Section Segmentation and User Permissions Part 2 of 2

In this example, we will combine what you learned about sections in the first article in this series with the access control concepts from this article to create a protected area of the site. Note that you can do much more with user permissions than grant or limit access based on sections – be sure to explore the possibilities on your own!

Recall that by default, the Content structure tab is associated with the Content top-level node and the Standard section. The out-of-the-box eZ Publish
behavior is that everything published here constitutes a visible part of your site. This means that everybody, both logged in and anonymous users, is able to view all content located here. For example, if you create a new article in the Content structure tab, it will be visible to everybody.

A "protected area" is a part of your site that is only accessible to a certain group of users. For example, a company might have some employee-only material or annual reports available only to trusted clients.

In short, to make a protected area, you must segment the node tree by creating a new section and assigning it to some node(s). Then, you must use the permission system to grant access to the secret section for a specific group of users. The procedure below goes through the specific steps to create an example protected area:

1. Access the Administration Interface and navigate to the Content structure tab.
2. Create a folder called "Secret documents" somewhere under the Content top-level node. You can verify that it is in fact displayed on your public site at this time.
3. Bring up the Sections interface by navigating to the Setup tab and clicking the Sections link on the left menu.
4. Create a new section called "Secret section" by clicking the New section button and providing the name and navigation part.

5. Assign the newly created section to the "Secret documents" folder that you created in step 2. To do so, click the Assign button to the right of your new section in the Sections interface. Browse to the correct folder, mark its radio button, then click the Select button.

   You can now verify that the "Secret documents" folder is inaccessible from the public front-end site by bringing up your site in another browser window and attempting to access the folder.

6. In the Administration Interface, navigate to the User accounts tab and create a new user group called "Secret users".
7. Create a new user within the "Secret users" group.
8. Create a new role called "Secret role". To do so, click the Roles and policies link in the Access control panel in the User accounts tab. Then, click the New role button and name the role.

9. Add a new policy to the role as described on the previous page.

   Grant access to the "read" function in the "content" module. During the final step where you add limitations, make sure that the policy grants access to the "Secret section" section.

10. Assign both the Anonymous role and the newly created role to the "Secret users" group as described on the previous page.

Bring up your site and attempt to log in with the user that was created inside the "Secret users" group. The user should be able to access the "Secret documents" part of the site, while anonymous users will still be blocked.