The privilege audit tools of iCM let you to see which of your iCM groups and users have content roots and privileges assigned to them that allow them to access iCM content.
You are able to report on user access to articles, media, End Points, forms, form data, and any users with the ability to export site user data.
Generating the Audit Spreadsheet
To perform the audit select "iCM Groups/Users" from the Management section of iCM.
From the iCM Groups and Users homepage, select "Actions" in the left hand panel, then "Download privilege spreadsheets" from the actions panel.
The work area lists the various audit reports you can download.
To download a report, double-click on it.
Report Format
The reports for each content type follow a similar format.
The first columns of the spreadsheet list the content roots (ie the articles, form groups etc) organised by group or, in the case of articles, the structure of the article tree.
Further columns are created for each iCM group, then each iCM user, that has that content root assigned. You are able to see if a group or user has Read or Write (or both) access to that content.
If a group or user has been given specific access to a content root, rather than inheriting access from a root higher up the group/tree structure, this is marked with an asterisk.
If a group or user doesn't have a content root assigned to them, they won't appear in the report.
For example, this is a section of a report generated for access to iCM forms.
| FORM GROUPS | GROUPS | USERS | |||||
| ID | ADMINISTRATORS | TIM'S USERS | TIMG | JOSHS | RICHB | ||
| 38 | BookAndPay | RW | RW(*) | ||||
| V1 | RW | RW | RW(*) |
The forms are organised in iCM like this:
The report tells us that the ADMINISTRATORS group has read and write access to the BookAndPay and V1 form groups. We can tell this group has <access to all> form groups because there are no asterisks following the RW.
TIM'S USERS group doesn't grant any access to these form groups, but appears on the report because it grants access to other form groups further down the list.
The user TIMG doesn't have these groups assigned as a content root (note, this user may have access via group privileges, see below) but appears on the report because he has access to other form groups further down the list.
The user JOSHS has direct access to the BookAndPay group, assigned as a content root to his user, which means he inherits access to the child V1 group.
The user RICHB does not have direct access to the BookAndPay group, but does have the V1 group assigned. He may have access to BookAndPay via group membership if he's in the ADMINISTRATORS group.
Access from Group Membership
It's very important to remember that these reports do not show user access inherited from iCM user groups.
In the example above the user TIMG may well have access to the BookAndPay form group because he could be a member of the ADMINISTRATORS group.
These reports only show content roots that have been assigned directly to the groups and users in the report. They are intended as an audit of the content roots assigned to users and groups, not a report showing the full access everyone may have to an item.
If you need to check what a user has access to, including via group membership, edit the user and select "Show inherited privileges" and "Show inherited content" from the actions panel.
To use these reports successfully they should form the first step in your audit, with step two checking the groups that appear in the report and the users in them.
Share this page
