SmartTarget Extensions: Better Security on Promotion Management

If you have used SmartTarget, you will probably know that the security model for managing promotions is pretty basic: you either have rights to manage promotions or you don't. On my current implementation we have different business units managing their own SmartTarget promotions for various sites and applications, all within the same CMS, so each of them is able to view, edit (and accidentally break!) the others' promotions. This post shows a simple solution we came up with to ensure each user could only manage the promotions appropriate to them.


Setting Alchemy Plugin Permissions

So you came to Tridion Developer Summit and heard about this hip new Tridion framework called Alchemy. Or maybe you'd already heard of Alchemy and have been anxiously awaiting the chance to try building your own plugin. The problem is, you can't build and test a plugin on your Tridion environment because you can't let just any user play with your plugin while you develop it. Fortunately, we at Alchemy recognize that security is a huge concern for many users and we are working hard to address this as comprehensively as we can. Unfortunately, we aren't there yet. However, if you are really anxious to start building, I am going to show you how to lock down your plugin so that only certain users have access to your ribbon bar or context menu extension, using just the Alchemy API and some JavaScript.

Issues with the TridionRsaContainer registration!

Scenario

We had copied a CM instance (a virtual machine) from the PRD environment into the UAT environment and reconfigured it for UAT as we had tested and expected.

To avoid the error stating that [clientUATdomain]\MTSUser does not have access to the tridion.security configuration section, we ran the usual command that grants an account access to the RSA key container:

aspnet_regiis -pa "TridionRsaKeyContainer" "[clientUATdomain]\MTSUser"

This failed for the MTSUser. After confirming that we had the correct domain, user name and password and investigating further, we found that nobody knew which account had been used to install SDL Tridion 2011 CM. We needed that account so we could log in to the UAT CM machine and grant MTSUser access to the key container. The tridion.security section is encrypted with ASP.NET protected configuration, whose RSA provider keeps the key in an RSA key container that only specific accounts can read: http://msdn.microsoft.com/en-us/library/yxw286t2(v=vs.100).aspx

Solution
The key container in question is backed by a file under C:\ProgramData\Microsoft\Crypto\RSA (machine-level containers live in the MachineKeys subfolder).

That file is accessible only to a small number of accounts, and on the production box the production domain MTSUser was one of them. So we tried this:

  • log in on the PRD machine as the production domain MTSUser
  • export the RSA key container, including its private key, with this command
aspnet_regiis -px "TridionRsaKeyContainer" keys.xml -pri

We then copied keys.xml to the UAT CM box and ran the import command

aspnet_regiis -pi "TridionRsaKeyContainer" c:\temp\keys.xml

and finally, the following command

aspnet_regiis -pa "TridionRsaKeyContainer" "[clientUATdomain]\MTSUser"

So, on opening the CM in the browser... boom... we got an error in the GUI. A quick dig into the corresponding 'Tridion Configuration' error in the Windows event log showed the same access problem for the account the CM web application runs under, Network Service, so we then executed

aspnet_regiis -pa "TridionRsaKeyContainer" "nt authority\network service"

A quick restart of the services and all was well again. Bear in mind that keys.xml exported with -pri contains the private key in clear text, so delete it from both machines once the import has succeeded.
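The export, import and grant steps above, scripted end to end as an added example (PowerShell, not code from the original post). It assumes the 64-bit .NET Framework 4 aspnet_regiis.exe (use the Framework folder for 32-bit), the container name TridionRsaKeyContainer from the post, and placeholder account names and temp path that you replace for your environment. Run it with -Mode Export on the source machine as an account that can already read the container, and with -Mode Import from an elevated prompt on the target.

```powershell
<#
  Added example, not part of the original post.
  Clones the RSA key container that protects the tridion.security section from
  one CM box to another and grants the service accounts access to it.
  Assumptions (placeholders, adjust to your environment):
    - 64-bit .NET Framework 4 aspnet_regiis.exe
    - container name TridionRsaKeyContainer (as in the post)
    - the account names and the temp path are placeholders
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Export', 'Import')]
    [string]$Mode,

    [string]$Container = 'TridionRsaKeyContainer',
    [string]$KeyFile   = 'C:\temp\keys.xml',

    # Accounts that must decrypt the section: the Tridion service account and
    # the identity the CM web application runs under. Placeholders.
    [string[]]$Accounts = @('[clientUATdomain]\MTSUser', 'NT AUTHORITY\NETWORK SERVICE')
)

$regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
if (-not (Test-Path $regiis)) { throw "aspnet_regiis.exe not found at $regiis" }

function Invoke-RegIis {
    param([string[]]$ArgumentList)
    & $regiis @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "aspnet_regiis $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Mode) {
    'Export' {
        # -pri includes the private key; without it the target can never decrypt.
        Invoke-RegIis @('-px', $Container, $KeyFile, '-pri')

        # keys.xml now holds the private key in clear text: restrict it to the
        # exporting user only until it has been copied across.
        $me = "$env:USERDOMAIN\$env:USERNAME"
        icacls $KeyFile /inheritance:r /grant:r "${me}:(R)" | Out-Null
        Write-Host "Exported $Container to $KeyFile (readable by $me only)."
    }
    'Import' {
        if (-not (Test-Path $KeyFile)) { throw "Key file $KeyFile not found" }

        # Import into the machine-level store (the default without -pku), which
        # is where the ASP.NET RSA protected-configuration provider looks.
        # Add -exp if you want to be able to export the key from this box later.
        Invoke-RegIis @('-pi', $Container, $KeyFile)

        # Read access is enough to decrypt the section; -full is only needed if
        # the account must also write to the container (e.g. re-encrypting).
        foreach ($account in $Accounts) {
            Invoke-RegIis @('-pa', $Container, $account)
        }

        # The clear-text private key is no longer needed on disk.
        Remove-Item $KeyFile -Force
        Write-Host "Imported $Container and granted read access to: $($Accounts -join ', ')"
        Write-Host "Restart the Tridion services and IIS (iisreset) for the change to take effect."
    }
}
```

Granting access with -pa for the web application's own identity is what the post ended up needing as well, which is why the default account list includes NETWORK SERVICE alongside the Tridion service account; if your application pool runs under a different identity, grant that one instead.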

The moral of the story: DO NOT LOSE TRACK OF WHICH USER INSTALLED THE CM, especially if you want to clone the machine during a setup!

If you have had a similar experience we would be very interested to hear whether there are other ways around this, other than simply re-installing the CM with a documented user :)

Special thanks to Harald Hoffelinck on this solution!

A Custom Resolver in practice

Back in February I posted an article about Custom Resolvers. Yesterday I rolled my first Custom Resolver into a production environment, so I figured it was time to share my findings.

Background

To set the scene, it probably helps to explain the business requirements first. We have a large implementation with over 300 publications. Many of these share content, some of which needs to be secured, and links to binaries that also need to be secured. We have a third-party security solution, which is implemented as a proxy on top of our published site. The proxy looks for a security.xml in the folder of any request and then prompts for login etc. depending on what the XML file contains. This works very well for pages, but the pages often link to binaries (which were all contained in the "/images" directory of each publication). In order to secure binaries with different sets of restrictions we needed to place the binaries in different Structure Groups. To simplify the concept, we decided to publish a variant of each binary linked from a page to the same Structure Group as the page. This has the desired effect of securing all binaries linked from secured pages with the same restrictions as those pages. When a binary is linked from multiple secured pages, multiple variants of the binary are published.

Welcome back SDL Tridion Workflow

Over the last two weeks, I have had the privilege of spending a lot of time with some of the R&D folks at SDL who are working on the forthcoming releases of their world-beating WCM platform SDL Tridion. At both SDL Innovate 2012 and SDL Tridion HQ in Amsterdam this week, there has been a lot of talk about "bundles". Now I can't really tell you anything about bundles per se (because I really don't know the details), but from what I hear "it will be the revolution of SDL Tridion Workflow", which has been the thorn in many a consultant's and customer's side since R4. The biggest feature of the new workflow offering will be grouping items together into "Bundles", allowing you to process complete work packages through a workflow process instead of just a single Page or Component.

TDSE impersonation & snap in security

I have just finished upgrading a customer to SDL Tridion 2011, where part of the task involved migrating a custom application from the Tridion 2009 server to the new 2011 GUI server. The application uses the .NET Interop library to create a TDSE object. When the code ran to impersonate the object, the following exception was thrown with the message:
