Guide to setting up secure Content Approval Workflows – 1 of 2

Optimizely Content Approvals are a mature and highly configurable feature. However, every project is different, and when designing an optimal workflow for our customers it is important to plan carefully to ensure a clean user experience while adhering to security principles when dealing with access rights.

The principle of least privilege (PoLP) refers to an information security concept in which a user is given the minimum levels of access – or permissions – needed to perform his/her job functions.

This is a key principle that we will take forward in designing our workflow.

Planning Content Approval Workflows

The key to planning an Approval workflow is defining the types of user roles who will be involved in a sequence.

For each user role you define, consider the “Principle of least privilege” in granting them permissions to your Optimizely system. We only want to give each role access that is absolutely necessary to the functioning of your optimal approval workflow.

Consider the following for each user role you are planning.

  • Should members of this user role have access to CMS or Commerce content or both?
  • Will the user role be responsible for approving or publishing content or both?
  • Can users in a role override the Approval sequence to publish content that has not gone through its full workflow?

Working Example

In the rest of this series we’ll work through setting up an optimal workflow to meet a requirement.

The Requirement

  • The Approval Workflow is to manage Commerce Content only
  • Products are added programmatically through an API integration and should enter the approval sequence automatically
  • Content to be approved only by designated language-specific approvers (English, Spanish, French). Spanish approvers can only review Spanish content.
  • The approvers have the ability to edit content during the review process
  • Content in all languages is published by a user with publishing permissions

Our User Roles

Given this requirement we can define 2 distinct roles

Content Reviewers

  • Edits and approves content assigned through a workflow
  • Cannot publish content

Content Publishers

  • Publish content in any language once assigned in the workflow after approval by a Content Approver
  • Does not approve content
  • However, can override an approval sequence for a product to force publishing even if it has not yet been approved by a Content Approver.

Code Base Updates

Virtual Roles

If you’re not familiar – this page will explain Optimizely virtual roles: Virtual roles | Optimizely Developer Community (episerver.com)

The “CatalogManagers” virtual role grants access for the Catalog system in Commerce only.

We will define two roles for our system, both of which map to the “CatalogManagers” virtual role:

ContentReviewers – Can review content that has been assigned

ContentPublishers – full permission to publish content. They have the ability to override approval sequences and force publish if required

In the web.config, map these roles to the “CatalogManagers” virtual role as follows:

      <add name="CatalogManagers" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="ContentReviewers, ContentPublishers" mode="Any" />

  

Avoid adding these roles to the “CommerceAdmins” virtual role. That should be kept for WebAdmins and Administrators only.

Content Repository Save Actions

The wrong Content Repository Save Action can cause the approval sequence to be overridden.

Review your code base to make sure that programmatically created content that should go through an approval sequence uses the “Request Approval” save action.

  _contentRepository.Save(writableContent, SaveAction.RequestApproval, AccessLevel.NoAccess);
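
One way to support this code base review, as an added example that is not part of the original post or of Optimizely's tooling: a small Python script that lists every `.Save(` call in C# source and marks the ones that do not pass `SaveAction.RequestApproval`. The sample source is constructed, and the text match is an approximation that will also pick up `Save` methods on unrelated types.

```python
import re

SAVE_CALL = re.compile(r"\.Save\s*\(")
SAVE_ACTION = re.compile(r"SaveAction\.(\w+)")

def call_arguments(source, open_paren):
    """Return the text between the '(' at open_paren and its matching ')'."""
    depth = 0
    for i in range(open_paren, len(source)):
        if source[i] == "(":
            depth += 1
        elif source[i] == ")":
            depth -= 1
            if depth == 0:
                return source[open_paren + 1:i]
    return source[open_paren + 1:]  # unbalanced input: take the rest

def audit_save_calls(source):
    """Return (line, save_actions, verdict) for every .Save( call found."""
    findings = []
    for match in SAVE_CALL.finditer(source):
        args = call_arguments(source, match.end() - 1)
        actions = SAVE_ACTION.findall(args)
        line = source.count("\n", 0, match.start()) + 1
        if "RequestApproval" in actions:
            verdict = "ok"        # enters the approval sequence
        elif actions:
            verdict = "review"    # literal action without RequestApproval
        else:
            verdict = "unknown"   # action passed in a variable: trace it
        findings.append((line, actions, verdict))
    return findings

# Constructed C# sample, not taken from a real project.
SAMPLE = """\
_contentRepository.Save(product, SaveAction.RequestApproval, AccessLevel.NoAccess);
_contentRepository.Save(
    fix,
    SaveAction.Publish | SaveAction.ForceCurrentVersion,
    AccessLevel.NoAccess);
_contentRepository.Save(draft, action, AccessLevel.NoAccess);
"""

if __name__ == "__main__":
    for line, actions, verdict in audit_save_calls(SAMPLE):
        print(f"line {line}: {verdict:8} {' | '.join(actions) or '(variable)'}")
```

Calls marked "review" or "unknown" are candidates for manual inspection, not confirmed bypasses; content that is intentionally outside the approval sequence will also show up here.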

Next Post

In the next post we will proceed to configure Optimizely Access Rights, User Groups, Roles and finally the Approval Sequence to meet our requirement while adhering to the principles outlined at the beginning of the post.
