Knowledge Base

Personalization and Access Control

Last Modified: 17 Jul 2019
User Level: Administrator +

Description

Personalization and Access Control give you greater control over who can view published pages.

With Access Control you can add an authentication requirement to a published page for site visitors. The authentication may be via a login screen using any configured authentication service (e.g. NTLM, LDAP, Shibboleth, TERMINALFOUR Local User Login, IP address or .htaccess file). For example, you might have a staff-only area of your site that should only be accessible by specific Groups or Users.

Check out the Access Control Module we've created to give you even more control over Access Control.

 Follow the steps below to configure and implement Access Control:

  1. Create the Access Control Type
  2. Create Access Control Profile
  3. Create PHP File Extension
  4. Configure the Channel
  5. Build the Site Structure
  6. Create & enable Page Layout with PHP ext
  7. Grant Group Access
  8. Publish the Channel
  9. Update the Configuration

You can also enable and use Hierarchical Access. This is related to Access Control but allows tighter restriction of access rules relating to Groups of Groups. For instance, if your home page is available to all Groups and then Subsections are available only to specific Groups, then Subsections will automatically inherit the rights of the parent page unless a more specific (or stringent) access rule is applied.

To enable hierarchical access rules, go to System Administration > Set up Sites & Channels > Access Control and check Enable Hierarchical Access Control.

Create an Access Control Content Type

First up, follow these instructions on setting up an Access Control Content Type.

Enable Access Control Content Type in System Administration

  1. Go to System Administration > Set up Sites & Channels > Access Control 
  2. Since it's now a System Control Type, you can select the Access Control Content Type from the Access Control Content Type drop-down list
  3. Click Save Changes

Now that an Access Control Content Type is set, you can select the Access Control tab in a Section, enable Access Control, and check the Group(s) that you would like to grant access to the published page from this Section.

Screenshot of the Access Control Tab with Access Control enabled in Section  

Create the Access Control Profile

Add the T4 Tag

<t4 type="accesscontrol" output="groupnames" />

Adding this T4 Tag to a Content Element will output a comma-separated list of the Group names that are flagged as having access to the published page:

 

  Screenshot of published page with list of Access Control Groups

However, we need to enforce this. To do this we use an Access Control Profile.

Access Control Profiles

Access Control Profiles let you specify how Access Control rules should be applied to the published page.

Go to Sites & Channels > Access Control. Create a new Access Control Profile and select Create New Basic PHP Access Control.

A basic profile has the following fields:

  • Name: The name of the Access Control Profile.
  • Description: An optional description of the Access Control Profile.
  • Code Before Section: The code that is output before a Section is published.
  • Code After Section: The code that is output after a Section is published (if any).
  • Code Before Link: The code that is output before a link is published.
  • Code After Link: The code that is output after a link is published.
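
How the published Group list can be turned into an enforcement decision in "Code Before Section" is sketched below. This is an added illustration, not TERMINALFOUR's shipped profile code; the function names, the session keys 'user' and 'groups', and the /login/ and /no-access/ paths are assumptions.

```php
<?php
// Added illustration, not TERMINALFOUR's shipped profile code.
// Assumed names: t4_access_decision(), t4_enforce(), the session keys
// 'user' and 'groups', and the /login/ and /no-access/ Section paths.

/**
 * @param string     $allowedCsv text published by the accesscontrol T4 Tag
 * @param array|null $session    visitor session, null when nobody is logged in
 * @return string 'allow', 'login' or 'no-access'
 */
function t4_access_decision(string $allowedCsv, ?array $session): string
{
    // Split on commas, trim each name, drop empties. A Group name that itself
    // contains a comma would be split in two and never match.
    $names   = array_map('trim', explode(',', $allowedCsv));
    $allowed = array_values(array_filter($names, fn($g) => $g !== ''));

    // Assumption: an empty list grants access to nobody (fail closed).
    if ($allowed === []) {
        return 'no-access';
    }
    if ($session === null || empty($session['user'])) {
        return 'login';
    }
    // Exact, case-sensitive match; one shared Group is enough.
    $mine = (array) ($session['groups'] ?? []);
    return array_intersect($allowed, $mine) !== [] ? 'allow' : 'no-access';
}

/** Run before any page output; exit so no protected markup follows a redirect. */
function t4_enforce(string $allowedCsv): void
{
    session_start();
    $decision = t4_access_decision($allowedCsv, $_SESSION ?: null);
    if ($decision !== 'allow') {
        $target = $decision === 'login' ? '/login/' : '/no-access/';
        header('Location: ' . $target, true, 302);
        exit;
    }
}

// Constructed sample sessions checked against a constructed Group list.
$samples = [null, ['user' => 'amy', 'groups' => ['Students']], ['user' => 'bob', 'groups' => ['Staff']]];
foreach ($samples as $s) {
    echo ($s['user'] ?? 'anonymous'), ': ', t4_access_decision('Staff, Finance', $s), "\n";
}
```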

Create a File Extension

File Extensions

You may be using server-side code like PHP or ASP.NET on your page. In this case you will need to ensure that the file extension has been created. Go to System Administration > System Settings > File Extensions. If you are using PHP and this file extension has not already been added, select Create New File Extension.

Screenshot of the file extension screen showing a PHP file extension being added

The extension value should not be preceded by a dot.

Configure the Channel

The Channel must be configured to publish content using the file extension (that you have added) and to enable Access Control. Go to System Administration > Set up Sites & Channels > Channels and edit the Channel that you want to use Access Control with.

Under Available File Extensions check Enable File Extension Overriding and permit PHP (if you are using PHP).

Under Access Control and Personalization, enable both Access Control and Personalization. From Configuration, select the Access Control Profile created earlier:

  Screenshot of the Channel settings required for Access Control Profile

 Click Save Changes when you are done.

These settings must be applied to a Channel and will have no effect when applied to a Microsite.

Build the Site Structure

Three new Sections are required, below the Section which has the Access Control applied.

  • Login
    • displays Login Screen (hidden from navigation).
  • No Access
    • displays a message to users who have restricted access (hidden from navigation).
  • Logout
    • displays a link to log out. Set the link to /?logout
    • not hidden from navigation.

Screenshot of the Site Structure required for Access Control

Add Content - Login

Your login panel could look like this:

 <!-- login form -->
<div class="loginPanel">
<h1>Heading goes here </h1>

<form action="" method="post">
<label for="uname">Username</label><input type="text" name="uname" id="uname">
<br />
<label for="pwd">Password</label><input type="password" name="pwd" id="pwd">
<br />
<input type="submit" value="Log in">
</form>
</div>

The form action must either be empty, as in this example, or contain the path to the published login page itself.

Add Content - No Access

Add the following code to the No Access Section using a plain text or code only Content Type:

<h1>You do not have access to see this page</h1>
<p>If you believe that you should have access to see this page, please contact your support team.</p>
<p><a href="/?logout">Please click here to log out</a></p>

Create & enable a Page Layout with the file extension

  1. Edit the Page Layout which is currently enabled on the Section, for example, "About us". Copy the header and footer code and paste this into a new Page Layout.
  2. Enable the appropriate file extension for the Page Layout.
  3. In the Site Structure, enable the Page Layout where the Access Control is set up

Screenshot of the Page Layout with the PHP file extension enabled

Grant Group Access

Once the Access Control has been configured and enabled you can assign Groups to the required Sections in the Site Structure.

  1. Modify the Section(s) that you wish to control access to.
  2. Select the Access tab.
  3. Assign access by enabling the Group(s) that you want to grant access to

Enabling Groups allows members of those Groups access to the published Section. These Groups can consist of both TERMINALFOUR and Visitor Users.

  Screenshot of the Access Control Tab with Access Control enabled in Section

Visitor User

You may have users who are required to access published content but do not require access to TERMINALFOUR or may not be managed by your directory service.

For instance, you may want to grant access to users outside your organization. In this case, Visitor Users can be created. Visitor Users only have access to the published Section(s) and do not have access to the TERMINALFOUR system.

Publish the Channel

Publish the Channel to apply the changes.

Access Control Login

Update the Configuration

The only file you need to modify is "Code-Before-Section.php" as this is where the settings for connecting to TERMINALFOUR Site Manager Web Services are held, as well as the base URLs for each Access Controlled section or site.

Web Services Settings

The following three variables store the settings for connecting to TERMINALFOUR Web Services:

// Site Manager Web Services Username, Password & URL
$s_ws_user = 't4wsuser';
$s_ws_pass = 'password';
$s_ws_url = 'http://10.0.0.242/740001/services/';

Each variable must be updated to values which are appropriate for your own TERMINALFOUR installation.

The username and password must belong to a local account within TERMINALFOUR.

The URL specified for Web Services is your TERMINALFOUR URL with "services/" replacing the "SiteManager" part. This URL must be accessible from your Web Server/PHP installation.
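
A pre-publish check for the three settings above, added here as an example and not part of TERMINALFOUR's files. The function name check_ws_settings() and the environment variable names T4_WS_USER, T4_WS_PASS and T4_WS_URL are assumptions; the check flags the sample password, a URL that is not https, and a path that does not follow the "services/" rule described above.

```php
<?php
// Added example, not part of TERMINALFOUR's files. check_ws_settings() and the
// T4_WS_* environment variable names are assumptions made for illustration.

/** Return a list of problems found in the three Web Services settings. */
function check_ws_settings(string $user, string $pass, string $url): array
{
    $problems = [];
    if ($user === '') {
        $problems[] = 'username is empty';
    }
    if ($pass === '' || $pass === 'password') {
        $problems[] = 'password is empty or still the sample value';
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        $problems[] = 'URL has no host';
        return $problems;
    }
    if (strtolower($parts['scheme'] ?? '') !== 'https') {
        $problems[] = 'URL is not https: the account password crosses the network unencrypted';
    }
    $path = $parts['path'] ?? '';
    if (substr($path, -9) !== 'services/') {
        $problems[] = 'URL path does not end in "services/"';
    }
    if (stripos($path, 'SiteManager') !== false) {
        $problems[] = 'URL still contains "SiteManager"';
    }
    return $problems;
}

// Settings read from the environment instead of literals in the PHP file.
$s_ws_user = getenv('T4_WS_USER') ?: '';
$s_ws_pass = getenv('T4_WS_PASS') ?: '';
$s_ws_url  = getenv('T4_WS_URL') ?: '';

// The sample values shown on this page, run through the check.
foreach (check_ws_settings('t4wsuser', 'password', 'http://10.0.0.242/740001/services/') as $p) {
    echo "sample: $p\n";
}
// The values actually configured on this server.
foreach (check_ws_settings($s_ws_user, $s_ws_pass, $s_ws_url) as $p) {
    error_log("Web Services settings: $p");
}
```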