierarchy with a value of 0 (over the "Standard" access level value of 1), "Premium" users would be able to view the content and also to view the Article Detail template as defined by the rule in the "Premium" access level.
If you were instead to assign the "Premium" access level to the same content, only the "Premium" users would be able to view the content. The "Standard" users would not be able to view the article at all.
You can avoid this inheritance hierarchy by selecting the checkbox to Prevent Level Inheritance.
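The resolution rules described above (one access level per item, Value 0 at the top, upward inheritance unless Prevent Level Inheritance is set, additive manual sharing, the guest user as the principal that makes an item public) are worth checking against a small model before you build real access levels. The following is an added illustrative model, not OrchestraCMS or Salesforce code. Names such as "Premium Members", "Standard Members" and the guest user name are constructed, and it also encodes the caveat from the rule procedures below: when the Content Layout Instance object is not Private in Salesforce, a rule written for one template in practice covers the whole content type. One interpretation is an assumption and is marked as such in the code: Prevent Level Inheritance on the level assigned to an item is treated as stopping users in higher levels from inheriting access to that item.

```python
"""Model of OrchestraCMS-style access-level resolution (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

GUEST_USER = "Documentation Site Guest User"  # constructed name, follows the text's example


@dataclass(frozen=True)
class Rule:
    content_type: str
    template: Optional[str]      # None means the rule covers the whole content type
    principals: frozenset[str]   # role names, public group names or user names


@dataclass
class AccessLevel:
    name: str
    value: int                         # 0 is the top of the hierarchy
    prevent_inheritance: bool = False  # the "Prevent Level Inheritance" check box
    rules: list[Rule] = field(default_factory=list)


@dataclass
class Content:
    content_type: str
    templates: frozenset[str]
    access_level: Optional[str] = None  # None: private by default once access levels are active
    # manual "Share with Visitors" rules: template -> principals
    manual_visitors: dict[str, frozenset[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str] = frozenset()
    groups: frozenset[str] = frozenset()

    @property
    def principals(self) -> set[str]:
        return {self.name} | self.roles | self.groups


def visible_templates(user: User, content: Content, levels: dict[str, AccessLevel],
                      layout_instance_private: bool = True) -> set[str]:
    """Return the templates of `content` that `user` is allowed to view."""
    visible: set[str] = set()
    assigned = levels.get(content.access_level) if content.access_level else None
    if assigned is not None:
        # The assigned level always contributes its rules. Levels with a smaller Value
        # (higher in the hierarchy) also contribute, unless inheritance is prevented.
        # ASSUMPTION: the flag on the assigned level is what blocks upward inheritance.
        candidates = [assigned]
        if not assigned.prevent_inheritance:
            candidates += [lv for lv in levels.values() if lv.value < assigned.value]
        for level in candidates:
            for rule in level.rules:
                if rule.content_type != content.content_type:
                    continue
                if not (rule.principals & user.principals):
                    continue
                if rule.template is None or not layout_instance_private:
                    # Without Content Layout Instance = Private there is no template
                    # granularity: the rule grants the entire content type.
                    visible |= content.templates
                else:
                    visible.add(rule.template)
    # Manual sharing rules are additive to whatever the access level grants.
    for template, principals in content.manual_visitors.items():
        if principals & user.principals:
            visible.add(template)
    return visible & content.templates


def build_example() -> tuple[dict[str, AccessLevel], Content]:
    """Constructed setup mirroring the Premium/Standard article example."""
    premium = AccessLevel("Premium", 0, rules=[
        Rule("Article", "Detail", frozenset({"Premium Members"})),
        Rule("Article", "Summary", frozenset({"Premium Members"})),
    ])
    standard = AccessLevel("Standard", 1, rules=[
        Rule("Article", "Summary", frozenset({"Standard Members"})),
    ])
    article = Content("Article", frozenset({"Summary", "Detail"}), access_level="Standard")
    return {lv.name: lv for lv in (premium, standard)}, article


if __name__ == "__main__":
    levels, article = build_example()
    alice = User("alice", groups=frozenset({"Premium Members"}))
    bob = User("bob", groups=frozenset({"Standard Members"}))
    print("premium user:", sorted(visible_templates(alice, article, levels)))
    print("standard user:", sorted(visible_templates(bob, article, levels)))
    print("anonymous:", sorted(visible_templates(User(GUEST_USER), article, levels)))
```

Run it with the "Standard" level assigned and a Premium user sees both templates while a Standard user sees only Summary; reassign "Premium" and the Standard user sees nothing; set `layout_instance_private=False` and the Standard user's Summary-only rule silently grants Detail as well, which is the misconfiguration to test for before go-live.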
As a best practice, you should plan your required access levels before building them in OrchestraCMS. Although it is possible to add and remove access levels, it is easier to make sure that your content and pages are assigned the correct access level if the list of access levels is mostly stable over time.
To create an access level
- In OrchestraCMS Setup, under Site, click Access Levels.
- Click Add Level.
- In the Add Access Level dialog, do the following:
- In the Name box, enter a name that is used to label the access level. The name is what OrchestraCMS users will see when they need to select an access level for a content item or page.
- In the Value box, enter a value to determine the placement of the access level in the access level hierarchy. The highest potential level of the hierarchy has a value of 0. Content or pages assigned an access level are also accessible to users in every access level higher in the hierarchy (unless level inheritance is disabled). For example, you could have an access level named “Premium User” with a value of 0 and an access level “Standard User” with a value of 1. Content with the Standard User access level applied will also be available to Premium Users. If you want each access level to be independent, you can disable access level inheritance (see below).
- If you do not want the Value field to cause access rule inheritance as described above, click to select Prevent Level Inheritance.
- Click OK.
You can also delete an access level if it is no longer required.
When an access level is deleted, content items and pages that were assigned the access level retain the access rules until a new version of the content item or page is created and published.
Delete an access level
- On the Access Levels page, click Delete next to the access level name.
After access levels are created, you will need to assign rules to the access levels. The rules are to specify the content and pages that users will see.
For example, you could have a custom content type called “Article”. The Document Style 1 content template could display the full article. The Small Block content template could display a summary. One access level rule could specify that one subset of users could only see the summary. Another access level rule could specify that a different subset of users could see both the full article and a summary.
You can add both content and page access rules as long as you have configured them for private sharing in Salesforce.
To make a content item or page publicly accessible on your site (no login required), add the site’s guest user to the appropriate access rule.
Add a content access rule to an access level
- In OrchestraCMS Setup, under Site, click Access Levels.
- On the Access Levels page, click Edit next to the name of the access level.
- Under Content, click Add Rule.
- Select the content type from the Content Type list.
- Click to select the content template to which you want to provide access.
The step to select specific content templates will not appear if the organization-wide sharing setting for the Content Layout Instance object is not set to Private in Salesforce. In this case, the access level rule is applied to the entire content type.
- In Select Users/Groups, from the Search list, select how you want to add users to the access rule. For example, you can add users by public group or role, or you can add individual users. Your selection determines what is populated in the Available list, and optionally, you can filter this list: enter a search term and click Find.
- Select one or more groups, roles, or users to share with from the Available list, and then click Add.
- Repeat the previous two steps to add more groups, roles, and users as required.
- Click Finish. Repeat procedure as required to add more content-level access rules to the access level.
Add a page access rule to an access level
- In OrchestraCMS Setup, under Site, click Access Levels.
- On the Access Levels page, click Edit next to the name of the access level.
- Under Pages, click Add Rule.
- In the Add Rule dialog, from the Search list, select how you want to add users to the access rule. For example, you can add users by public group or role, or you can add individual users. Your selection determines what is populated in the Available list, and optionally, you can filter this list: enter a search term and click Find.
- Select one or more groups, roles, or users to share with from the Available list, and then click Add.
- Repeat steps to add more groups, roles, and users as required.
- Click Select. Repeat procedure as required to add more page-level access rules.
You can delete an access rule if you want to remove access from a specific group, role, or user.
When an access rule is deleted from or added to an access level, content items and pages that are assigned the access level retain their current access level rules until a new version is created and published.
Delete an access rule
- In OrchestraCMS Setup, under Site, click Access Levels.
- On the Access Levels page, click Delete next to the name of the access level.
- In the Delete Access Level dialog, click Yes.
After access levels are created, you can assign them to content in the content item properties. If an access level is set on a content item, the access level is retained when a new version of the content item is created. Content items that are created by cloning another content item retain the access level of the original content item.
If an access level is assigned to a content item created with the core Menu content type, the access level rules are only applied to the root menu and not to the individual menu items. If you are using a custom content type, you can set this behavior for menus.
Assign an access level to a content item
- Open the content item in the content editor.
- In the Actions panel, click Properties.
- From the Access Level list, select the access level you want to apply to the content item.
- Click Save.
You can similarly assign access levels to pages in the page properties. If an access level is set on a page, the access level is retained when a new version of the page is created. Pages that are created by cloning another page retain the access level of the original page.
Assign an access level to a page
- Open the page in the page editor.
- In the Actions panel, click Properties.
- From the Access Level list, select the access level you want to apply to the page.
- Click Save.
Manually share content items and pages
When access levels are activated in OrchestraCMS, a Share button appears in the Actions panel for content and pages. Manual sharing is normally used in conjunction with access levels: access levels make it easy to assign consistent access rules across content and pages, while manual sharing grants access to a single content item or page. Manual sharing is usually reserved for exceptional cases when the access level assigned to a content item or page does not provide the required level of access to all required users.
Although you can use manual sharing without access levels, we do not recommend this. Access levels keep your access rules consistent. They also take less time to apply to content items and pages.
Add a sharing rule to a content item
- Open the content item in the content editor.
- In the Actions panel, click Share, and then click Share with Visitors.
- In the Visitors dialog, click Add Visitor.
- In the Add Visitor dialog, select the check box beside content templates that you want users to see.
The step to select specific content templates will not appear if the organization-wide sharing setting for the Content Layout Instance object is not set to Private in Salesforce. In this case, the sharing rule is applied to the entire content item.
- From the Search list, select how you want to add users to the sharing rule. For example, you can add users by public group or role, or you can add individual users. Your selection determines what is populated in the Available list, and if you wish, you can filter this list: enter a search term and click Find.
- Select one or more groups, roles, or users to share with from the Available list, and then click Add.
- Repeat to add more groups, roles, and users as required.
- For menu content items only, there is an Apply to all children option, which is selected by default. This applies the sharing rule to the root menu and all individual menu items. If you want to apply different sharing rules to individual menu items, you can disable this option. For more information on sharing individual menu items, see “Share individual menu items in a menu”. If you do not see this check box when applying a sharing rule to a menu, you may be using a custom content type that does not have this ability enabled. See “Custom content types and private sharing”.
- Click Finish.
- Click Close.
Add a sharing rule to a page
- Open the page in the page editor.
- In the Actions panel, click Share, and then click Visitors.
- In the Add Visitors dialog, from the Search list, select how you want to add users to the sharing rule. For example, you can add users by public group or role, or you can add individual users. Your selection determines what is populated in the Available list, and optionally, you can filter this list: enter a search term in the search box and click Find.
- Select one or more groups, roles, or users to share with from the Available list, and then click Add.
- Repeat to add more groups, roles, and users as required.
- Click Add.
- Click Close.
You can delete a sharing rule if it is no longer required.
Delete a sharing rule
- In the Visitors dialog, click Delete in the row of the sharing rule you want to remove.
- In the Delete Sharing Rule dialog, click Yes.
Share individual menu items in a menu
To share specific menu items, you first need to make sure that users have access to the overall menu content item. You can grant access to the menu content item through an access level.
Sharing individual menu items is useful if you want everyone who visits your site to see a menu, but you want the menu items that an individual user sees to be determined by his or her profile, public group, role, or user record.
Share a specific menu item
- Open the menu in the content editor.
- In the dropdown menu on the right, select Manage Sharing.
- In the Manage Menu Item Sharing dialog, click Add Visitors.
- In the Add Visitors dialog, from the Search list, select how you want to add users to the sharing rule. For example, you can add users by public group or role, or you can add individual users. Your selection determines what is populated in the Available list, and if you wish, you can filter this list: enter a search term, and click Find.
- Select one or more groups, roles, or users to share with from the Available list, and then click Add.
- Repeat to add more groups, roles, and users as required.
- In the bottom right corner of the Add Visitors dialog, click Add.
You can delete a sharing rule from a menu item if you no longer want that group, role, or user to have access to the menu item. To make changes to the sharing rules applied to individual menu items, the menu must be in an unpublished state.
Delete a sharing rule from a menu item
- On the Manage Access tab, click Delete in the row of the sharing rule you want to delete.
- In the Delete Sharing Rule dialog, click Yes.
Grant access to content and pages within OrchestraCMS
Enabling private sharing restricts access to content items and pages within OrchestraCMS. By default, the user who creates a content item or page has access to it.
There are two methods you can use to provide access to other internal users who need to view, edit, or publish the content item or page:
- Establish roles and role hierarchy in Salesforce
- Manually share individual content items and pages with the required users
These methods are normally used together. A role hierarchy provides automatic access to content items and pages based on the position of a user's role in the hierarchy relative to the creator's role.
Manual sharing allows you to grant access to an individual content item or page. This is useful when the role hierarchy does not provide the required level of access to the required users. For example, if a specific piece of content or page was being developed by multiple people in different departments, it is likely that the role hierarchy would not provide the required access to do this. Manual sharing could be used to allow the users to collaborate.
Establish roles and a role hierarchy in Salesforce
Salesforce roles and the role hierarchy are used to open up access to content items and pages when private sharing is enabled. By default, users have access to the content items and pages that they create, as well as the content items and pages that are created by users lower in the same branch of the role hierarchy.
It is not necessary to create roles for every job title at your organization. Users who require the same amount of access to data can be grouped into a single role. If you already have a role hierarchy established in Salesforce, and if private sharing is enabled, it will be automatically used to determine access to content items and pages in OrchestraCMS.
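The rule in the two paragraphs above (the creator always has access, users whose role sits above the creator's role in the same branch inherit access, and manual collaborator sharing fills the gaps) is easy to get wrong when a hierarchy has several branches, so it helps to model it before relying on it for approvals. The following is an added illustrative model, not OrchestraCMS or Salesforce code. The role names, users and hierarchy are constructed; the "same branch" test is implemented as an ancestor walk over each role's "This role reports to" field.

```python
"""Model of role-hierarchy plus collaborator access inside the CMS (added example, not product code)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed role hierarchy: role -> the role it reports to (None at the top).
ROLE_REPORTS_TO: dict[str, Optional[str]] = {
    "CEO": None,
    "VP Marketing": "CEO",
    "Content Editor": "VP Marketing",
    "VP Sales": "CEO",
    "Sales Rep": "VP Sales",
}


@dataclass(frozen=True)
class InternalUser:
    name: str
    role: Optional[str] = None        # users with no role only see what they own or are shared
    groups: frozenset[str] = frozenset()


@dataclass
class Item:
    """A content item or page as seen inside the CMS."""
    title: str
    created_by: str
    # manual "Share with Collaborators" principals: user names, roles or public groups
    collaborators: set[str] = field(default_factory=set)


def is_ancestor_role(candidate: str, role: str, reports_to: dict[str, Optional[str]]) -> bool:
    """True if `candidate` is strictly above `role` in the same branch of the hierarchy."""
    seen: set[str] = set()
    current = reports_to.get(role)
    while current is not None and current not in seen:   # guard against a malformed cycle
        if current == candidate:
            return True
        seen.add(current)
        current = reports_to.get(current)
    return False


def has_internal_access(user: InternalUser, item: Item, users: dict[str, InternalUser],
                        reports_to: dict[str, Optional[str]] = ROLE_REPORTS_TO) -> bool:
    """Can `user` open `item` in the CMS to view, edit or approve it?"""
    if user.name == item.created_by:
        return True                                      # creators always keep access
    creator = users.get(item.created_by)
    if creator is not None and creator.role and user.role:
        if is_ancestor_role(user.role, creator.role, reports_to):
            return True                                  # opened up by the role hierarchy
    principals = {user.name} | user.groups | ({user.role} if user.role else set())
    return bool(principals & item.collaborators)         # manual collaborator share


def build_users() -> dict[str, InternalUser]:
    """Constructed users for the scenario."""
    users = [
        InternalUser("carol", "Content Editor"),
        InternalUser("dana", "VP Marketing"),
        InternalUser("erin", "VP Sales", groups=frozenset({"Launch Task Force"})),
        InternalUser("frank", "CEO"),
        InternalUser("gus", "Sales Rep"),
    ]
    return {u.name: u for u in users}


if __name__ == "__main__":
    users = build_users()
    draft = Item("Q3 launch page", created_by="carol")
    for name in users:
        print(name, has_internal_access(users[name], draft, users))
```

In the constructed scenario, carol's manager chain (dana, frank) can open her draft and therefore approve it, the parallel Sales branch cannot, and sharing the item with the "Launch Task Force" public group brings erin in without restructuring the hierarchy.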
Create a new role in a role hierarchy in Salesforce
- In Salesforce Setup, under Manage Users, click Roles.
- If you are directed to an Understanding Roles page, click Set Up Roles. Otherwise, proceed to the next step.
- Choose one of three view options to create your roles and hierarchy from the view list:
- Show in tree view. This view displays the role hierarchy in a tree that can be expanded and collapsed to show or hide specific branches of the hierarchy. You can add roles directly at their position in the hierarchy.
- Show in sorted list view. This view displays roles in a standard table that can be sorted by Role, Reports To, or Report Display Name.
- Show in list view. This view is a combination of the other two. It displays roles in a standard table, but the role names are indented according to their location in the hierarchy and the list cannot be sorted.
- Do one of the following:
- If you are in the tree view, expand the tree to the role that the new role reports to, and then click Add Role under this role.
- If you are in the sorted list view or the list view, click New Role.
- On the New Role page, do the following:
- In the Label box, enter a label for the new role.
- In the Role Name field, enter a unique name for the role that contains only alphanumeric characters and underscores (it must begin with a letter, and it cannot end with an underscore or contain two consecutive underscores). This field is automatically populated based on what was entered in the Label field.
- Next to the This role reports to field, click the search icon, and in the Select a Role window, click Select next to the role that the new role will report to. You may need to expand the role hierarchy to locate the role. This field is already populated if you arrive at this page from the tree view.
- Optionally, in the Role Name as displayed on reports field, enter how you want the role to be identified on Salesforce reports.
- Click Save.
Repeat the above procedure as necessary to complete your role hierarchy, and then assign users to roles.
Assign users to roles
- In Salesforce Setup, under Manage Users, click Roles.
- If you are directed to an Understanding Roles page, click Set Up Roles. Otherwise, proceed to the next step.
- Next to the role to which you want to assign users, click Assign.
- Make a selection from the Available Users Search list to populate the list of available users.
- Select a user from the available users list, and then click Add.
- Repeat the previous two steps as required to add users to the role.
- Click Save.
Manually add internal collaborators to content and pages
If an OrchestraCMS user needs to collaborate on a content item or page with one or more users who do not have access to it by default, the content item or page can be shared with those users. They can then access the content in OrchestraCMS.
Add collaborators to a content item or page
- Do one of the following:
- Open a content item in the content editor.
- Open a page in the page editor.
- In the Actions panel, click Share, and then click Share with Collaborators.
- In the Visitors dialog, click Add Collaborator.
- In the Add Collaborators dialog, from the Search list, select how you want to add users. For example, you can add users by public group or role, or you can add individual users (these options may be limited depending on your sharing permissions; restricted sharing only allows sharing with specified public groups). Your selection determines what is populated in the Available list, and you can choose to filter this list: enter a search term and click Find.
- Select one or more public groups, roles, or users to share with from the Available list, and then click Add.
- Repeat to add more groups, roles, and users as required.
- Click Select.
- Repeat from the Add Collaborator step to add more sets of collaborators. When you are finished, click Close.
For collaborators to be able to preview the content they are working on, they must also be given access to the content via an access level or a manual sharing rule.
You can also remove collaborators from a content item or page. Removing collaborators revokes their access.
Remove collaborators from a content item or page
- Do one of the following:
- Open a content item in the content editor.
- Open a page in the page editor.
- On the Share menu, click Collaborators.
- In the Add Collaborators dialog, click on the collaborator you want to remove, and then click Remove.
- Click Save.
Special considerations for private sharing
There are some special considerations for private sharing if any of the following scenarios apply:
- Your organization has one or more custom content types that are used to create menus.
- Your organization uses master pages.
- Your organization has a publish approval process enabled.
Custom content types and private sharing
This is relevant if you have a custom content type that contains any of the following content templates related to creating menus:
- Breadcrumb
- Class Styled Menu
- Mega Menu
- Simple Horizontal Menu
Menus use a parent/child structure: the root menu is the parent, and the individual menu items are children. Menus are the only type of content that can have different sharing rules applied to the parent and child elements.
When you build a menu using the core Menu content type, OrchestraCMS automatically knows how to handle the parent/child structure with regards to access levels and manual sharing rules. By default, access levels applied to menus do not automatically share the individual menu items. Also by default, the Apply to all children check box is used to determine if a manual sharing rule applied to a menu is only applied to the root menu or the root menu and all individual menu items.
The core Taxonomy, Form, and Data content types also use a parent/child structure, but this does not affect sharing rules.
When you create a custom content type for menus, an administrator must specify that the content type has a parent/child structure and can also specify the following:
- Whether access level rules assigned to the parent menu are also assigned to the individual menu items.
- Whether the “Apply to all children” check box should be displayed in the Add Visitor dialog when a manual sharing rule is applied. If you choose to display the check box, users can clear it so the sharing rule is only applied to the parent menu. If you choose to not display the check box, all sharing rules applied to the parent menu will be automatically applied to all the individual menu items.
Set child element properties for a custom menu content type
- In OrchestraCMS Setup, under Templates, click Content Types.
- In the Custom Content Types area, click the name of the custom content type.
- On the Edit Content Type page, click the Content has a parent/child structure check box.
- Optionally, do one or both of the following:
- Click to select the Exclude child elements from access level rules assigned to parent check box. This makes access level rules assigned to the root menu not apply to the individual menu items, which is the default behavior for the core Menu content type.
- Click to select the Include checkbox in the Add Visitor dialog when sharing content check box. This makes the “Apply to all children” check box appear when a user manually shares a content item or page, which is the default behavior for the core Menu content type.
- Click Save.
The “Exclude child elements from access level rules assigned to parent” and “Include checkbox in the Add Visitor dialog when sharing content” check boxes should never be selected unless the content type includes menu content templates. Enabling these options for other content types, especially those that have children but are not menus, will disrupt the ability to properly share content items of that content type.
For more information on applying sharing rules to a root menu content item, see “Manually share content items and pages”. For more information on applying sharing rules to individual menu items, see “Share individual menu items in a menu”.
Master pages and private sharing
Content on master pages must be assigned an access level or have sharing rules applied in the same way as other pages and content. For example, if a user has access to a page that has a master page applied, they will only see the content on the master page that they have also been given access to. For this reason, it is important to remember to include master pages when you are configuring your access levels and sharing rules.
If you have also configured private sharing for pages, master pages need to be assigned an access level or have sharing rules applied for users to be able to see any of the content on the master page.
Approval processes and private sharing
If your organization has a publish approval process enabled, it is important that approvers have access to the content items and pages in OrchestraCMS that they need to approve. The easiest way to achieve this is by using a role hierarchy. For example, if a content creator’s manager must approve items before they are published, a role hierarchy (that places the manager above the content creator) ensures that the manager always has access to the content items and pages created by the content creator.
Alternatively, users can manually share content items and pages with other users who are part of the approval process.