Now, granted, this may be due to a misunderstanding of the roles/permissions model in Plone, as it's a little different than many systems I've worked with in the past, but here's the situation and where I'm getting stuck.
-- Client needs a Plone site (4.3.3) to be restricted to logged-in users only, with the option to make selected content visible to not-logged-in users. Easy enough, the Intranet workflow suits this purpose, allowing them to publish externally what they wish, and keep the rest internal. No problem here!
-- Now, this site has roughly 2K users, and a dozen or so groups they're organized into. Certain pages and folders (appearing on the top nav bar as well as a sidebar nav portlet) should only be visible to members of certain groups, read-only, and not visible at all to any other logged in users other than site admins. I have gone in to the "Sharing" tab of the folders and pages in question, unchecked the "Inherit Permissions From Higher Levels" box, and added the desired group, checking the "Can View" permission box. "Logged-In Users" shows no boxes checked, and no other group is shown. However, it seems to have no effect -- all logged in users, regardless of group affiliation can see the items in nav bars, visit them, and so forth.
-- I've attempted in frustration to create a new workflow that copies the intranet workflow, but has an additional publication state that removes the 'view' and 'access contents' rights of the Member role, but that has predictable results -- regardless of group sharing settings, no user who is not an Admin can see the items at that point.
So...what am I missing? Ideally, this is the permissions model we're striving for:
1.) By default, created items are visible to logged in users, read-only. A draft/internally publish state pair here is fine also.
2.) Certain items should be selectively published externally, accessible to anyone hitting the site.
3.) Of the items published internally, certain ones should only be accessible and visible to the members of certain groups. Write/add permissions are not relevant here -- there is a small group of site admins who will be handling that, we're only working with/struggling with selective view permissions.
I'm sure this is just a structural misunderstanding I have on the Plone security model, but if anyone can give me some pointers on where to start looking or how to structure a new Workflow to achieve the goal we're working towards, that would be great. Thank you in advance!
Keep using the intranet workflow. For pages and folders that you want to make readable to a particular group:

1. Leave the page or folder in the private workflow state, NOT published internally. (I think this is the step you were missing.)

2. On the Sharing tab for the page or folder, grant 'Can view' to the group you want to share with, just like you already tried. You don't have to change the "inherit permissions from higher levels" checkbox.
In other words, putting an item in the internally published state grants the View permission to all users with the Member role, as you discovered. If you leave the item private you can then grant it more selectively using the sharing tab.
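The answer above turns on one detail of Plone's security model: the workflow state's permission map grants View to global roles (Member in the internally published state), while the Sharing tab only adds local roles (the 'Can view' checkbox is the Reader role) on one object and its children. Unchecking "Inherit permissions from higher levels" only cuts off inherited local roles, so it cannot take View away from Member. The following is an added toy model of that resolution, written for this thread and not taken from Plone's code; the role sets per state are an assumption modelled on the stock intranet workflow, and the users and groups are constructed.

```python
"""Toy model of Plone's View-permission resolution (added illustration, not Plone code).

effective roles = global roles of the user
                + local roles granted to the user or their groups on the object
                + local roles acquired from parents, until an object blocks inheritance
can view        = effective roles intersect the roles holding View in the workflow state
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed role -> View mapping for each state of the intranet workflow.
# 'private' grants View only to managers, the owner and local roles such as Reader.
INTRANET_VIEW_ROLES = {
    "private": {"Manager", "Site Administrator", "Owner", "Editor", "Reader", "Contributor"},
    "internally_published": {"Manager", "Site Administrator", "Owner", "Editor", "Reader",
                             "Contributor", "Member"},
    "externally_published": {"Manager", "Site Administrator", "Owner", "Editor", "Reader",
                             "Contributor", "Member", "Anonymous"},
}


@dataclass
class Content:
    state: str
    parent: Content | None = None
    block_inherit: bool = False                      # the "Inherit permissions" checkbox, unchecked
    local_roles: dict[str, set[str]] = field(default_factory=dict)  # principal -> roles

    def share(self, principal: str, role: str) -> None:
        """Sharing tab: 'Can view' corresponds to the Reader local role."""
        self.local_roles.setdefault(principal, set()).add(role)


@dataclass
class Site:
    groups: dict[str, set[str]]          # group id -> member user ids
    global_roles: dict[str, set[str]]    # user id -> roles granted site-wide

    def effective_roles(self, user: str, item: Content) -> set[str]:
        # Unknown users are anonymous visitors and hold only the Anonymous role.
        roles = set(self.global_roles.get(user, {"Anonymous"}))
        principals = {user} | {g for g, members in self.groups.items() if user in members}
        node: Content | None = item
        while node is not None:
            for p in principals:
                roles |= node.local_roles.get(p, set())
            if node.block_inherit:
                break                     # stop acquiring local roles from higher levels
            node = node.parent
        return roles

    def can_view(self, user: str, item: Content) -> bool:
        return bool(self.effective_roles(user, item) & INTRANET_VIEW_ROLES[item.state])


def scenario() -> dict[str, dict[str, bool]]:
    """Constructed site: alice is in the engineering group, bob is a plain member."""
    site = Site(
        groups={"engineering": {"alice"}},
        global_roles={
            "alice": {"Member", "Authenticated"},
            "bob": {"Member", "Authenticated"},
            "admin": {"Manager", "Member", "Authenticated"},
        },
    )
    root = Content(state="internally_published")

    # What the question describes: internally published, inheritance blocked,
    # 'Can view' granted to engineering. Member still holds View via the state.
    asked = Content(state="internally_published", parent=root, block_inherit=True)
    asked.share("engineering", "Reader")

    # What the answer recommends: leave it private, grant Reader to the group.
    fixed = Content(state="private", parent=root)
    fixed.share("engineering", "Reader")

    # A child of the private folder inherits the group's Reader role unless blocked.
    child = Content(state="private", parent=fixed)

    users = ("alice", "bob", "admin", "anonymous")
    return {
        "asked": {u: site.can_view(u, asked) for u in users},
        "fixed": {u: site.can_view(u, fixed) for u in users},
        "child": {u: site.can_view(u, child) for u in users},
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Running it shows the difference the answer describes: in the "asked" setup both alice and bob can view the item, because Member gets View from the internally published state no matter what the Sharing tab says; in the "fixed" setup only alice (through the group's Reader role) and admin can view it, and the private child picks up the same group grant through inheritance.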