Manage OrchestraCMS Permissions
OrchestraCMS contains more than 50 objects that require permissions to be set up based on the users’ different roles. Permissions are required for Visualforce pages, classes, sections, and the application.
Salesforce permission sets simplify installation, upgrades, and the management of user permissions to OrchestraCMS components.
Using permission sets allows for more granular control of user permissions.
Saving an OrchestraCMS profile automatically generates or updates the permission set for all users in the profile, based on the selected profile permissions, and applies those permissions to the relevant OrchestraCMS objects and pages. The permission sets are applied to users when they are added to an OrchestraCMS profile.
OrchestraCMS administrators can manage permission sets for each OrchestraCMS profile:
- The Available Permission Sets column contains additional permission sets that are available in the organization.
- The Applied Permission Sets column contains OrchestraCMS auto-generated permission sets and additional permission sets that are registered with the OrchestraCMS profile.
- The Add button adds additional permission sets that are available in the organization and assigns those permissions to OrchestraCMS users for this profile.
- The Remove button removes custom permission sets from the OrchestraCMS profile and from OrchestraCMS users for the profile. The OrchestraCMS-generated permission set for the current profile, and the OrchestraCMS Org Wide permission set cannot be removed.
- The Filter option makes it easy to identify permission sets.
- The number of permission sets displayed in each list is limited to 25. A message, “Start typing to filter the list”, reminds you to use the filter to narrow down your results.
Auto-generate permission sets
We recommend that the system administrator select the Configure link on the OrchestraCMS Installed Package detail page.
This action will generate or refresh all permission sets for all OrchestraCMS profiles, and display the status of the OrchestraCMS Permission Generator.
Permission sets for all OrchestraCMS profiles are also updated when the system administrator logs in to OrchestraCMS (if they were not refreshed by a previous action).
To generate or refresh a permission set for a single profile, use the Save button on the OrchestraCMS profile.
Apply or re-apply permission sets to OrchestraCMS users
- In OrchestraCMS Setup, under Site, click Profiles.
- On the Profiles page, click Edit beside the profile that needs permissions re-applied.
- On the Edit OrchestraCMS Profile page, click Manage Users.
- On the Manage Users page, click Reapply Permissions. This will ensure that the OrchestraCMS auto-generated permission sets and any other registered permission sets have been assigned to all users assigned to this profile.
- If permission sets have not been assigned to the user, they will show up in the Missing Permission Sets column.
New Administrative Permissions
On OrchestraCMS upgrades to Spring 2015 and later, there are three new administrative permissions: Site Setup (which gives you the ability to add a site), Priority Levels, and Overture Section (in Setup, under Profiles). When you first upgrade from an earlier version of OrchestraCMS, you won’t see these check boxes displayed unless you first refresh licenses.
- In Setup, under Licenses, click Check Now.
- In Setup, under Profiles, you will see the new permissions.
Generating or refreshing OrchestraCMS Permissions
An upgrade to OrchestraCMS automatically generates permission sets when the administrator first logs in to OrchestraCMS after install.
Alternatively, the Salesforce system administrator can select the "Configure" link on the OrchestraCMS Installed Package detail page to generate or refresh any permission sets missing from an OrchestraCMS profile and display the status of the OrchestraCMS Permission Generator. This is the recommended action.
- Under Deploy, click Installed Packages.
- On the Installed Packages page, you will see your installed package.
- To generate or refresh OrchestraCMS permissions, click Configure.
Site Guest User permissions
On installation or upgrade, OrchestraCMS automatically generates ocms_SiteViewer permissions, providing access to objects, fields and Visualforce pages for guest users who are listed as Active.
If the guest user is not active but is activated later, and the administrator clicks on OrchestraCMS Site Details (under Setup), a message will appear to say the permission set doesn’t exist, or the guest user doesn’t have the required permission.
In that case, the “Validate Permissions” option should be used.
Validate permissions for a Site Guest User
- In OrchestraCMS Setup, under Site, click Details.
- Click Edit.
- Click Validate Permissions.
The SiteViewer permission set is shared among all guests in the organization.
If you want to create additional Visualforce pages for your public website users, you will have to go to the Available Visualforce Pages list in the Salesforce guest profile, select your additional pages, click Add, and then Save.
If your public website users will be submitting forms, do the following:
- Make modifications to permissions for standard or custom objects that will be used in forms. For example, if you build a web-to-lead form using fields from the Leads object, you must grant Create access to that object under Standard Object Permissions. If you want your forms to be able to update existing records, you also need to grant Edit access to the appropriate objects.
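An added example, not part of the OrchestraCMS documentation: because the SiteViewer permission set is shared among all guests, an object permission granted for one form applies to every guest user in the organization. This Python script checks an export of the Salesforce ObjectPermissions object for grants beyond what the forms need; the sample rows, the FORM_POLICY mapping and the export column headers are assumptions.

```python
import csv
import io

# Constructed sample of an ObjectPermissions export (for example via Data Loader).
# "Parent.Name" is the permission set that owns each row; header names are assumed.
SAMPLE_EXPORT = """\
Parent.Name,SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
ocms_SiteViewer,Lead,true,true,false,false,false,false
ocms_SiteViewer,Case,true,true,true,false,false,false
ocms_SiteViewer,Account,true,false,false,true,true,false
OtherSet,Contact,true,true,true,true,true,true
"""

# Assumed policy: what public forms are allowed to do, per object.
# Lead is a web-to-lead form (Create only); Case forms may also update records.
FORM_POLICY = {"Lead": {"Create"}, "Case": {"Create", "Edit"}}

PERMISSIONS = ["Read", "Create", "Edit", "Delete", "ViewAllRecords", "ModifyAllRecords"]


def is_true(value):
    """Exports write booleans as true/TRUE/1 depending on the tool."""
    return str(value).strip().lower() in ("true", "1", "yes")


def audit_guest_object_permissions(export_text, permission_set, policy):
    """Return [(object, [excess permissions])] for one permission set.

    Read is treated as the baseline for every object; anything else must be
    listed in the policy for that object or it is reported.
    """
    findings = []
    for raw in csv.DictReader(io.StringIO(export_text)):
        # Normalise header case so differently cased exports still match.
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        if row.get("parent.name") != permission_set:
            continue
        obj = row.get("sobjecttype", "")
        granted = {p for p in PERMISSIONS
                   if is_true(row.get("permissions" + p.lower(), ""))}
        allowed = {"Read"} | set(policy.get(obj, ()))
        excess = sorted(granted - allowed)
        if excess:
            findings.append((obj, excess))
    return sorted(findings)


if __name__ == "__main__":
    for obj, excess in audit_guest_object_permissions(
            SAMPLE_EXPORT, "ocms_SiteViewer", FORM_POLICY):
        print(f"{obj}: guest access exceeds form policy: {', '.join(excess)}")
```

Run it after each change to form-related object permissions, and again after clicking Validate Permissions, to confirm that guest access still matches the forms actually published.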
Add custom content type permissions to OrchestraCMS profiles
After your custom content type is created, it appears in the Create New Content dialog in the Content Type list for users who have access to the content type. A user’s OrchestraCMS profile determines whether they have permission to create, edit, or publish content using specific content types, including custom content types.
Custom content type permissions are not automatically added to OrchestraCMS profiles that have permission to create or modify other content types. At minimum, you must open and save the profile again to grant access to the new custom content types.
Modify the content type permissions for an OrchestraCMS profile
- In the OrchestraCMS Setup panel, under Site, click Profiles.
- Click Edit next to the profile that you want to add custom content type permissions to.
- Under the Content Permissions area, add or remove one or more of the Create, Edit, and Publish permissions for the new content type; permissions for new content types might already be added to the profile, but will not be active until the profile is saved again.
- Click Save.
Assign permissions for Intranet users
There are two types of Intranet users:
- Users who need to access the Intranet as well as manage the Intranet in OrchestraCMS.
- Users who only need to access the Intranet.
Manage Intranet permissions for OrchestraCMS users
Make sure your current site is the Intranet you have just created.
Internal users who require access to the OrchestraCMS application to make changes to the intranet site are managed by OrchestraCMS permission sets.
- If OrchestraCMS users need access to the Intranet, they will also need access to the IntranetRedirect page and the Intranet App and Tab (created in Salesforce), if that access has not already been given. The Salesforce administrator must create the Permission Set in Salesforce and include these components.
The Permission Set should then be assigned to OrchestraCMS profiles.
To assign a permission set to OrchestraCMS profiles for users needing access to the Intranet
- In OrchestraCMS Setup, click Profiles.
- On the Manage Profiles page, click Edit next to a profile.
- Click Manage Permissions.
- The Applied Permission Sets column contains OrchestraCMS auto-generated permission sets and additional permission sets that are registered with the OrchestraCMS profile.
- Select the newly-created Permission Set for your Intranet site.
- Click Add to assign the Permission Set to OrchestraCMS users for this profile.
- Click Done.
All existing users in this profile, and any new users added to that profile, will be assigned the Permission Set.
Manage permissions for intranet-only users
There are two options for managing permissions for intranet-only users:
- Intranet-only users who do not need access to OrchestraCMS can use a Salesforce profile to configure access.
- Access can be configured using the OrchestraCMS “ocms_SiteViewer” Permission Set.
Configure permissions using a Salesforce profile
- In Salesforce Setup, under Manage Users, click Profiles.
- Click Edit next to a custom profile. If you do not currently have a custom profile, you can click on a standard profile name, then click Clone to create an identical custom profile.
- In the Custom App Settings area, click to select Visible next to your intranet app if it is not already selected. Optionally, click to select Default if you want users belonging to that profile to go directly to the intranet when they log in to Salesforce.
- In the Tab Settings area, under Custom Tab Settings, select Default On next to the name of your intranet tab if it is not already set to that value.
- In the Custom Object Permissions area, click to select the Read box for each OrchestraCMS custom object.
- If your intranet users will be submitting forms, do the following:
- In addition to the Read check box, click to select the Create check box for the Form Data object. If you want your forms to be able to update existing records, you also need to grant the Edit permission.
- Make modifications to permissions for standard objects or custom objects that will be used in forms. For example, if you have a custom object called Employee Feedback that will be used in forms, you need to grant read and create permissions, at minimum, for this object. If you want your forms to be able to update existing records, you also need to grant the edit permission.
- Click Save.
- On the Profiles page, under the Profile Name column, click to select the profile you were editing.
- Scroll down to the Enabled Apex Class Access area, and click Edit.
- From the Available Apex Classes list, select IntranetRedirect, and then click Add.
- Click Save.
- Scroll down to the Enabled Visualforce Page Access area, and click Edit.
- From the Available Visualforce Pages list, click to select the IntranetRedirect page and click Add to move it to the Enabled Visualforce Pages list.
- Click Save.
- Scroll down to the Field-Level Security area, and under Custom Field-Level Security, click View beside one of the OrchestraCMS custom objects.
- Click Edit.
- Click to select the Visible box beside each field. Optionally, you can also select Read Only for fields that you want to restrict to read-only access.
- Click Save.
- Click Back to Profile.
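- Repeat the previous five steps (from clicking View beside an OrchestraCMS custom object through clicking Back to Profile) until the process has been completed for all OrchestraCMS custom objects.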
Configure permissions using the Salesforce Permission Set
If the OrchestraCMS SiteViewer permission set is used instead of Salesforce profile permissions, the Salesforce administrator must manage the assignment of those permission sets using Salesforce functionality – for example, the “Manage Assignment” option under Permission Set or Data Loader.
Unlike Salesforce profiles, a Default can’t be set for an App in a Permission Set. You can only specify whether the App is Visible.
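An added example, not part of the OrchestraCMS documentation: when assignments are managed by hand, they drift from the intended user list. This Python script reconciles a User export against a PermissionSetAssignment export and builds the insert file for Data Loader; the sample IDs, the "Intranet Only" profile name, the column headers and the permission set ID placeholder are assumptions.

```python
import csv
import io

# Constructed sample exports (for example from Data Loader); all IDs are made up.
USERS_CSV = """\
Id,IsActive,Profile.Name
005000000000001AAA,true,Intranet Only
005000000000002AAA,true,Intranet Only
005000000000003AAA,false,Intranet Only
005000000000004AAA,true,Sales
"""
ASSIGNMENTS_CSV = """\
AssigneeId,PermissionSet.Name
005000000000001AAA,ocms_SiteViewer
005000000000003AAA,ocms_SiteViewer
005000000000004AAA,ocms_SiteViewer
005000000000004AAA,OtherSet
"""


def rows(text):
    """Yield CSV rows with lower-cased headers and trimmed values."""
    for raw in csv.DictReader(io.StringIO(text)):
        yield {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}


def reconcile(users_csv, assignments_csv, profile_name, permission_set):
    """Return (missing, unexpected) user IDs for one permission set.

    missing:    active users in the profile who lack the assignment.
    unexpected: holders who are inactive or outside the profile (review these).
    """
    intended = {r["id"] for r in rows(users_csv)
                if r["profile.name"] == profile_name
                and r["isactive"].lower() == "true"}
    holders = {r["assigneeid"] for r in rows(assignments_csv)
               if r["permissionset.name"] == permission_set}
    return sorted(intended - holders), sorted(holders - intended)


def insert_csv(user_ids, permission_set_id):
    """Build the PermissionSetAssignment insert file (AssigneeId, PermissionSetId)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["AssigneeId", "PermissionSetId"])
    for user_id in user_ids:
        writer.writerow([user_id, permission_set_id])
    return out.getvalue()


if __name__ == "__main__":
    missing, unexpected = reconcile(
        USERS_CSV, ASSIGNMENTS_CSV, "Intranet Only", "ocms_SiteViewer")
    # Placeholder: replace with the real ID of the permission set in your org.
    print(insert_csv(missing, "PERMISSION_SET_ID_PLACEHOLDER"))
    print("Review before removing:", unexpected)
```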
Set the administrator profile permission for managing access levels
When your organization has the OrchestraCMS Private Sharing feature license, a new profile permission is available to allow administrators to manage access levels.
This permission is available for OrchestraCMS profiles associated with an OrchestraCMS System Administrator or an OrchestraCMS Site Administrator license. It is enabled by default.
Permissions can’t be removed from the OrchestraCMS System Administrator profile, but they can be removed from site administrator profiles.
Add or remove the Manage Access Levels permission from a site administrator profile
- In OrchestraCMS Setup, under Site, click Profiles.
- Click Edit next to the profile name.
- Under Administrative Permissions, click to select or clear the Manage Access Levels check box.
- Click Save.
The Manage Access Levels permission makes the Access Levels option available in OrchestraCMS Setup. This is where administrators can create, edit, and delete access levels.
User profile permissions to limit sharing
The License Profile Sharing Restriction object must have its organization-wide sharing setting set to Private for this feature to be available for private sharing.
When private sharing is enabled in OrchestraCMS, sharing permissions can be set for each OrchestraCMS profile to control those with whom users can share. Sharing permissions, and all other permissions, can’t be restricted for the OrchestraCMS System Administrator profile.
Salesforce Public Groups are used to specify which collaborators and visitors the users can share with. Leaving the sharing permissions blank allows users belonging to that profile to have unrestricted sharing permissions.
Set profile sharing permissions
- In OrchestraCMS Setup, under Site, click Profiles.
- Click Edit next to the profile name.
- Scroll down to the Sharing Permissions section.
- To specify the collaborators that users can share with, do the following:
- Click Add Collaborators.
- In the Add Collaborators dialog, select one or more groups from the Available list, and click Add to move them to the Share With list.
- Click Save.
- To specify the visitors with whom users can share, do the following:
- Click Add Visitors.
- In the Add Visitors dialog, select one or more groups from the Available list, and click Add to move them to the Share With list.
- Click Add.
You can remove collaborators and visitors from the sharing permissions, but we do not recommend removing the original owner of the content or page from the collaborators list.
Remove a Public Group from profile sharing permissions
- In the Sharing Permissions section of the profile, click Delete next to the Public Group that you want to remove.
- In the Delete Sharing Rule dialog, click Yes.
Set the administrator profile permission for managing targets
When your organization has the OrchestraCMS Targeting feature license, a new profile permission is available to allow administrators to manage targets. This permission is available for OrchestraCMS profiles that are associated with an OrchestraCMS System Administrator or OrchestraCMS Site Administrator license, and is enabled by default. Permissions can’t be removed from the OrchestraCMS System Administrator profile but can be removed from site administrator profiles.
Add or remove the Manage Targets permission from a site administrator profile
- In OrchestraCMS Setup, under Site, click Profiles.
- Click Edit next to the administrator profile.
- Under Administrative Permissions, click to select or clear the Targets check box.
- Click Save.
(This permission makes the Targets option available in OrchestraCMS Setup. This is where administrators can create, edit, and delete targets.)
Create community profiles and set permissions
Only custom profiles can be assigned the permissions required to access a site created with OrchestraCMS. For example, a customer community profile should be cloned from the Customer Community User standard profile. In addition to internal and Community profiles, Chatter and Portal profiles can be added to communities (Chatter customers, from private groups with customers, can’t be added to communities).
Create a new profile
- In Salesforce Setup, under Manage Users, click Profiles.
- Do one of the following:
- Click on the profile name of any standard profile.
- Click Clone in the Profile Detail. This should be an internal, Community, Portal, or Chatter profile.
- Enter a name in the Profile Name box.
- Click Save.
Assign Taxonomy permissions
There are create, edit, and publish permissions for taxonomy, and an OrchestraCMS System Administrator or OrchestraCMS Site Administrator can assign the appropriate permissions to relevant users.
To grant taxonomy permissions to an OrchestraCMS profile
- In OrchestraCMS Setup, click Profiles.
- Click Edit next to the profile you want to add permissions to.
- In the Content Permissions area, click to select one or more of the Taxonomy permissions (Create, Edit, Publish, Translate). You can click the check box to the left of Taxonomy to automatically select all three permissions.
- Click Save.
Assign user permissions for a Publish Approval process
There are user permissions, in both Salesforce and OrchestraCMS, that are required for users to be able to successfully participate in a publish approval process.
Assign Salesforce permissions
- We recommend using OrchestraCMS permission sets.
- Editors and authors have permissions as the initial submitters in the Salesforce approval process, because they will be creating the content and pages that will be submitted.
- Publishers and site administrators will be set as the approvers in the Salesforce approval process, and when they approve the submitted content and pages, the content and pages are published.
Assign OrchestraCMS permissions
When a publishing approval process is enabled in OrchestraCMS, it is the Salesforce approval process that primarily controls how users are affected by the process. However, there are some considerations to make for OrchestraCMS profile permissions:
- Approvers who are the final approver in the process require publish permissions so the item is published at the end of the approval process.
- Approvers who are allowed to edit the items they are approving require both edit and publish permissions.
- Approvers who are never final approvers are not required to have publish permissions.
- OrchestraCMS profiles can allow users to publish independently of the approval process.
- For single-step approval processes, all approvers require publish permissions. It is often easiest to provide all approvers with publish permissions. Having publish permissions does not exempt the users from having to submit their own content items and pages for approval; this is determined by the structure of the approval process and whether their OrchestraCMS profile is granted the specific permission to publish independently of the approval process.
Allow permission to publish independently
There is a specific permission that allows users associated with a profile to publish independently of the approval process. These users still require OrchestraCMS publish permissions to be able to publish content items and pages.
Allow users associated with a specific profile to publish outside of the approval process
- In OrchestraCMS Setup, click Profiles.
- Next to the profile name that you want to grant this permission to, click Edit.
- Scroll down to the Approval Process Permissions area, and click to select the check box beside Allow users with this profile to publish independently of the approval process.
- Click Save.
Manage translation permissions
There are two items that determine whether an OrchestraCMS user has permission to translate a content item to a specific language: OrchestraCMS profile permissions and translation group membership.
OrchestraCMS profile permissions determine whether a user is able to translate a content item of a specific type (e.g., Text, Media).
Translation group membership determines which languages a specific user is able to translate.
When a language is added to a site, a translation group for the language is automatically created. OrchestraCMS users with “Manage Translation Groups” permission have the ability to add and remove users from translation groups.
If you have a multilingual licence installed, even if you are only using the single default language, users other than the system administrator need to be added to the default language translation group before they can create or edit content and pages.
If you don’t have the multilingual licence installed, the translation groups are not present in OrchestraCMS Setup.
Profile translation permissions determine what OrchestraCMS users can do with content based on Content Type.
For each Content Type, you can set permission to Create, Edit or Publish content. With multilingual, there is a fourth permission: Translate.
The Translate permission allows specific users with that permission to translate existing content. Editors can create and build content in one language; translators can translate that content without being able to change the content or structure.
Provide content translation permissions to an OrchestraCMS user profile
- In OrchestraCMS Setup, under Site, click Profiles.
- Next to the profile that requires translation permissions, click Edit.
- In the Content Permissions area, click to select the Translate box next to the content types that you want that profile to be able to translate.
- Click Save.
Add or remove translation group members
- In OrchestraCMS Setup, under Site, click Translation Groups.
- On the Manage Translation Groups page, in the row of the translation group where you want to add or remove members, click Edit.
- In the Manage Group Members dialog, do one or both of the following:
- From the Available Users list, click to select one or more users to add to the translation group, and then click Add.
- From the list of members included in the translation group, click to select one or more to remove from the translation group, and then click Remove.
- Click OK.
Permissions for additional Content Types (OrchestraCMS Extensions)
For OrchestraCMS Extensions, these Salesforce Visualforce pages need to be added to a permission set and assigned to users.
- ArticleGenerateDetail
- ArticleGenerateDetailWithRelated
- ArticleGenerateSummary
- ArticleGenerateSummarySmallWithImage
- BookmarkGenerateCurrentPage
- BookmarkGenerateList
- CarouselEnhancedGenerate
- GenerateSearchContentForm
- GenerateSearchContentResults
- GoogleSearchGenerator
- IdeasGenerateDetail
- IdeasGenerateListAll
- IdeasGenerateListMy
- IdeasGeneratePost
- RSSInboundGenerate
- SalesforceContentGenerateContentList
- SalesforceContentGenerateLibraryList
- SalesforceContentGenerateSearchResults
- SalesforceContentGenerateSelectList
- SalesforceDashboardGenerate
- UserStoryGenerateApprovalsList
- UserStoryGenerateDetail
- UserStoryGenerateSummaryList
Create a new Permission Set
- In Salesforce Setup, expand Manage Users.
- Click Permission Sets.
- Click New.
- Enter the permission set information. Enter the permission set name: OrchestraCMS Extensions. A license is not needed.
- Under Apps, click Visualforce Page Access.
- Click Edit.
- Select each required Visualforce page (from the list, above) from Available Visualforce Pages on the left.
- Click on each and click Add to add it to Enabled Visualforce Pages on the right.
- Save.
Permission Sets for Library conversion
A permission set that allows users to edit inactive user records is required for any OrchestraCMS users with an OrchestraCMS System Administrator or OrchestraCMS Site Administrator profile.
We strongly recommend that you create a permission set specifically for this purpose before you attempt to convert a media library, and that you do not apply it to autogenerated OrchestraCMS permission sets.
Create permissions to edit inactive user records
- In Salesforce App setup, under Customize, select User Interface.
- In User Interface, under Setup, select “Set Audit Fields upon Record Creation” and “Update Records with Inactive Owners” User Permissions.
- Click Save.
- In Salesforce Administration Setup, under Manage Users, select Permission Sets.
- On the Permission Sets page, click New.
- Create a new Permission Set, such as OrchestraCMS Library Media Conversion.
- Click Save.
- In the interface for your new Permission Set, under System, click System Permissions.
- Enable “Update Records with Inactive Owners”.