Publication and CMS configuration using Active Directory security
Introduction
Note: the information in this article doesn't apply to iXperion 1.2 and later. See Active Directory integration changes within iXperion 1.2 for more information.
Configuring a secured publication environment and a secured CMS environment over an Active Directory connection is rather complex, especially with regard to the Active Directory groups and CMS Manager groups involved.
But before you start, first read the following articles:
- For the publication environment you have to follow the instructions in this document: Membership_and_Role_Providers-Active_Directory_Role-_and_Membership_Providers
- For the cms environment you have to follow the instructions in this document: http://support5.smartsite.nl/smartsite.dws?goto=117
Now that you have read about the basics, take the following rules into consideration and make an appropriate implementation plan for your organization. The biggest issue is that the publication environment and the CMS environment apply different business rules to user and visitor mapping.
Publication Environment business rule:
- SmartsiteAccessGroup
Group that defines access to Smartsite. Active Directory group membership must at least include this group to get access to Smartsite.
- VisitorGroup
When Active Directory user membership includes this group, mapping will be forced to the Visitors table instead of the Users table.
So when a user must have access to the CMS-manager, he cannot be a member of the VisitorGroup.
CMS environment business rule:
- AccessGroup
Group that maps a visitor to the visitors table so he can have access to Smartsite 5 rendered content (like Forms).
- ManagerAccessGroup
Group that maps a user to the users table so he can have access to the Smartsite CMS Manager.
In contrast with the publication environment, a user may be a member of both groups and still be mapped to the users table.
Configuration
To make sure that a user who needs access to both the CMS-manager and the secured publication content is mapped to the users table, and that a visitor who is only allowed to see the secured publication content is mapped to the visitors table, configure the following groups and settings:
Add the following Active Directory groups:
- smartsiteaccesslocal
- sitevisitors
- manageraccesslocal
Add the following groups to Smartsite:
- smartsiteaccesslocal (parent: startgroup)
- sitevisitors (parent: smartsiteaccesslocal)
- manageraccesslocal (parent: startgroup)
Change the registry, key security (within the siteroot), to:
- accessgroup: smartsiteaccesslocal
- manageraccessgroup: manageraccesslocal
Change the web.config to:
<Smartsite.ActiveDirectoryConfiguration>
  <settings>
    <add name="SmartsiteAccessGroup" value="smartsiteaccesslocal"/>
    <add name="VisitorGroup" value="sitevisitors"/>
    <add name="StoreFullyQualifiedLoginName" value="false"/>
  </settings>
</Smartsite.ActiveDirectoryConfiguration>
Active Directory group membership
An employee who needs access to the CMS-Manager and to the secured publication content needs to be a member of the following two Active Directory groups (so he's only mapped to the users table):
- smartsiteaccesslocal
- manageraccesslocal
And not sitevisitors!
An employee who only needs access to the secured publication content needs to be a member of the following two Active Directory groups (so he's not mapped to the users table but only to the visitors table):
- smartsiteaccesslocal
- sitevisitors
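
The following is an added example, not part of the original article or of Smartsite itself: a small Python check that applies the publication and CMS mapping rules described above to a list of Active Directory memberships and flags accounts whose membership conflicts with them. It assumes each account's effective group membership is available as a flat list of names; the account names and the function names are constructed for illustration.

```python
# Added example: models the mapping rules described in this article.
# Group names are the ones configured above; account names are constructed.
ACCESS_GROUP = "smartsiteaccesslocal"   # SmartsiteAccessGroup / accessgroup
VISITOR_GROUP = "sitevisitors"          # VisitorGroup (web.config)
MANAGER_GROUP = "manageraccesslocal"    # manageraccessgroup (registry)


def publication_mapping(groups):
    """Publication rule: access group required; VisitorGroup forces Visitors."""
    if ACCESS_GROUP not in groups:
        return None
    return "Visitors" if VISITOR_GROUP in groups else "Users"


def cms_mapping(groups):
    """CMS rule: ManagerAccessGroup maps to Users, even with AccessGroup present."""
    if MANAGER_GROUP in groups:
        return "Users"
    return "Visitors" if ACCESS_GROUP in groups else None


def audit(member_of):
    """Return (publication table, CMS table, findings) for one account."""
    # Assumption: group names are compared case-insensitively.
    groups = {g.casefold() for g in member_of}
    pub, cms = publication_mapping(groups), cms_mapping(groups)
    findings = []
    if cms == "Users" and pub == "Visitors":
        findings.append("manager is in VisitorGroup: publication forces Visitors table")
    if cms == "Users" and pub is None:
        findings.append("manager lacks SmartsiteAccessGroup: no publication access")
    if VISITOR_GROUP in groups and ACCESS_GROUP not in groups:
        findings.append("VisitorGroup without SmartsiteAccessGroup: no access")
    return pub, cms, findings


# Constructed sample memberships (not real accounts).
SAMPLE = {
    "editor01": ["smartsiteaccesslocal", "manageraccesslocal"],
    "reader01": ["smartsiteaccesslocal", "sitevisitors"],
    "mixed01": ["SmartsiteAccessLocal", "sitevisitors", "manageraccesslocal"],
    "orphan01": ["sitevisitors"],
}

if __name__ == "__main__":
    for name, member_of in SAMPLE.items():
        pub, cms, findings = audit(member_of)
        print(f"{name}: publication={pub} cms={cms} findings={findings or 'none'}")
```

Accounts such as mixed01 are the case the article warns about: the CMS environment maps them to the users table while the publication environment forces them to the visitors table.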