Tutorial: Granular permissions for individual items

Consider the following use case:

You want to create a custom role, such that users in this role are able to:

• View all blogs and their blog posts
• Edit and delete one particular blog
• Create, edit, and delete the blog posts of only this particular blog

Users in this role are not able to:

• Create any blogs
• Edit or delete any bogs, except one particular
• Create, edit, or delete any blog post in blogs different than this particular blog.

To accomplish this, perform the following:

1. Create a custom role
   Create a dedicated role whose users will be able to edit only one blog and its posts.
   Perform the following:
   1. In Sitefinity CMS backend, Administration » Roles » Create a role.
   2. In the input files, enter BlogEditors and click Create.
      Go back to the Dashboard. 
2. Setup the global permissions for blogs.
   Perform the following:
   1. In Sitefinity CMS backend, click Administration » Permissions » by Section » Blogs.
   2. Under sections Create a blog, Delete blog and posts, and Modify blog and manage posts, perform the following:
      1. Click Change.
      2. Select Explicitly deny this to selected roles and users: checkbox and click Add roles or users.
      3. Select role BlogEditors and click Done selecting » Done.
         Go back to the Dashboard.
3. Setup individual blog permissions.
   Perform the following:
   1. Click Content » Blogs
   2. Expand the Actions link of the blog for which you want the BlogEditors role to have permission to modify and manage its blog posts.
   3. In the dropdown box, select Permissions.
   4. Click Break inheritance.
   5. Under sections Delete this blog and its posts and Update this blog and manage its blog posts, perform the following:
      1. Click Change.
      2. Under Advanced, remove BlogEditors role and deselect Explicitly deny this to selected roles and users: checkbox.
      3. Select Selected roles or users radio button and click Add roles or users.
      4. Select the BlogEditors role and click Done selecting » Done.

RESULT: All users assigned in role BlogEditors can edit and delete only one particular bog. They can also create, edit, and delete bog posts in this blog. For all other blogs they have only view permissions.