
Kentico User and Role Management


I am running Kentico 11. I have a section of the site that requires user login to read and download some hidden content.

Those users are stored in the Configuration -> Users table. I have a custom Role that these users are assigned to so they can login and view the content & download files. We have an external (CRM) system that is integrated with Kentico. This CRM automates the User account creation & Role assignment based on yearly training records. So the user accounts do not get manually created. CRM manages the creation & deactivation. This is working as intended with 1,000s of users.

Business requirements have changed and now require two levels of access. This will require a 2nd Role to be created. First tier will allow basic access to content. A new 2nd tier (additional Role) will allow access to the file downloads.

The first tier will remain managed by the 3rd party integration from CRM (account & 1st role assigned). The 2nd tier will have to be manually controlled. Someone will have to login to Kentico, Configuration -> Users. Search for the user and add the 2nd Role.

To avoid putting the burden on the programmers I need to allow some of my non-technical team (customer support, product management) to be able to manage the Users.

These non-technical team members do not have Kentico CMS accounts. I do not want to make them Administrator and give them "keys to everything".

My question is specific to Configuration -> Permissions -- can I give my non-technical team the Read permission to "CMS Basic User" and Manage User Roles "Contractor" (and my custom role 1st) and expect that they will be able to log in to Kentico, navigate to Users and maintain my Contractors?

This is expected to allow them to view my contractors, and add them to a new 2nd role "Contractor Download". Take bob.smith@someemail.com for example. Bob is a contractor, the CRM tool added him to the Users Table with the roles Authenticated, Everyone and Contractor. Bob has completed some training and now needs the Contractor Download role.

Is the appropriate best-practice in Kentico to give my non-technical staff the CMS Basic User role & Contractor Role so they can manage our contractors? Is there a risk to this configuration? Will they be able to manage other roles? I do not want them to be able to edit content management, ecommerce or any other configurations.


Solution

  • It can be hard to give permission to manage one role but not the other. Usually in terms of UI permissions, you either have permission to the entire operation or you don't.

    While using Kentico's back end UI would be beneficial, and giving them an account with limited administrative roles I think would be fine, what I would do is create a custom user interface and give them access to that UI, and all that UI element would be is a drop down of available users to assign to the role, and a button that would use Kentico's API to assign them.

    You can make the entire thing using the Custom Control webpart and point to your ascx, don't need anything particularly fancy.

    The API to assign the role is pretty simple:

    UserRoleInfoProvider.AddUserToRole(ValidationHelper.GetInteger(ddlAvailableUsers.SelectedValue, 0),
        RoleInfoProvider.GetRoleInfo("ContractorDownload", SiteContext.CurrentSiteName).RoleID);

    Make the drop down a list of (UserID, UserFullName) using the following dataset:

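    // Requires: using System.Linq; using CMS.Membership; using CMS.SiteProvider;
    // GetRoleInfo takes the role code name and the site name.
    int contractorRoleId = RoleInfoProvider.GetRoleInfo("Contractor", SiteContext.CurrentSiteName).RoleID;
    int downloadRoleId = RoleInfoProvider.GetRoleInfo("ContractorDownload", SiteContext.CurrentSiteName).RoleID;

    // Users currently in the Contractor role
    int[] UserIDsInContractorRole = UserRoleInfoProvider.GetUserRoles()
        .WhereEquals("RoleID", contractorRoleId)
        .Select(x => x.UserID).ToArray();

    // Users who already hold the ContractorDownload role
    int[] UserIDsAlreadyAssigned = UserRoleInfoProvider.GetUserRoles()
        .WhereEquals("RoleID", downloadRoleId)
        .Select(x => x.UserID).ToArray();

    // Contractors who have not been given the download role yet
    ddlAvailableUsers.DataSource = UserInfoProvider.GetUsers()
        .WhereIn("UserID", UserIDsInContractorRole)
        .WhereNotIn("UserID", UserIDsAlreadyAssigned)
        .Columns("UserID, FullName")
        .OrderBy("FullName")
        .Result;

    ddlAvailableUsers.DataValueField = "UserID";
    ddlAvailableUsers.DataTextField = "FullName";
    ddlAvailableUsers.DataBind();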
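
Added example, not part of the answer above: a sketch of the button handler for such a custom control that re-checks authorization on the server before granting the role, so the page cannot be used to manage any role other than ContractorDownload. The class name, the `btnAssign` and `lblResult` controls, and the "ContractorManager" role for support staff are assumptions made for illustration.

```csharp
using System;
using CMS.EventLog;
using CMS.Helpers;
using CMS.Membership;
using CMS.SiteProvider;

// Hypothetical code-behind for the custom control; ddlAvailableUsers is the
// drop-down from the answer, lblResult and btnAssign are assumed controls.
public partial class ContractorDownloadAssign : System.Web.UI.UserControl
{
    private const string ManagerRole = "ContractorManager"; // assumed role held by support staff
    private const string SourceRole = "Contractor";
    private const string TargetRole = "ContractorDownload"; // the only role this page may grant

    protected void btnAssign_Click(object sender, EventArgs e)
    {
        string site = SiteContext.CurrentSiteName;
        var staff = MembershipContext.AuthenticatedUser;

        // 1. Re-check the caller on every postback; hiding the page is not enough.
        if (staff == null || !staff.IsInRole(ManagerRole, site))
        {
            lblResult.Text = "Not authorized.";
            return;
        }

        // 2. Treat the posted value as untrusted: it must be an existing user
        //    who already holds the Contractor role.
        int userId = ValidationHelper.GetInteger(ddlAvailableUsers.SelectedValue, 0);
        UserInfo target = UserInfoProvider.GetUserInfo(userId);
        if (target == null || !target.IsInRole(SourceRole, site))
        {
            lblResult.Text = "Selected user is not a contractor.";
            return;
        }

        // 3. The granted role is fixed in code, never read from the request.
        RoleInfo role = RoleInfoProvider.GetRoleInfo(TargetRole, site);
        if (role == null) { lblResult.Text = "Role not found."; return; }
        if (UserRoleInfoProvider.GetUserRoleInfo(userId, role.RoleID) == null)
        {
            UserRoleInfoProvider.AddUserToRole(userId, role.RoleID);
            // 4. Leave an audit trail of who granted the role to whom.
            EventLogProvider.LogInformation("ContractorDownloadAssign", "ROLEGRANT",
                staff.UserName + " added " + target.UserName + " to " + TargetRole);
        }
        lblResult.Text = "Role assigned.";
    }
}
```

With this in place the support staff need only the assumed manager role and access to the page hosting the control, not the Users application or any Manage User Roles permission.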