This module focuses on the access rights capability in Optimizely CMS SaaS. Access rights play a crucial role in protecting digital content by controlling which user can view, edit, or publish content within the system. By defining and managing the rights and permissions, you can ensure that your digital assets remain secure and that only authorized personnel can modify or distribute content.

After completing this module, you should be able to:​

• Define the types of access and roles in Opti ID
• Create custom Opti ID roles and set access rights in CMS SaaS
• Explain how access rights inheritance works for subitems
• Set access rights from the Publish menu
• Manage access rights for media and languages in CMS SaaS

How do I benefit from access rights?

Access rights in CMS SaaS enable you to safeguard sensitive content by restricting access to authorized users only, thus ensuring content security. Additionally, by customizing access levels and roles, you can facilitate efficient collaboration among team members, as each user can be granted permissions tailored to their specific roles and responsibilities.

Here's how access rights benefit different personas:

• Content Managers: Access rights allow content managers to manage roles and permissions for contributors, preventing unauthorized content modifications and maintaining version control. This capability supports a streamlined content workflow.
• Marketing Managers: Marketing managers use access rights to deliver targeted content by controlling access for specific audiences, such as showing ads only to users in a certain geographic area, thereby enhancing marketing effectiveness.

Access to features

Opti ID product switcher allows you to switch between your Optimizely products. You can also access parts of the platform by a specific URL. Each part of the Optimizely platform has different built-in roles and groups to control authentication and authorization.

What you see in the CMS (SaaS) left navigation pane when logged in depends on which product you selected and what permissions you have. This menu is configured during CMS (SaaS) onboarding and setup, and access rights are defined for different user groups. You need to have administrator access to configure access rights in Optimizely.

Access to content

CMS (SaaS) access rights work together with Opti ID roles, where you define the access rights and assign them to a specific Opti ID role in CMS (SaaS). Then, you assign that Opti ID role to users or groups in Opti ID.

You can control which parts of the CMS (SaaS) application content structure are available to business users, such as content editors and site administrators, and what is available with restricted access to visitors. You can also let visitors post comments on the application through access rights.

Types of access

These are the types of access rights in CMS (SaaS) that you can grant or deny for Opti ID roles.

• Read – Users with the role can access the content as a reader; otherwise, the content is invisible.
• Create – Users with the role can create content under the item.
• Change – Users with the role can access the content to modify it. Typically, Create and Change are set together, but there may be cases where you want someone to modify created content (but not create their own) or vice versa.
• Delete – Users with the role can delete the content.
• Publish – Users with the role can publish the content.
• Administer – Users with the role can create and edit approval sequences and set access rights and language properties on individual content items for content given this access. This type of access does not provide access to the administrator page. To access the administrator page, you must be a member of the Content Admins group.

Built-in user groups (roles in Opti ID)

Optimizely CMS (SaaS) has built-in user groups with pre-defined access levels shown in the following image. The Everyone and Administrators user groups exist only in CMS (SaaS) and are evaluated during runtime. This means you cannot assign them to users, rather the system handles that. The Content Admins and Content Editors user groups exist in both CMS (SaaS) and Opti ID. In Opti ID, these user groups are called roles, which you can assign to individual users or groups to grant specific access rights.

Administrators: Windows defines this group when you create the application. Administrators can access every part of the system and can edit all application content. Typically, they are developers who set up or maintain the application.

Content Admins: Optimizely defines this role to access administrator functions. Membership in this group does not provide editing access to the content structure. In most cases, only a few system administrators or "super users" belong to this group.

Content Editors: Optimizely defines this role to access the editing functions. Add users to this group to give them editing rights to specific content. You can organize editors in groups according to content structure or language on large applications.

Everyone: Windows defines this group as giving visitors read access to application content. Unregistered visitors to a public application remain anonymous because the system can't identify them. If you want to remove the Everyone group from content (to change access rights for a web page, for example), you must login to access content, even if it is published.

Read the articles below to learn how you can assign these CMS (SaaS) built-in user groups to users and groups in Opti ID.

Create custom Opti ID roles and set access rights in CMS SaaS

You can create custom roles in Opti ID to apply specific access rights to areas of your CMS (SaaS) content tree. For example, part of your content tree may be devoted to marketing assets, and you want to limit access to only Marketing group members. In this case, you could create a custom role called Marketing in Opti ID, assign it to a user or group of users in Opti ID, and then assign access rights to that role after it syncs to CMS (SaaS) as a user group.

Create a custom role in the Opti ID

First, you need to create custom roles in Opti ID Admin Center and then define the custom role’s level of access in CMS (SaaS).

The link below will walk you through the steps to create a custom role in Opti ID.

Add a custom role to an individual user in Opti ID

You have successfully created a new custom role in Opti ID. The next step is to assign this role to an individual user or group of users.

See the following walkthrough to learn how to assign a custom role to an individual user in Opti ID.

Let’s look at an example. You assigned a role to Abbie in Opti ID, then set the access rights for that role in CMS SaaS so only Abbie (and system administrators) can edit a specific page.

You can add the Opti ID role (that is only assigned to Abbie) to any number of pages and content and set the role's (and therefore Abbie's) access rights to each content item similarly (or differently) for each page.

Add a custom role to a group of users in Opti ID

While you can always assign a role to an individual user for a specific CMS SaaS instance, creating a group of users and giving access to the group is a more efficient process when you have several users who need common access to content.

See the following walkthrough to learn how to assign a custom role to a group of users in Opti ID.

Let’s look at an example. You created a custom Marketing role and a Marketing users group in Opti ID. Then you added Abbie, Erin, and Reid to that group, and assigned the Marketing role to the Marketing users group.

Now when you give access rights to any number of pages and content in CMS SaaS for the Opti ID Marketing role, that gives everyone in the Opti ID Marketing users group the same access at once instead of having to assign it to each individual.

You can also modify the Marketing user group to add Eddie to all the marketing content (or remove Abbie). You do not have to visit each page or content item to update users' access rights.

Set access rights in CMS for Opti ID roles

At this point, you have created a custom role for CMS (SaaS) in Opti ID and assigned it to a user or group of users in Opti ID. The custom role syncs from Opti ID to CMS (SaaS) when a user signs into CMS (SaaS) with the custom role. You can optionally assign the role to yourself and then sign in to initiate the sync.

Now that the custom Opti ID role is in CMS (SaaS) as a user group, you need to define access rights for it.

The link below will walk you through the steps to set access rights in CMS for Opti ID roles.

Note that, if you set conflicting access rights to content, selected access rights prevail over cleared access rights. For example, Abbie is a member of the Marketing users and Support users groups in Opti ID, each has Opti ID roles with different CMS (SaaS) access rights set on the same content; Marketing has Publish rights, but Support does not. Abbie, who is in both groups, has Publish rights to the content, but Erin, who is only part of the Support group, does not have Publish rights.

Access rights inheritance and subitems

Set inheritance for content subitems

Content inherits access rights from its closest parent item by default. When you set access rights for a content item, the rights apply to it, and subitems that have the Inherit settings from the parent item option enabled. Subitems with this option cleared are not affected. For example, Funds Transfer, Bill Pay, and eStatements have the same access rights because they inherit the access rights from the Online Banking page.

If you break the inheritance for Bill Pay and change its access rights, the access rights become different from the parent (Online Banking) and its two siblings (Fund Transfer and eStatements).

Set access rights for subitems

Selecting the Apply settings for all subitems checkbox applies the access rights of the parent item to its subitems, even if a subitem has inheritance cleared. For example, you can apply the same access rights from the Online Banking parent page to its children (Funds Transfer, Bill Pay, and eStatements).

When you select Apply settings for all subitems, anyone with a selected CMS (SaaS) user group is given access.

Suppose a parent item and a non-inheriting subitem have the same CMS (SaaS) user group, and the access rights for the CMS (SaaS) user group differ between the parent and the subitem. In that case, CMS (SaaS) applies the parent's settings when you select Apply settings for all subitems. For example:

• If the Online Banking parent item has Opti ID role Content Admins with only Read access set and the eStatements subitem has Opti ID role Content Admins with all access rights set, then Apply settings for all subitems on the Online Banking parent item resets the Opti ID role Content Admins access rights on eStatements to Read access only.
• Conversely, suppose Online Banking has Opti ID role Content Admins with all access rights, and subitems have Opti ID role Content Admins with only Read access. In that case, Apply settings for all subitems gives Opti ID role Content Admins all access rights on the subitems.

Set access rights from the Publish menu

Administrators generally manage application access rights from Settings. However, you can set access rights for a single page or a shared block from the Publish menu if you have CMS (SaaS) administrator access in Opti ID, which is useful when you need to publish an item to verify the final result but do not want it to be publicly visible.

See the following walkthrough to learn how to set access rights from the publish menu.

Access rights for media

An editor must have Create access rights to the global or application-specific folder under For All Applications or For This Application to upload an image or create a shared block. Similarly, an editor must have Create access rights to the current page when adding assets to the local For This Page folder.

Media are never automatically published if someone sets an approval sequence on the folder to which the media are uploaded.

Suppose you want media to be automatically published when it is uploaded. In that case, editors who upload must have Publish access rights to the global folder, application-specific folder, or the page if you upload media to the local folder.

Access rights for languages

If your application has content in multiple languages, you can define access rights for each language so editors can create content only in the languages to which they have access. Go to Settings > Languages to see enabled languages, but only users with access rights to a language can create and edit content in that language.