Note: You can access the Security Page by clicking the Security button at the top of the page.
-Local Rights and Cascading Rights
-SSL and "real" security
|Inherited and Local Rights|
Notice in the picture that there are two rows of Rights listed under Inherited Rights: Administrators and Everyone. Administrators have True for every right, allowing them to edit pages. However, Everyone (a special Group that represents regular website visitors) only has List and View.
Local Rights are ones set on the current page. They apply to this page and all of those below it. You can add new Users or Groups to this list by clicking on the green New button at the bottom. Click on a User or Group to add it to this page.
Note: Local Rights always override Inherited Rights. This means that if you want to hide a certain page, you simply set List to No for the group in question.
Note: Be careful setting rights to restrict the Administrator access. You can unwittingly lock yourself out of the website.
Individual Rights can be granted or denied by setting a single one to Yes or No. Leaving it blank allows it to inherit the rights from above.
Note: A user will automatically have a combination of rights. They have all of the rights granted to the Everyone account, and then any granted to them personally. If they are logged in, they also have any rights granted to the special Logged in Users group, and any granted to their specific group.
Warning: The /system directory contains all of the private information such as orders, mailing lists, emails, etc. Be extra careful to ensure that "Everyone" is set to not have any "View" or "List" access to this information.
You can double check the security for any system directory by going to the page: /acl.htm. For example, to check the security on the system directory for www.yourdomain.com, log in and go to www.yourdomain.com/system/acl.htm. Check to make sure that Everyone doesn't inherit "View" rights of "Yes". Also check to make sure that Everyone doesn't have a Local "View" Right of "Yes" either.
You may need to expose mailing lists for use as membership directories on visible parts of the site. It's best to handle this by giving access to a list directly and not the whole system directory.
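The inheritance rule and the /system check described above can be modelled in a few lines. This is an added example, not Invisible Gold code: the ACL data, the page paths under /system, the "never set means not granted" default and the "any principal's Yes grants the right" combination are all assumptions made for illustration.

```python
# Simplified model of the rights rules described on this page (assumed, not Invisible Gold code).
# ACLS maps page path -> {principal: {right: True/False}}; a missing right means "blank" (inherit).
ACLS = {  # constructed sample site
    "/": {"Everyone": {"List": True, "View": True},
          "Administrators": {"List": True, "View": True, "Edit": True}},
    "/system": {"Everyone": {"List": False, "View": False}},
    "/system/lists/members": {"Everyone": {"View": True}},  # hypothetical exposed list
    "/system/orders": {},  # nothing local: inherits from /system
}

def ancestors(path):
    """Yield the page itself, then each parent up to the root."""
    parts = [p for p in path.split("/") if p]
    for i in range(len(parts), -1, -1):
        yield "/" + "/".join(parts[:i])

def resolve(acls, path, principal, right):
    """Nearest explicit Yes/No wins (local overrides inherited); blank keeps looking upward."""
    for page in ancestors(path):
        value = acls.get(page, {}).get(principal, {}).get(right)
        if value is not None:
            return value
    return False  # never set anywhere: treated as not granted (assumption)

def effective(acls, path, principals, right):
    """A visitor holds a right if any of their principals resolves to Yes (assumed union)."""
    return any(resolve(acls, path, p, right) for p in principals)

def audit_system(acls, root="/system"):
    """Return (page, right) pairs under root where Everyone can List or View."""
    findings = []
    for page in sorted(acls):
        if page == root or page.startswith(root + "/"):
            for right in ("List", "View"):
                if resolve(acls, page, "Everyone", right):
                    findings.append((page, right))
    return findings

if __name__ == "__main__":
    for page, right in audit_system(ACLS):
        print(f"Everyone has {right} on {page}: confirm this exposure is intended")
```

With the sample data, the only finding is the deliberately exposed list; the orders page stays hidden because it inherits the No set on /system.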
This Right grants or denies the ability to see a link to the page. For example, you would set this to False or No if you want to hide a page. Keep in mind that this can be separate from the ability to View the actual page.
This Right grants or denies the ability to load a page. If a person tries to access a page that they can't View, they will see a Login page instead.
Note: You can use this very effectively to show a link to a page but require them to login to view it.
This Right grants or denies the ability to make changes to the text or upload/delete images from a page. Keep in mind that it doesn't allow them to see the whole Administrative interface (buttons on the left and top). In fact, they don't even need to be logged in.
With Edit rights, the user will see an Edit button on the page when they access it.
This Right grants or denies the ability to delete this page and/or its child pages. It is rare that someone would grant the right to delete pages but not create new ones.
This Right can be used to create a page that users can submit new pages to but not delete old ones. (Users cannot see the pages that have been added...but they can add new ones.)
You can also create pages that users can edit but not delete and/or not create new pages underneath.
This Right grants or denies the ability to access this security page. It is very common to give a user the ability to create and edit pages, add children, etc., but not the ability to set security.
Note: Be careful who you grant this ability to. They could effectively lock you out of a section of your website.
Note: This isn't a replacement for security that restricts access to individual resources. Invisible Gold can still allow a visitor to download files or images on pages they don't have rights to see. To most users this will be secure. Text itself is encrypted, but uploaded files are not specifically protected.