Setting up Publishing: Assigning Publishing Rights

On This Page

Understanding User Roles
Setting up Rights and Rights Groups
Best Practices
Assigning Publishing Rights to Users
Assigning Ownership of Templates
Adding LDAP Users and Groups
Changing the Navigation Framework
Using Hierarchy-Based URLs or Unique ID-Based URLs
Disabling or Enabling Hierarchy-Based URLs
Miscellaneous Tips

Understanding User Roles

Every Microsoft Content Management Server 2001 (MSCMS) user, from subscribers who browse your site to read postings, to administrators who set up the site, is assigned a role. All users can be assigned to more than one role. There are five keys to understanding user roles:

  1. Roles are tied to channels, folders, or galleries.

    Example: Dave is an author in the Sales folder, Mary is an editor in the Sales folder, and Ann is a moderator in the Sales channel.

  2. Roles are not system-wide.

    Example: Dave is an author in the Sales folder, and he is also an author in the Company News folder, but he is not an author in any other folders.

  3. A user can have more than one role.

    Example: Ann is an author in the Sales folder; in the Marketing folder, Ann is an editor.

  4. Some roles overlap others.

    For instance, you may be both an author and an editor in one folder.

  5. You see only the parts of MSCMS 2001 you need for your roles.

    Example: if a user has been assigned to the moderator role only, they'll see only the channels hierarchy in the MSCMS 2001 Site Builder.

Subscribers

Subscribers are users inside and outside your organization who have been given access to channels in order to view pages published on your site. Inside users are given access through their membership in one or more subscriber groups. Outside users can log in to your site as guests. They browse channels to which guest subscribers group members have been given access.

Subscribers do not have access to the MSCMS 2001 authoring environment unless they are also an author, editor, resource manager, template designer, or administrator. You can assign any Windows 2000 or LDAP account to the subscriber role, provided the account resides on a domain that is in a trust relationship with the machine hosting the server. Subscribers can use their browsers to view pages published on the channels they're subscribed to.

A subscriber can be a user who has been assigned to the subscriber role only, and therefore does not have rights to participate in content publishing. However, content creators (authors, editors, moderators, resource managers, and template designers) must be given subscriber rights to the containers they will work in. This allows content creators to use their browsers to view content they have created on the Web site.

Authors

Authors create pages and submit them for approval by an editor. Some users are authors in more than one folder.

Authors also usually post their pages to a channel, though this may be left for others—such as an editor—to do. A posting contains the following information:

  • the page to be published

  • which channel to publish it on

  • the date the posting is available to subscribers

  • the date the posting expires.

Editors

The editor role overlaps the author role. As well as doing everything authors do, editors approve pages for publication. Editors can be assigned to more than one folder.

Editors ensure that pages are accurate and decline inaccurate or otherwise inappropriate pages. They can ask the author to revise such a page, or revise it themselves before approving it.

Editors are assigned to Site Builder folders. Although folders do not appear on your site, editors can do their work in the Web Author exclusively. The Web Author has a search tool that allows editors to search for pages waiting for approval.

Moderators

Moderators approve or decline postings to their channels. This ensures that the schedule and content are appropriate and relevant for each posting on a channel. Moderators can reject inappropriate postings, and can ask for the schedule, the page, or both to be revised. Alternatively, they can revise a posting's schedule before approving it. However, they cannot revise the page content itself. Moderators can also change the order of postings.

Resource managers

Resource managers are mainly responsible for 'stocking' resource galleries with resources. Resources are any file type that can be added to a page or template, including:

  • Microsoft Word documents

  • PDF files

  • ZIP files

  • image files

  • MP3s.

Only users with resource manager rights can delete or create resources.

Template designers

There are two types of templates: page templates and navigation templates.

  • Page templates are used to create pages. Every MSCMS 2001 page uses a page template.

  • Navigation templates allow subscribers to navigate the channels of an MSCMS 2001 site in order to view postings.

Users who create page templates are page template designers, and users who create navigation templates are navigation template programmers. Both act in the template designer role.

Administrators

The administrator role is special in the MSCMS 2001 system. Administrators can do any task any other role can do; however, administrators are solely responsible for setting up MSCMS 2001 hierarchies (folder, channel, gallery) and rights groups. Administrators automatically have subscription rights to all channels.

Note To view users on a domain, the administrator's account must have "Access computer from network" rights on that domain's Primary Domain Controller (PDC). If these rights have been removed, administrators cannot assign rights or add users to rights groups. If "Access computer from network" rights have been removed, ask your network administrator to reassign them.

Setting up Rights and Rights Groups

Setting up rights consists of:

  • creating rights groups

  • adding role members to the rights groups

  • assigning containers for members of the rights groups to work in.

These tasks are explained in the following sections.

Note Domain trust relationship issues may cause the Site Builder to be unable to display the list of users from your domain. The administrator's machine account should be on the same domain as the MSCMS 2001 server.

Understanding rights and rights groups

Rights allow users to act in (or on) a given container. To have rights in a container, a user must be a member of an MSCMS 2001 rights group, which is a group of one or more users. Each role has its own set of rights groups.

A user's rights depend on the rights groups they have been assigned to. For example, to make a person the moderator of a channel named Sales, you would:

  • create a moderator rights group

  • add the user to the moderator rights group

  • give the rights group access to the Sales channel.

Administrator rights group membership

Administrators have all rights in and to all containers. Therefore, you don't assign containers to the administrator rights group, and cannot remove them from it. There is only one administrator rights group, which is created when MSCMS 2001 is installed. You can create one or more rights groups for each role except the administrator's role.

Keep the number of members in the administrator rights group to a reasonable minimum. This helps centralize administrative control of the whole system, and prevents confusion caused by giving too many users powerful rights.

Subscriber rights group membership

Generally, you want members of any subscriber rights group to have access to the channels that have been assigned to the Guest Users rights group. If a subscriber rights group has access to only a few channels, it may save time to assign those channels to the Guest User rights group.

Note that if a user has author or editor rights to a channel, they have subscription rights to the channel automatically.

Assigning rights to template designers

Page template designers often must have template galleries created for specific purposes. However, only MSCMS 2001 administrators have rights to create containers. Therefore, some users whose primary function is to create and edit page templates may need to belong to the administrators rights group so they can create their own containers.

For example, if MSCMS 2001's "switching" templates are used, a page template designer needs to create and store switching templates in a gallery designated exclusively for switching templates. Authors should not have access to galleries that contain the "alternate" templates.

Navigation template programmers assign navigation templates to channels. You may want to assign navigation template programmers to the administrators rights group so they can assign navigation templates to channels themselves. Users can view navigation template properties only if they have rights to those template galleries.

Synchronizing MSCMS 2001 user names with Windows domain user names

Removing users

If an MSCMS 2001 user has been removed from the Windows 2000 domain (shown as NT domain in the dialog box), the user's name remains in the MSCMS 2001 database.

Best Practices

Creating Windows 2000 or LDAP groups for MSCMS 2001 rights groups

For future work, you can save time by creating Windows 2000 or LDAP groups for each rights group you create. You can add a Windows 2000 or LDAP group to a rights group, rather than adding members individually. This way, you can add or remove users from the Windows 2000 or LDAP groups, allowing the rights groups to update automatically.

Pages that are cross-posted to multiple channels but share underlying content are said to be "connected." Authors and editors can do the following tasks using the Web Author:

  • create and publish connected pages

  • edit connected pages

  • copy, move, and delete connected pages.

Assigning Publishing Rights to Users

Assigning publishing rights, step 1: creating a rights group

  1. Display the list of user roles by selecting the User Roles icon.

  2. Click a user role. A list of existing rights groups for that role is displayed on the right.

  3. Right-click an existing rights group, or anywhere within that list, and select New Group. A new rights group is added to the list.

  4. Name the rights group to make it easy to identify. For example, if it's a rights group for authors who'll create content related to inside sales, name it "Inside Sales Authors." (MSCMS 2001 disallows duplicate names of rights groups.)

    Enter a description

  5. Double-click the rights group. The Properties dialog box opens.

  6. On the General tab of the dialog box, enter a description of up to 256 characters. This description should indicate which containers the rights group has rights to.

Assigning publishing rights, step 2: adding members to a rights group

Once a rights group is created, the next step is to add members.

  1. Click the Group Members tab in the Properties dialog box. The tab displays a list of existing Windows domain groups or LDAP Organizational Units (for Site Server or Active Directory), if any have been assigned to the MSCMS 2001 rights group.

  2. Click the Modify button. The Modify Members dialog box opens.

  3. Click Synchronize, if new users have been recently created. The Modify Members dialog box updates to show all Windows NT domains and LDAP server contents. Note that there is a text box, Display List, that shows the number of pages. The number of pages equals the total number of users/groups in the domain divided by 1000, rounded up. So, if a domain contained 40,001 users/groups, the text box would show 41 pages.

  4. Select a domain name in the Modify Members dialog box. The domain members field lists the domain groups if using Windows 2000, and the Organizational Units if using Site Server, or the Organization Units and containers if using Active Directory.

    Caution Generally, you want members of any subscriber rights group to have access to the channels that have been assigned to the Guest Users rights group. If a subscriber rights group has access to only a few channels, it may save time to assign those channels to the Guest User rights group.

  5. Click "Select from list of all groups and users" from the drop-down list.

  6. To add a group and all its members to the rights group, select the group and click Add. The group moves to the Rights Groups Members area.

  7. To hand-pick members of a group, select a group and click Members. The Group Members dialog box opens either for LDAP or Windows 2000 (shown as NT Group Members on dialog box).

  8. In the Group Members dialog box, click the check box beside a user's name to add users to the rights group. When finished, click OK.

  9. To select individual members from the list, double-click (or select them and click Add) to add them to the Rights Groups Members box.

  10. Click OK on the Modify Members dialog box. The dialog box closes, and the selected user names appear in the Rights Groups Members area on the Group Members tab.

    Note To force an immediate refresh of your Site Builder, click Synchronize. Otherwise, your Site Builder will be updated to reflect the changes within approximately 15 to 20 minutes.

  11. You can also select groups and users manually by clicking "Manually enter groups and users" from the drop-down list.

Assigning publishing rights, step 3: assigning containers to a rights group

Once a rights group has been created and members have been added to it, the next step is to choose which containers those members will work in.

Subscription rights to a channel are automatically set when a channel is assigned to any rights group. This allows the rights group members to view content published to the channel in their browser.

Ensuring subscription continuity

Read this section before following the procedure to assign containers to a rights group.

Your site's navigation templates may have been set up to crawl the virtual directories and display channels in the same hierarchical order as your Site Builder. If this is the case, to view pages in a channel, a subscriber must have rights to the channel directly above it in the channel hierarchy. This is called subscription continuity.

In the rights configuration shown above, Inside_Sales subscribers won't be able to view the Frameless channel even though it's assigned to the rights group. The continuity chain between the root channel ("Channels") and Inside_Sales is broken because Inside_Sales' parent channel, Frameless Sample, isn't assigned to the group. However, if hierarchy-based URLs are used and Inside_Sales subscribers know the full path name, they can view pages published there.

Continuity is not required for any containers (including channels) for any rights groups other than subscribers, except where viewing rights are not allowed (see the section on pruning containers for viewing rights in Chapter 5, "Using the Server Configuration Application" in the MSCMS 2001 Setup Guide). 
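
The continuity rule above can be checked mechanically before rights are assigned. The following Python sketch is an added example, not part of MSCMS 2001 or of the original guide; the data layout, the group names, and the assumption that every ancestor (root included) must be assigned to the same subscriber rights group are illustrative.

```python
# Added example: subscription-continuity audit over a constructed rights model.
# The data layout is an assumption for illustration, not an MSCMS 2001 export format.

def ancestors(path):
    """Ancestors of a channel path, from the root down to the direct parent."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def audit_group(assigned):
    """Split one subscriber rights group's channels into navigable and broken.

    Assumption: every ancestor, root included, must be assigned to the same
    rights group before navigation templates will lead a subscriber to a channel.
    Returns (navigable, broken); broken maps channel -> list of missing ancestors.
    """
    assigned = set(assigned)
    navigable, broken = [], {}
    for channel in sorted(assigned):
        missing = [a for a in ancestors(channel) if a not in assigned]
        if missing:
            broken[channel] = missing
        else:
            navigable.append(channel)
    return navigable, broken


def channels_to_add(broken):
    """Smallest set of extra assignments that restores every broken chain."""
    return sorted({a for missing in broken.values() for a in missing})


def audit(groups, hierarchy_urls_enabled):
    """Per-group report. Broken channels are flagged, not dropped, because the
    page notes they stay viewable by full path under hierarchy-based URLs."""
    report = {}
    for name, assigned in groups.items():
        navigable, broken = audit_group(assigned)
        report[name] = {
            "navigable": navigable,
            "broken": broken,
            "add_to_fix": channels_to_add(broken),
            "viewable_by_full_path": sorted(broken) if hierarchy_urls_enabled else [],
        }
    return report


# Constructed sample: channel names follow the page's example.
SUBSCRIBER_GROUPS = {
    "Inside Sales Subscribers": [
        "Channels",
        "Channels/Frameless Sample/Inside_Sales",   # parent channel not assigned
        "Channels/Marketing",
        "Channels/Marketing/Newsletter",
    ],
    "Newsletter Readers": ["Channels/Marketing/Newsletter"],  # no ancestors assigned
}

if __name__ == "__main__":
    for group, result in audit(SUBSCRIBER_GROUPS, hierarchy_urls_enabled=True).items():
        print(group)
        for channel, missing in result["broken"].items():
            print(f"  broken: {channel} (missing {', '.join(missing)})")
        print(f"  assign to restore continuity: {result['add_to_fix']}")
```
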

  1. Click the Group Rights tab in the rights group's Properties dialog box. The tab displays a list of hierarchies for the containers that can be assigned to the rights group.

  2. You can assign containers to rights groups in two ways:

    • To assign one container to a rights group, click the name of a container you want to assign to the Rights Group. The "X" beside the container name changes to a check mark.

    • To assign a container and all of its subcontainers ("children"), right-click the container and select Propagate Rights to Children. Each cross beside the container and all its children changes to a check mark.

    To learn about a container, hold your pointer over its name to display its description.

    Tip To get more information about a particular container to help decide if you should assign it to a rights group, right-click and select Properties, then click the Rights tab. The tab displays a list of rights groups already assigned to the container. (With folders, the Default Posting Channel information on the General tab should also be helpful.)

  3. Assign at least one appropriate container from each container category displayed on the Group Rights tab, then click OK.

    Note Once a channel has been assigned to a user, the user is automatically subscribed to that channel. If users do not wish to see (in their browser) content published to channels they've been automatically subscribed to, they can unsubscribe themselves from channels.

Deleting user accounts

When a user login ID is deleted from the network, it still appears in any rights groups it was previously added to. If an MSCMS 2001 user leaves your organization, remove the user from the rights groups they had been assigned to.

Assigning Ownership of Templates

The templates shipped with MSCMS 2001 are assigned to "Everybody." You must reassign ownership of these templates to template designers, in order to distribute responsibility for editing and maintaining them.

Template ownership can be limited to one person, or granted to all users who have rights in the gallery where the template is stored. Until ownership is explicitly changed, the template designer who created the template owns it.

Changing the owner of a template

  1. Display the hierarchy of templates by selecting the Template Gallery icon in the Site Builder.

  2. Expand the template gallery hierarchy as necessary.

  3. Select a gallery containing a template whose ownership you want to change.

  4. Right-click the template and select Properties. The Template Properties dialog box opens.

     

  5. Click the Browse button. The Select Owner dialog box opens.

  6. Select a domain from the Domain Name drop-down list. The domain user groups and names appear in the Domain Members box.

  7. Select the name of a template designer who has rights in the gallery the template is stored in and click OK.

Adding LDAP Users and Groups

Note In the context of this section, the term LDAP refers to both Site Server and Active Directory.

To add LDAP users and groups to an existing rights group:

  1. Open the Site Builder.

  2. Select the User Roles icon. Click one of the roles, for example, the Subscribers user role.

  3. From the list, select the user group you want to add members to. Double-click the group. The user group's Properties dialog box opens.

  4. Select the Group Members tab.

  5. Click the Modify button—the Modify Members dialog box opens.

  6. Click Synchronize, if new users have been recently created. The Modify Members dialog box will update to show all LDAP server contents.

  7. Select a Domain Name in the Modify Members dialog box. The Domain Members field lists the domain members, including individuals and groups.

    If you select a Site Server Membership Server group and anonymous access to the LDAP server is not allowed, and you are not already logged in to the LDAP server, you receive a login prompt.

    Enter your full LDAP Server login name, for example

    cn=Administrator,ou=Members,o=CompanyName

    and the LDAP password. Click Continue.

    Note You can use the name and password of any LDAP user with sufficient rights to view the list of groups and users on the Membership Server. Administrators need an LDAP user name and password (in addition to their NT directory service user name and password) to create and maintain subscriber groups.

  8. Select a domain member and click Members. The Group Members dialog box opens.

  9. In the Group Members dialog box, click the check box beside a user's name to add users to the rights group. When finished, click OK.

  10. Click OK on the Modify Members dialog box. The dialog box closes, and the selected user names appear in the Rights Groups Members area on the Group Members tab.

About AD nested groups and log on conventions in MSCMS 2001

  • We offer limited support for Active Directory nested groups on domains running in native mode. You can log on to MSCMS 2001 as members of a subgroup if its parent group is granted rights to MSCMS 2001, but you cannot expand the nested group.

  • Distinguished names are displayed only if they cannot be converted from domain names to canonical format due to network problems. Otherwise, domains (and only domains) are displayed in canonical format (Microsoft.com).

    So, for example, if you selected Microsoft.com as your domain and Microsoft.com/Users as your container in the Server Configuration Application (SCA), you would see Microsoft.com in the domain list when logging in.

    Users can specify their logins as follows:

| Domain selected | User name format | Example |
| --- | --- | --- |
| Windows NT 4.0 format | user's login | WinNT://Microsoft/jsmith |
| Active Directory domain - distinguished name format | relative distinguished name | Depends on how the user was created in Active Directory. The format can be user's login if first name and last name are not specified, or it can be first name, middle name, and last name. |
| Active Directory domain - canonical format | You can also log in directly using the UPN format (jsmith@domain.com) and bypass selecting a domain. | jsmith@Microsoft.com |

Changing the Navigation Framework

Much of the look and functionality of the Web interface is controlled by navigation templates and system resource files. Therefore, your Web interface can be customized by following the guidelines, instructions, and examples in the MSCMS 2001 Site Programmer's Guide.

About navigation templates

Navigation templates allow subscribers to navigate the channels of a site in order to see postings. MSCMS 2001 offers a selection of ready-to-use navigation templates. Your navigation programmers can edit those, or create new ones to suit your purposes. For more information, see the MSCMS 2001 Site Programmer's Guide.

The software ships with a default navigation template assigned to the root channel. When you create a channel hierarchy below the root channel, each subchannel automatically inherits the navigation template of its "parent" container. If the navigation template is changed for a channel, you can choose whether or not that change is cascaded to the children.

Using Hierarchy-Based URLs or Unique ID-Based URLs

What are hierarchy-based URLs?

A hierarchy-based URL is an address for an item stored in an MSCMS 2001 hierarchy. For example, the URL for an MSCMS 2001 page might look like this:

https://www.example.com/Marketing/Newsletter/CurrentIssue.htm

"CurrentIssue" is the name of a posting (Content Management Server 2001 adds a .htm extension to the URL for postings). It does not show the root channel name in the URL. The hierarchy for the URL is as follows:

Channels
  Marketing
    Newsletter
      CurrentIssue

Hierarchy-based URLs and non-English languages

In hierarchy-based URLs, MSCMS 2001 uses the names of channels in the language in which they appear on your site. Provided that the names of channels and postings use characters within the A to Z ASCII character set, hierarchy-based URLs are more compatible with Internet search engines.

Certain non-Roman characters may not map correctly to ASCII and, therefore, may not work properly on the Internet. For instance, non-standard characters in a URL are replaced by URL-encoded characters. This changes the names of channels as they appear in the Address field of a Web browser. For example, Infoseek cannot index pages where the URL contains the symbols ()@?#$%^&*. For Internet use, we recommend using Roman character-based names for pages and channels.

For information on setting up your MSCMS 2001 site for use by Internet search engines, see the section "Setting up for indexing by a Web search engine" in Chapter 4, "Managing Access."

Unique ID-based URLs

What are unique ID-based URLs?

A unique ID-based URL uses randomly generated numbers and letters to uniquely identify a channel or posting. The following is an example of a unique ID-based URL for a posting of an MSCMS 2001 page:

https://sample/NR/Intranet/Intranethome.asp?Mode=STORYRUNTIME&NodeGuid={E4D19123-9DD3-11D1-B44E-006097071264}

Disabling or Enabling Hierarchy-Based URLs

The option to choose between using hierarchy-based URLs or unique ID-based URLs is available from the Server Configuration Application. Refer to Chapter 5, "Using the Server Configuration Application" in the MSCMS 2001 Setup Guide for complete information about disabling or enabling hierarchy-based URLs using this tool.

Refreshing the Site Builder

Content Management Server 2001 stores and retrieves items in the cache whenever the Site Builder is used. When many users work at one time, the cached version of containers, pages, and postings can become unsynchronized with the current ones stored in the database. Refreshing the Site Builder ensures you are working with the latest version of containers, pages, and postings.

You can refresh the Site Builder with the Refresh or Global Refresh tools.

Refresh

The Refresh tool refreshes single items, such as a folder or channel. Right-click the page or channel and select Refresh from the pop-up menu.

Global Refresh

The Global Refresh tool refreshes all containers in the Site Builder. Click the Global Refresh icon on the Site Builder toolbar.

Miscellaneous Tips

Consecutively publishing pages

Publishing pages consecutively means you can create a new version of a page to replace the original on a given date. Note that the pages must be in the same channel. Pages can be published consecutively by:

  • naming the page identically to the original

  • setting the original page's expiry date to the date you want the posting for the new page to replace it

  • setting the start date of the posting for the new page to the date you want it to replace the original.

    If both postings share the same publishing dates, both appear in the run-time channel hierarchy and have the same name. So, to replace a posting it is not enough to set a second posting with the same name to start; you must also expire the first.

The approval process in one version of a page or posting is independent of that of any other version. Each version can be modified or approved at any time.

Consecutively publishing channels

You can create a version of a channel to replace the original on a given date by:

  • naming the new channel identically to the original

  • setting the original channel's expiry date to the date on which you want the new channel to replace it

  • setting the new channel's start date to the date you want it to replace the original.

    If the original channel and new channel share the same publishing dates, both appear in the run-time channel hierarchy and have the same name. So, to replace a channel, it is not enough to set a second channel with the same name to start; you must also expire the first.

Published channels inside an expired channel, or inside a channel with a start date in the future, do not display in the browser channel hierarchy. However, they appear in results from "What's Important."

Linking to an MSCMS 2001 channel or posting from an external source

Because your system could be using either unique ID-based or hierarchy-based URLs, the safest method of addressing the link is to navigate to the posting or channel in your browser, and copy the URL from your browser's address box. You may need to periodically update the link, because the URL is subject to changes made to its channel's hierarchy.

Bypassing the approval process

You can have authors publish pages directly, without editor or moderator approval, in any channel of your choice.

  1. Do not assign an editor to a channel's corresponding folder. MSCMS 2001 auto-approves pages submitted there.

  2. Do not assign a moderator to the channel. Postings submitted there are auto-approved.

You can use the auto-approval system to have content approved by an editor only, or by a moderator only, to suit your needs.
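
Because auto-approval follows from a missing editor or moderator assignment, and because deleted login IDs remain in rights groups (see "Deleting user accounts"), it is worth reviewing which publishing paths actually have a reviewer. The following Python sketch is an added example, not part of MSCMS 2001 or of the original guide; the rights-group records, the folder-to-channel mapping, and the account list are constructed sample data in an assumed layout.

```python
# Added example: approval-coverage audit over a constructed rights model.
# The structures below are illustrative assumptions, not an MSCMS 2001 export format.

RIGHTS_GROUPS = [  # constructed sample data
    {"name": "Inside Sales Authors", "role": "author",
     "members": {"dave"}, "containers": {"Folders/Sales", "Folders/Company News"}},
    {"name": "Sales Editors", "role": "editor",
     "members": {"mary"}, "containers": {"Folders/Sales"}},
    {"name": "Sales Moderators", "role": "moderator",
     "members": {"ann"}, "containers": {"Channels/Sales"}},
    {"name": "HR Authors", "role": "author",
     "members": {"ann"}, "containers": {"Folders/HR"}},
    {"name": "HR Editors", "role": "editor",
     "members": {"tom"}, "containers": {"Folders/HR"}},
]
# Folder -> channel its pages are posted to (constructed).
POSTING_CHANNEL = {
    "Folders/Sales": "Channels/Sales",
    "Folders/Company News": "Channels/Company News",
    "Folders/HR": "Channels/HR",
}
# Accounts that still exist in the domain (constructed); "tom" has been deleted.
ACTIVE_ACCOUNTS = {"dave", "mary", "ann"}


def role_holders(groups, role, container):
    """Members of every rights group of `role` that is assigned `container`."""
    found = set()
    for group in groups:
        if group["role"] == role and container in group["containers"]:
            found |= group["members"]
    return found


def stage_state(holders, active):
    """Classify one approval stage: 'none', 'stale-only' or 'staffed'."""
    if not holders:
        return "none"
    return "staffed" if holders & active else "stale-only"


def audit_approval(groups, posting_channel, active):
    """Return one finding per folder/channel publishing path."""
    findings = []
    for folder, channel in sorted(posting_channel.items()):
        editor = stage_state(role_holders(groups, "editor", folder), active)
        moderator = stage_state(role_holders(groups, "moderator", channel), active)
        if editor == "none" and moderator == "none":
            verdict = "auto-approved end to end"      # no editor and no moderator
        elif "stale-only" in (editor, moderator):
            verdict = "reviewer assigned but no active account"
        elif "none" in (editor, moderator):
            verdict = "single approval stage"         # editor only or moderator only
        else:
            verdict = "editor and moderator review"
        findings.append({"folder": folder, "channel": channel,
                         "editor": editor, "moderator": moderator,
                         "verdict": verdict})
    return findings


def stale_members(groups, active):
    """Rights-group members whose accounts no longer exist, keyed by group name."""
    return {g["name"]: sorted(g["members"] - active)
            for g in groups if g["members"] - active}


if __name__ == "__main__":
    for f in audit_approval(RIGHTS_GROUPS, POSTING_CHANNEL, ACTIVE_ACCOUNTS):
        print(f"{f['folder']} -> {f['channel']}: {f['verdict']} "
              f"(editor={f['editor']}, moderator={f['moderator']})")
    print("stale members:", stale_members(RIGHTS_GROUPS, ACTIVE_ACCOUNTS))
```
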