Tutorial: Granular permissions for individual items

Consider the following use case:

You want to create a custom role, which enables users to:

• View all blogs and their blog posts
• Edit and delete a particular blog
• Create, edit and delete blog posts of only this particular blog

Users in this role are not able to:

• Create any blogs
• Edit or delete any blogs, except a particular one 
• Create, edit or delete any blog post in blogs other than this particular blog.

To accomplish this, perform the following:

1. Create a custom role
   Create a dedicated role whose users will be able to edit only one blog and its posts.
   Perform the following:
   1. In the Sitefinity CMS backend, Administration » Roles » Create a role.
   2. In the input files, enter BlogEditors and click Create.
      Go back to the Dashboard. 
2. Setup the global permissions for blogs.
   Perform the following:
   1. In the Sitefinity CMS backend, click Administration » Permissions » by Section » Blogs.
   2. Under sections Create a blog, Delete blog and posts, and Modify blog and manage posts, perform the following:
      1. Click Change.
      2. Select the Explicitly deny this to selected roles and users: checkbox and click Add roles or users.
      3. Select role BlogEditors and click Done selecting » Done.
         Go back to the Dashboard.
3. Setup individual blog permissions.
   Perform the following:
   1. Click Content » Blogs.
   2. Expand the Actions link of the blog for which you want the BlogEditors role to have permission to modify and manage its blog posts.
   3. In the dropdown box, select Permissions.
   4. Click Break inheritance.
   5. Under sections Delete this blog and its posts and Update this blog and manage its blog posts, perform the following:
      1. Click Change.
      2. Under Advanced, remove BlogEditors role and deselect Explicitly deny this to selected roles and users: checkbox.
      3. Select Selected roles or users radio button and click Add roles or users.
      4. Select the BlogEditors role and click Done selecting » Done.

RESULT: All users assigned in role BlogEditors can edit and delete only one particular blog. They can also create, edit, and delete blog posts in this blog. For all other blogs they have only view permissions.