Protection Points

Site administrators can limit access to a page, a file, or a directory of items in Roxen CMS by adding a protection point. When a user tries to access a protected item, the browser displays an authentication prompt, and the user is expected to enter a Princeton netID and password. Canceling the password prompt returns a forbidden error (403) to the user.

Access Control Groups

Protection points in Roxen are group-based. You cannot add individual users to a protection point.

  • You can use the default site-based groups, prefixed by the site directory name
    (-administrators, -editors, -readers).
  • You can create a custom access control group in Roxen.
  • You can use an Active Directory group.
  • You can use the Campus net users group to limit access to on-campus devices.
  • You can use the PU-Users group to allow any Princeton netID.
  • You can use the Everyone group to override a more restrictive protection point on a parent directory.
  • You can add a group to another group, such as adding an Active Directory group with all of a department’s faculty members to a -readers group.

By default, the root folder for any site on the dept servers gives the Everyone group Read access. The -editors group has Write access, and the -readers group redundantly has Read access. The Administrators group, made up of system administrators from WDS and EIS, also has Write access. The Proofreaders group, which includes select members of the Office of Communications, has Read access.

Setting explicit permissions

In the Insite Editor, you add a protection point via the Permissions button of the Properties tab. In the Content Editor (CE), use the "Edit Permissions…" menu item from the pop-up menu, accessed via the blue and white arrows. The next screen for either method has a button labelled "Set Explicit Permissions…." When setting explicit permissions, change Everyone from Read to None, then add groups as needed, granting them Read or Write access.

When protecting a page, you should not add a protection point to the index.xml file itself; you should add the protection point to the parent directory.

In the Insite Editor, items with explicit permissions have a "Custom" label below the Permissions button. In the Content Editor, protected items have a gray lock icon to the left of the item icon.

Protected items in the menu

Pages with a protection point will disappear from the navigation menu when published to the front-end servers. If you require navigation menu access to the protected page, you must set up a link to an unprotected page, add that page to the menu, then create a link to the protected page within the content area of the unprotected page.

On-campus and off-campus users

If you set Everyone to None and give the Campus net users group Read access, users who try to access the protected item from the wired campus network or the puwireless and eduroam Wi-Fi networks are able to access it without authenticating. You can combine the Campus net users group with the PU‑Users group by giving PU‑Users Read access as well. On-campus users can then access the protected item normally, and off-campus users can access it after authenticating with a Princeton netID.