Question

Photo of Hock_Hin Lee

0

"View only" security role

Is there a "View Only" security role?  i.e. the user with this role can only view the contents in Rock but not change it in any way.

If there is no such role, how easy is it to create such a role?

  • Photo of Jeremy Hoff

    1

    As a starting point, how to setup a role to view only the Person Profile Page. Where to begin with the setup? Thanks

    Start in Rock > Security > Security Roles and create a new role titled "Read-Only".
    Then on the Person Details page, edit the Page Security to include "View" for the new roll "Read-Only"
    Then edit Block Security for each Block to include "View" access for the new roll "Ready-Only".

    This is the safest way I can think of.  Alternatively, you could copy the "Staff-Like" Security Role and then edit security to /remove/ Edit access where needed... this will speed the role creation but removing security means extra vigilance.

    I'll give a nod to Jim Michaels excellent "Demystifying Rock Security" subscription video, which can help in more ways that just this: https://community.rockrms.com/subscriptions/rx2019 

    I hope that helps!

    • Hock_Hin Lee

      Created the Read Only role, added role to Person Detail page, assigned role to user.
      Cannot login, I think because no rights to page after successful login. Tried to add Read Only role to the page after login, but that page cannot configure for security. Did I do something wrong?


      BTW, I am testing these on version 7.6

    • Hock_Hin Lee

      Looking at the Page Security for the Person Details page, I noticed that only Administrators are allowed to Edit and/or Administrate. Yet, User with Staff Like Workers role can Edit the person's data.


      The Security help notes for the Edit tab goes like this:-
      The roles and/or users that have access to edit blocks on this page or any child page, when those block or pages don't specifically define security for the current user (i.e. when this page is used as a 'parent authority').


      My interpretation of Edit from the text above is Editing the blocks and fields on the page, and NOT about Editing the data contents of the fields. Have you tried creating a read only role?

  • Photo of Jeremy Hoff

    1

    Have you tried creating a read only role?

    Yes :-)

    Cannot login, I think because no rights to page after successful login. Tried to add Read Only role to the page after login, but that page cannot configure for security. Did I do something wrong?

    Nothing wrong, just need to do more. For example, the site has security as well and you'll want to add the new Role there with "View" rights under Rock > CMS > Sites.  This is because the default "All Users" role is "Deny" for the internal site.

  • Photo of Jeremy Hoff

    0

    Hi Hock,

    Setting up a "Read Only" role is doable. I'll say that "contents of Rock" is a pretty broad term... lots of attributes, entities, places that focus on security I'm not sure which content you're referring.  You may need to setup a role and define the areas specifically...

    • Hock_Hin Lee

      As a starting point, how to setup a role to view only the Person Profile Page. Where to begin with the setup? Thanks

    • Hock_Hin Lee

      A clarification after playing with security roles for some time,
      I want to allow the user to view the data of people in Rock, but not able to change any of the data about these people

  • Photo of Hock_Hin Lee

    0

    Jeremy, sorry to bother you again.

    I managed to create a Read Only Role, assigned to a user and it works!  However, in the Smart Search section, the drop down list (as you enter info into the search field) does not appear.  The Smart Search still works AFTER I press the Enter key, but no interactive drop down list.  I could not find the place to increase permission for this feature

    Smart Search drop down list 2020-02-14 100704.png

    • Hock_Hin Lee

      Found the answer. Added my new Read Only Role to the Search Controller within the Security > REST Controllers > Security Lock/permissions