Knowledge Base

Access Control

Last Modified:
21 Jan 2021
User Level:
Administrator +

Description

If you'd like to add an authentication requirement to published pages on your site you can use Access Control to limit access to users within a specified Group. For example, you might have a staff-only area on your site that should only be accessible by specific Groups or Users.

Users can be authenticated using the following methods:

  • log-in as a Terminalfour user
  • log-in with a third-party authentication protocol like NTLM, LDAP or Shibboleth
  • IP address based
  • using a Control Rule Profile to configure a .htaccess file

In this article we'll cover the Access Control feature which allows you to configure the Groups who can access a Section's published pages.

Check out the Access Control Module we've created to give you even more control over Access Control.

 Follow the steps below to configure and implement Access Control:

  1. Enable Access Control
  2. Create Access Control Profile
  3. Create the File Extension
  4. Configure the Channel
  5. Build the Site Structure
  6. Create & enable Page Layout with PHP ext
  7. Grant Group Access
  8. Publish the Channel
  9. Update the Configuration

Enable Access Control

To enable Access Control on a Section the first things we must do are:

Now when you select the Access Control tab and enable the setting you can check the Group(s) that you would like to grant access to the published pages in this Section: 

Animated GIF of the Access Control Tab with Access Control enabled in Section

Create the Access Control Profile

Add the T4 Tag

<t4 type="accesscontrol" output="groupnames" />

Adding this T4 Tag to a Content Element will output a comma-separated list of the Group names that are flagged as having access to the published page:

 

  Screenshot of published page with list of Access Control Groups

However, we need to enforce this. To do this we use an Access Control Profile.

Access Control Profiles

Access Control Profiles let you specify how Access Control rules should be applied to the published page.

Go to Sites & Channels > Access Control. Create a new Access Control Profile and select the Create New Basic PHP Access Control 

A basic profile has the following fields:

ItemDescription
Name The name of the Access Control Profile.
Description An optional description of the Access Control Profile.
Code Before Section

The code that is output before a Section is published.

 

Code After Section The code that is output after a Section is published (if any). 
Code Before Link 

The code that is output before a link is published. 

 

Code After Link

The code that is output after a link is published. 

Create a File Extension

You may be using server-side code like PHP or ASP.NET on your page. In this case you will need to ensure that the file extension has been created.

Go to System Administration > System Settings > File Extensions. If you are using PHP and this file extension has not already been added, select Create New File Extension.

Screenshot of the file extension screen showing a PHP file extension being added

The extension value should not be preceded by a dot.

Configure the Channel

The Channel must be configured to publish content using the file extension you've added and to enable Access Control.

Go to System Administration > Set up Sites & Channels > Channels and edit the Channel that you want to use Access Control with.

Under Available File Extensions check Enable File Extension Overriding and permit PHP (if you are using PHP).

Under Access Control and Personalization, enable both Access Control and Personalization. From Configuration, select the Access Control Profile created earlier:

  Screenshot of the Channel settings required for Access Control Profile

 Click Save Changes when you are done.

These settings must be applied to a Channel and will have no effect when applied to a Microsite.

Build the Site Structure

Three new Sections are required below the Section that has Access Control applied.

  • Login
    • displays Login Screen (hidden from navigation).
  • No Access
    • displays a message to users who have restricted access
    • hidden from navigation).
  • Logout
    • displays a link to log out. Set the link to /?logout 
    • not hidden from navigation.

Screenshot of the Site Structure required for Access Control

Add Content - Login

Your login panel could look like this:

 <!-- login form -->
<div class="loginPanel">
<h1>Heading goes here </h1>

<form action="" method="post">
<label for="uname">Username</label><input type="text" name="uname" id="uname">
<br />
<label for="pwd">Password</label><input type="password" name="pwd" id="pwd">
<br />
<input type="submit" value="Log in">
</form>
</div>

The form action must either be empty, as in this example, or contain the path to the published login page itself.

Add Content - No Access

Add the following code to the No Access Section using a plain text or code only Content Type:

<h1>You do not have access to see this page</h1>
<p>If you believe that you should have access to see this page, please contact your support team.</p>
<p><a href="/?logout">Please click here to log out</a></p>

Create & enable a Page Layout with the file extension

  1. Edit the Page Layout which is currently enabled on the Section, for example, "About us". Copy the header and footer code and paste this into a new Page Layout.
  2. Enable the appropriate file extension for the Page Layout.
  3. In the Site Structure, enable the Page Layout where the Access Control is set up

Screenshot of the Page Layout with the PHP file extension enabled

Grant Group Access

Once Access Control has been configured and enabled you can assign Groups to the required Sections in the Site Structure.

  1. Modify the Section(s) that you wish to control access to.
  2. Select the Access tab.
  3. Assign access by enabling the Group(s) that you want to grant access to

Enabling Groups allows members of those Groups access to the published Section. These Groups can consist of both TERMINALFOUR and Visitor Users.

  Animated GIF of the Access Control Tab with Access Control enabled in Section

Visitor User

You may have users who are required to access published content but do not require access to Terminalfour or may not be managed by your directory service.

For instance, you may want to grant access to users outside your organization, in this case, Visitor Users can be created. Visitor Users only have access to the published Section(s) and do not have access to the Terminalfour system. 

Publish the Channel

Publish the Channel to apply the changes.

Access Control Login

Update the Configuration

The only file you need to modify is "Code-Before-Section.php" as this is where the settings for connecting to Terminalfour Site Manager Web Services are held, as well as the base URLs for each Access Controlled section or site.

Web Services Settings

The following three variables store the settings for connecting to TERMINALFOUR Web Services:

// Site Manager Web Services Username, Password & URL
$s_ws_user = 't4wsuser';
$s_ws_pass = 'password';
$s_ws_url = 'http://10.0.0.242/740001/services/';

Each variable must be updated to values which are appropriate for your own Terminalfour installation.

The username and password must log in as a local account within Terminalfour.

The URL specified for Web Services is your Terminalfour URL with "services/" replacing the "SiteManager" part. This URL must be accessible from your Web Server/PHP installation.