Fine-Graining Page Visibility with Groups

Fine-Graining Page Visibility with Groups

Visibility categories enable administrators to control which content logged-in users (visitors or editors) may access compared to not logged-in website visitors. For this, user groups can be set up in your identity provider (IdP) account, which are then available as distinctive criterion in your visibility categories.

In the context of visibility, a group represents a collection of users, e.g. representatives of partner companies or vendors, who are permitted to open, update, or add content in website areas reserved to them.

Before groups can be specified in custom visibility categories, however, they need to be set up in your IdP configuration where they can then be assigned to users. Note that for Scrivito, group names are merely identifiers with configurable display texts, i.e. they don’t have any meaning. Also, Scrivito doesn’t take account of implicit group assignments (based on rules). As a consequence, such implicit assignments (like “all sales staff members are marketing members as well”) need to be made explicit. For obvious reasons, it is essential that group names are defined and used consistently.

As a user logs in to a Scrivito-based website, the IdP generates an OAuth ID token that Scrivito uses to identify the user. If groups have been set up, the ID token includes a groups claim indicating to Scrivito the groups that have been assigned to the user. By means of those groups, Scrivito can then determine the visibility categories applicable to the user, and grant or deny them access to protected content.

The structure of an ID token containing a groups claim looks like this:

The key used to identify the groups claim in the ID tokens can be either or groups.

Defining groups with Auth0

If you are using Auth0 for managing the identities of your users, there are at least two ways to assign groups to them. One way is to use roles to model groups, another one is to install the Authorization extension that promises to be suited better than roles but requires more setup. For simplicity reasons, we will be showing you here how to define the groups claim using the first method, i.e. by means of Auth0 roles. First, create the desired roles:

Note that group names must not start with an underscore character as Scrivito uses it internally. After setting up the roles, assign users to them or, vice versa, assign these roles to users.

Finally, create a rule (implemented as a JavaScript code snippet) that programmatically adds the groups to the ID token. For that, create a rule based on the “Empty rule” template and enter the below JS code.

To ascertain whether groups are included in the ID token, first log out from Scrivito (by removing all cookies), then log in to Scrivito again to have your identity provider issue a new ID token. Now, try to access a page to which a visibility category is assigned that grants your groups (and nobody else) access.