Visibility categories enable administrators to control which content logged-in users (visitors or editors) may access compared to not logged-in website visitors. For this, user groups can be set up in your identity provider (IdP) account, which are then available as distinctive criterion in your visibility categories. Visibility categories are available with plans that include read permissions.
In the context of visibility, a group represents a collection of users, e.g. representatives of partner companies or vendors, who are permitted to open, update, or add content in website areas reserved to them.
Before groups can be specified in custom visibility categories, however, they need to be set up in your IdP configuration where they can then be assigned to users. Note that for Scrivito, group names are solely identifiers, i.e. they don’t have any meaning. Also, Scrivito doesn’t take account of implicit group assignments (based on rules). As a consequence, such implicit assignments (like “all sales staff members are marketing members as well”) need to be made explicit. For obvious reasons, it is essential that group names are defined and used consistently.
As a user logs in to a Scrivito-based website, the IdP generates an OAuth ID token that Scrivito uses to identify the user. If groups have been set up, the ID token includes a
groups claim indicating to Scrivito the groups that have been assigned to the user. By means of those groups, Scrivito can then determine the visibility categories applicable to the user, and grant or deny them access to protected content.
The structure of an ID token containing a
groups claim looks like this: