Wiki Access Control

IMPORTANT: When considering access control, please note that the Wiki is not meant for storing company-confidential information. HR, Finance, or Legal teams should be especially careful. Wiki access control is not encrypted and not password protected (other than Backyard passwords). Deleted Wiki data is archived in a shared (although not easily viewable) Trash. Admins have read access to everything...

Essentially, you should treat any Wiki content as if it could be visible to the entire company. Access control is merely a convenience, for example to prevent accidental overwrite or trivial viewing.

For additional details and comments see BUG:3038385.

By default, all Wiki pages can be seen, and changed, by anyone with access to the Wiki site. However, if you want more control, there are preference variables you can set to control access.

Access can be restricted to individuals, groups, or a combination of both. If access is controlled for an entire web, the web settings are in effect for all pages (but can be overridden on a page-by-page basis).

This tutorial document explains the most common access controls. For more detailed information, see AccessControl.

Important: The Wiki has very strict formatting rules. Make sure you use "bullet list" format - three spaces, an asterisk, and another space - in front of any access control rule! Follow the examples below exactly.

The ALLOW options

  • ALLOWTOPICVIEW
  • ALLOWTOPICCHANGE
  • ALLOWTOPICRENAME

Who Can View My Page? (ALLOWTOPICVIEW)

To control view (read) access set the ALLOWTOPICVIEW variable somewhere in your page (usually at the end of the page). If you don't want the setting to be visible on the page, put it inside an HTML comment (see the example.)

Anyone who is not named in the ALLOWTOPICVIEW setting, or who is not a member of a named group, will be denied access to view this page.

   * Set ALLOWTOPICVIEW = Comma-separated list of Wiki user and group names

NOTE: If ALLOWTOPICVIEW is not set, anyone can view (unless ALLOWWEBVIEW is set in WebPreferences).

Who Can Edit My Page? (ALLOWTOPICCHANGE)

To control change (write or edit) access set the ALLOWTOPICCHANGE variable somewhere in your page (usually at the end of the page). If you don't want the setting to be visible on the page, put it inside an HTML comment (see the example.)

Anyone who is not named in the ALLOWTOPICCHANGE setting, or who is not a member of a named group, will be denied access to edit this page.

   * Set ALLOWTOPICCHANGE = Comma-separated list of Wiki user and group names

Who Can Rename My Page? (ALLOWTOPICRENAME)

To control rename (move) access set the ALLOWTOPICRENAME variable somewhere in your page (usually at the end of the page). If you don't want the setting to be visible on the page, put it inside an HTML comment (see the example.)

Anyone who is not named in the ALLOWTOPICRENAME setting, or who is not a member of a named group, will be denied access to rename this page.

Note: RENAME access is required to move a topic to another web or to the Trash.

   * Set ALLOWTOPICRENAME = Comma-separated list of Wiki user and group names

Format for Setting Access Controls

The format for setting access control is very strict. See the Examples below.
  1. Put nothing else on the same line
  2. Use a Wiki bullet (3 spaces, *, one space) followed by the word Set.
  3. The variable, ALLOWTOPICCHANGE, must be spelled correctly in all CAPS.
  4. User names are usually of the form Main.FirstLast
    (Main. followed by the First name (first letter capitalized), then Last name (first capitalized). No Spaces.)
  5. Group names must be of the form Main.NameGroup (e.g. Main.VickiBrown). See Wiki Groups (below) for more about groups.

ALERT! IMPORTANT: If you mistype a user or group name in the ALLOWTOPICCHANGE setting, it's possible to lock a topic so that no-one can edit it from a browser! This includes you. Use caution.

You must include Main. as well as the Wiki user or group name.

NOTE: If ALLOWTOPICCHANGE is not set, anyone can write (unless ALLOWWEBCHANGE is set in WebPreferences).
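
The format rules above can be checked mechanically before saving. The following is an added example, not part of the original page or of the Wiki software: a small linter for topic text that flags malformed bullets, misspelled variables, names without Main., ALLOW and DENY set together, and a change list that would lock out the person editing. The function name lint, the sample text, and the acceptance of indents in multiples of three spaces (as in the nested examples on this page) are assumptions.

```python
import re

# Variable names: the ALLOW/DENY x TOPIC/WEB x VIEW/CHANGE/RENAME family, plus GROUP.
KNOWN = {a + s + p for a in ("ALLOW", "DENY") for s in ("TOPIC", "WEB")
         for p in ("VIEW", "CHANGE", "RENAME")} | {"GROUP"}
# Strict form: indent in multiples of three spaces (assumption), "* Set NAME = value".
STRICT = re.compile(r"^(?:   )+\* Set (\w+)\s*=\s*(.*?)\s*$")
# Loose form: a line that looks like an attempted access setting.
LOOSE = re.compile(r"\bset\s+(?:allow|deny|group)\w*\s*=", re.IGNORECASE)
NAME = re.compile(r"^Main\.[A-Z][A-Za-z0-9]*$")


def lint(text, editor=None):
    """Return (line_number, message) findings; line 0 means topic-wide."""
    findings, seen = [], {}
    for no, line in enumerate(text.splitlines(), 1):
        strict = STRICT.match(line)
        if not strict:
            if LOOSE.search(line):
                findings.append((no, "not in '   * Set NAME = value' bullet format"))
            continue
        var, value = strict.groups()
        if var not in KNOWN:
            if re.match(r"(?i)allow|deny|group", var):
                findings.append((no, f"unknown variable {var}; check spelling and caps"))
            continue
        names = [n.strip() for n in value.split(",") if n.strip()]
        seen[var] = names
        for n in names:
            if not NAME.match(n):
                findings.append((no, f"{n} is not of the form Main.WikiName"))
        # Lockout: editor is not listed and no listed group could include them.
        if (var == "ALLOWTOPICCHANGE" and editor and names and editor not in names
                and not any(n.endswith("Group") for n in names)):
            findings.append((no, f"{editor} would lose edit access"))
    for var, names in seen.items():
        if var.startswith("ALLOW") and names and seen.get("DENY" + var[5:]):
            findings.append((0, f"both {var} and DENY{var[5:]} are set; pick one"))
    return findings


# Constructed sample topic text, not from a real wiki.
SAMPLE = """<!--
   * Set ALLOWTOPICVIEW = Main.VickiBrown, SteveKup
  * Set ALLOWTOPICCHANGE = Main.VickiBrown
   * Set ALLOWTOPICHANGE = Main.VickiBrown
   * Set ALLOWTOPICRENAME = Main.SteveKup
   * Set DENYTOPICRENAME = Main.ClientGroup
-->"""
```

Calling lint(SAMPLE, editor="Main.VickiBrown") reports the missing Main. prefix, the two-space bullet, the misspelled variable, and the ALLOW/DENY pair. Group membership is not resolved, so a change list that names any group is not flagged for lockout.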

Attachments

Attachments cannot be controlled separately from pages. If a page is restricted, the attachments are too. You cannot "lock" one or more attachments while leaving a page open to everyone.

Web Access (Many Topics)

  • ALLOWWEBVIEW
  • ALLOWWEBCHANGE
  • ALLOWWEBRENAME

To restrict access to all topics in a web (the part following /view/ in the URL), set the ALLOWWEBVIEW and/or ALLOWWEBCHANGE variable in the WebPreferences topic. If you set ALLOWWEBCHANGE, you should set ALLOWWEBRENAME to match.

Note: WebPreferences is pre-configured with "empty" variables. Just add the names to the appropriate setting. (Empty settings allow access to everyone.)

Pay Attention to the Word Following ALLOW

Caution: Setting access in WebPreferences can be confusing!
  • Set ALLOWWEBVIEW, ALLOWWEBCHANGE, and/or ALLOWWEBRENAME to control access to all topics in the web
  • Set ALLOWTOPICVIEW and/or ALLOWTOPICCHANGE to control access to the current topic (i.e. WebPreferences itself)
  • The ALLOWWEB settings only work in the WebPreferences topic!

Wiki Groups

If you're planning to restrict access to a limited group of people, especially on multiple pages, you may find it convenient to create a Wiki group. See WikiGroups for the list of groups currently available. (There are a lot of these!). Use the form on that page to create a new group.

Note: Wiki groups must be made up of Wiki usernames. You cannot, for example, create a group for members of an email distribution list without first converting all of those addresses to Wiki usernames.

Creating Wiki Groups

Important:
  • Wiki groups must be created in the Main web.
  • The name of the group must end in the word Group.
  • Be sure to use the form at WikiGroups to ensure that your group is created with the proper format.

Important: The Wiki will always add you to the group when it is created. If you won't be a permanent member, do not remove your name until after you have thoroughly tested the new group's access! (Ask another group member to try editing the group.)

Tip: When you create the group, leave one person out initially. Then set up access control for your pages and have that person test. When that person gets an error about not being able to view/change the pages, you can add them to the group and test again.

Group format

Groups are created as Wiki pages. The format is
   * Set GROUP = Main.VickiBrown, Main.SteveKup, Main.AaronNas
   * Set ALLOWTOPICCHANGE = Main.VickiBrown

In this case, the Topic is the Group definition page; the people listed after ALLOWTOPICCHANGE are allowed to add or remove people in the group.

Editing Group Membership

Once a group has been created, you can add or remove members by editing the group page. Add people by appending their Wiki usernames to the list after
   * Set GROUP =
Do not press RETURN. The GROUP list should be one long line. Remember to capitalize the first letter and include Main.

The DENY Options

  • DENYTOPICVIEW
  • DENYTOPICCHANGE
  • DENYTOPICRENAME

In some cases, instead of allowing access to one or more individuals or groups, you may decide you want to deny access. Only do this if the set of denied users is considerably smaller than the set of allowed users. For example, to allow access to all employees, regardless of group, but deny access to clients, you might want to
   * Set DENYTOPICVIEW = Main.ClientGroup

As in the case of the ALLOW options, any Wiki user who is not explicitly denied access is implicitly allowed.

A very important rule for Access control: Set ALLOW or Set DENY. There's no need to set both (and doing so can cause confusion, for Twiki as well as humans).

What About WebChanges and Email Notification?

The WebChanges topic in each web is calculated dynamically when you open it. It will not list pages you cannot view.

Similarly, email notification checks privileges first. Users will only be notified of changes to topics for which they have view access.

Access Control Examples

Web Access

<!--
   * Write-protect all pages in this web:
      * Set ALLOWWEBCHANGE =  Main.VickiBrown
   * Limit Read Access to our team for all pages in this web:
      * Set ALLOWWEBVIEW =  Main.VickiBrown
-->

Topic Access

<!--
   * Write-protect this page:
      * Set ALLOWTOPICCHANGE = Main.VickiBrown
   * Limit Read Access to our team
      * Set ALLOWTOPICVIEW = Main.VickiBrown, Main.Nretting
-->

Caution!

When locking pages:
  • Do NOT type your Wiki name. Copy it and paste it from the signature area below the edit box.
  • When locking a page for someone else ALWAYS include yourself until you've tested that the other person can use it!
  • When creating a group, always use the form at WikiGroups to ensure that your group is created with the proper format.
  • When creating a group, do not remove yourself from the group until it's been tested with at least one more member.

And finally, be sure to test before saving:
  • Use Preview mode to test your access control. Many kinds of mistakes will manifest themselves in the preview. If you spell a user or group incorrectly or screw up list syntax, the items won't be underlined or they'll have question marks next to them, etc. At that point, you just hit Back and fix it. It isn't 100% but it does catch a lot of mistakes.

Many Wiki admins have said that one of the most common Help requests is "I've locked myself out of my page". Don't let this be you!


-- VickiBrown - 19 Aug 2008

Topic revision: r2 - 21 Mar 2013, VickiBrown