Chapters1 Restricting user-group assignments to nodes
When a user is assigned to a group, the user will automatically be granted all permissions, that are set for the group. If the assignment however is restricted to specific nodes or channels, the group’s permissions are only granted for the specified nodes and channels.
The restriction can be done in the user properties dialog, in the group tree next to the assignment of the user to groups.
When the checkbox for assigning the user to a group is checked, an icon appears that shows the restriction status and can be clicked to maintain the node restrictions. When the icon is grayed (like in the image below) the assignment is not restricted to nodes.
When the icon is not grayed, the assignment is restricted to at least one node.
After clicking the icon, a list of nodes is shown with checkboxes to restrict the assignment to nodes. This dialog will also contain information about restriction to nodes, the user is not allowed to see.
After changing the assignment, this dialog and the main user properties dialog must both be confirmed by clicking OK.
2 Removing user-group assignment
When a user-group assignment is restricted, this assignment cannot be removed by a user who is not allowed to see all nodes, to which the assignment is restricted.
3 Mitigation of privilege escalation
A user that has at least one node restriction for any of his own groups cannot create unrestricted group memberships for other users, because this could be used to gain privileges by means of simply creating a new user with more privileges (no node restrictions).
The user properties dialog assists you at making sure that your changes are allowed by automatically adding all available nodes to the restriction if needed.
4 Editing inherited objects in channels
When a user starts editing an inherited object in a channel, but has no permission to edit the object in its own node, the object will automatically be localized and the user starts editing the localized copy.