Web page access control rules are rules that you create for your site to control both the publishing actions that a web role can perform across the pages of your website as well as to control what pages are visible by what web roles.  The web page access entity has the following attributes:


A descriptive name for the rule.


The website that this rule applies to; must match the website of the page to which this rule is applied. Filters Web Page. 

Web Page

The Web Page that this rule applies to. 

The rule will affect not only the page but all child pages of the page, therefore making this attribute select the branch of the website to which the rule will apply.  If a rule is applied to the home page, then it will apply to the entire Portal.


Grant Change or Restrict Read.  See Below.


A description of the rule. Optional.

After creating a new access control rule, associate it with a page, this will cause it to affect both the page you assign the rule to as well as all child pages – in other words, the entire ‘branch’ of the website.   

There are two type of access control rule: Grant Change and Restrict Read.

Grant change

Grant Change allows a user in a web role associated with the rule to publish content changes for this page and all child pages of this page.  Grant Change takes precedence over restrict read.

 So for example, you might have a “news” section of the site; which you want to be editable by users in the “news editor” web role.  These users might not have access to the entire site, and certainly can’t edit the entire site, but within this branch they have full content publishing authority.  You would thus create a web page access control rule called “grant news publishing to news editors” or something to that effect.

Next you would set the right to “grant change” and the webpage to the parent page of the entire “news” branch of your site.

You would then assign this web role to any contacts you want to designate as news editors.  Bear in mind one user can have many web roles.

A Grant Change rule should always be present in any portal that you wish to enable front-side editing for.  This rule will apply to the home page of the site, thus making it the default rule for the entire site.  This rule will be associated with a web role that is to represent the administrative role for the site.  Users that are to be given front-side content publishing rights will be assigned to this role.

Restrict Read

The restrict read rule is used to limit viewing of a page (and it’s child pages) and its content to only specific users.  Whereas grant change is a permissive rule (it grants the ability to do something to its users), the restrict read rule is a restrictive rule, in that it restricts an action to a limited set of users.  For example, you might have a section of the site meant to be used by employees only.  You might restrict read of this branch to only people in the “employee” web role.  You would thus create a new rule called “restrict read to Employees only”.

You would then set the right to restrict read and the page to the page at the top of the branch which is to be read only by employees.

You would then associate this rule with the employee web role and then assign users to this role.

The root 'home' page of a website is a special node and must not have a restrict read rule applied to it. This will produce a runtime error. The security validation requires that all users must be able to read the root page of a website in order to validate contents within the site. The login, access denied, page not found, and error page are also special cases that also must be readable by all users.
  Related Topics