Plone Intranet workflow and group permissions

Now, granted, this may be due to a misunderstanding of the roles/permissions model in Plone, as it's a little different than many systems I've worked with in the past, but here's the situation and where I'm getting stuck.

-- Client needs a Plone site (4.3.3) to be restricted to logged-in users only, with the option to make selected content visible to not logged in users. Easy enough, the Intranet workflow suits this purpose, allowing them to publish externally what they wish, and keep the rest internal. No problem here!

-- Now, this site has roughly 2K users, and a dozen or so groups they're organized into. Certain pages and folders (appearing on the top nav bar as well as a sidebar nav portlet) should only be visible to members of certain groups, read-only, and not visible at all to any other logged in users other than site admins. I have gone in to the "Sharing" tab of the folders and pages in question, unchecked the "Inherit Permissions From Higher Levels" box, and added the desired group, checking the "Can View" permission box. "Logged-In Users" shows no boxes checked, and no other group is shown. However, it seems to have no effect -- all logged in users, regardless of group affiliation can see the items in nav bars, visit them, and so forth.

-- I've attempted in frustration to create a new workflow that copies the intranet workflow, but has an additional publication state that removes the 'view' and 'access contents' rights of the Member role, but that has predictable results -- regardless of group sharing settings, no user who is not an Admin can see the items at that point.

So...what am I missing? Ideally, this is the permissions model we're striving for:

1.) By default, created items are visible to logged in users, read-only. A draft/internally publish state pair here is fine also.

2.) Certain items should be selectively published externally, accessible to anyone hitting the site.

3.) Of the items published internally, certain ones should only be accessible and visible to the members of certain groups. Write/add permissions are not relevant here -- there is a small group of site admins who will be handling that, we're only working with/struggling with selective view permissions.

I'm sure this is just a structural misunderstanding I have on the Plone security model, but if anyone can give me some pointers on where to start looking or how to structure a new Workflow to achieve the goal we're working towards, that would be great. Thank you in advance!


Keep using the intranet workflow. For pages and folders that you want to make readable to a particular group: 1. Leave the page or folder in the private workflow state, NOT published internally. (I think this is the step you were missing.) 2. On the Sharing tab for the page or folder, grant 'Can view' to the group you want to share with, just like you already tried. You don't have to change the "inherit permissions from higher levels" checkbox.

In other words, putting an item in the internally published state grants the View permission to all users with the Member role, as you discovered. If you leave the item private you can then grant it more selectively using the sharing tab.


  • nested attributes not saving the user_id in join table
  • Valid user ID cannot be parsed as fbid in fb:admins
  • Windows Azure VM availability/Failover steps
  • Setting jsp checkbox with a value from database
  • Accesing properties in a UserControl from the MainWindow (WPF/MVVM)
  • Automatic process monitoring/management with Python
  • Dropdown menu with the dropdown-menu-right class does not align to the right
  • Looking for datastructure that maintains a size & purges older elements in the process
  • F# deleting common elements in lists
  • iOS - How to access the device's file library?
  • Windows/C# system-level sequential number generator?
  • Dynamically updating config data codeigniter
  • how can resolve dodgy:unchecked/unconfirmed cast in sonar?
  • Linux over commit heuristic
  • R Leaflet Legend: specify order instead of alphabetical
  • Ant: fileset “dir” attribute with a runtime expanded full path
  • How to upload files in php using html
  • How do I recognize a line break with a switch case that evaluates a char in Java?
  • How to add System.Windows dll to Visual Studio 2010 express?
  • Fixed Background Works in Chrome but Not Firefox?
  • Group variable in cobol
  • Oracle ListaGG, Top 3 most frequent values, given in one column, grouped by ID
  • How to set `secure` and `httpOnly` for Plones `__ac` cookie?
  • rapply over a nested list in R
  • Should I be afraid to use UDP to make a client/server broadcast talk?
  • Granting permissions to Azure Active Directory Web Application automatically
  • Why can't I use non-integral types with switch [duplicate]
  • Detecting # in Scheme list
  • Outlines on links in IE9 remains when focus is changed
  • chrome.tabs.executeScript only fires when the Developer Console is open
  • Change multiple background-images with jQuery
  • Algorithm for a smudge tool?
  • Ajax Loaded meta Tags
  • Xamarin Forms - UWP Fonts
  • Can Jackson SerializationFeature be overridden per field or class?
  • Arrow is showed instead of the material design version hamburger icon. Why doesn't syncState in
  • Arrays break string types in Julia
  • Android Studio and gradle
  • Easiest way to encapsulate a HTML5 webpage into an android app?
  • How to push additional view controllers onto NavigationController but keep the TabBar?