Change administrator permissions on a content


Enonic version: 7,0,2
OS: Ubuntu 19

Hello, there is a folder I would like to block publish authority to any user, even administrator, this that possible?



Here is my folder permission, but even so if I log with an administrator user I can still publish content.


You need to explicitly restrict publishing: click “Custom” and then toggle “Publish” button from default green V to red X.


Didn’t work, even if I do that for system.admin user I can still publish content there after relogging, could it have been overwritten by a configuration on our server?


So you mean system.admin role?


Yes, when I said administrator I meant user with role/system.admin.


Ok. So, as Alan says.
You should be able to prevent users from publishing by “Denying” actions (if they are inherited from parent).
Sadly, the permissions UI has not seen much TLC since we released XP, and it is definetly confusing in its current state.

When you turn off the “inherit” button, you are actually still inheriting, the button is more like a “Unlock to edit permission inheritance”. So, since you are still inheriting permissions, but want to prevent any user from publishing items within this structure, you will need to change all permission lines (roles, grups and users) within the list, and set them to to “deny publishing”. If a user has just one of these roles that still has publish permission, he will still be able to publish.

Now for the second problem. If you move any item (from somewhere else, and into this structure). The default current approach is “keeping” the permissions set for that item. You can clear the migrated permissions by editing the parent item permissions, and simply clicking “overwrite all child items”.

We are aware the UI problems now and have created tasks to improve this greatly. At least it will be much clearer to understand what is happening. UI improvements ETA early 2020.

Can you pls try once more, and notify me how things went?


At first it seemed a bit confusing but thanks to all replies I understood how it works. My main question however was in the end if I could do the follow:

It’s odd to limit administrator access but if is there it should work right? For any other role it works fine.


Having tested quickly, as you say it does not appear to apply to the “su” user at least.
We’ll have to look into it…


Any new information regarding this?


Just saw the topic.
“system.admin” is a special role that always has “Full Access”. You cannot restrict its permissions.
Otherwise with this configuration you would not be able to modify the permissions anymore for example.

Content Studio’s UI could display “system.admin” as having “Full Access” and not being editable.