How to Limit Access to a Subset of Umbraco Forms for a Group of Backoffice Users

To be able to administer permissions for Umbraco Forms on User Group level, first, we need to add the following configurations to appsettings.json, in the "Forms" group:

 

"Forms": {
   "Security": {
      "ManageSecurityWithUserGroups": true
   }
}

 

When we set the property ManageSecurityWithUserGroups to true, it enables Group Permissions in the Third Party tree under the Users tab in backoffice. From here, we can administer permissions to folders on the Forms tab.

Hint: When enabling group permissions, security settings for existing User Groups can default back to OFF. Make sure that your Administrators group and your Editors group, and other groups you might have, have the access rights you want them to have by turning the appropriate toggles ON for those groups if they have been toggled off.

Now, on the Forms tab, create a folder under the Forms folder in the tree. This folder will be the start folder for your User Group.

Back on the Users tab, create a User Group by clicking Groups and then the Create group button. Assign access rights for the new group, set start nodes for content and media, etc.

Still on the Users tab, you might have to reload the page. Then, in the left tree, expand Forms Security / Group Permissions and locate your new User Group.

Give it appropriate access rights and then click Select start folders. This will bring up all folders that reside under the Forms folder on the Forms tab. Select the new folder that you created to assign it as start folder to the User group and click Submit.

Notice the Has Access toggle in the Form Security list. This toggle determines whether the User Group has access to specific existing forms. Also, when a new form is created, that form will appear in this list.

Now, when a User belonging to the User Group in question logs in and clicks the Forms tab, they will not see all existing forms but only the ones that reside in the folder we created because we set that specific folder as start folder for the User Group that the user belongs to. However, we are missing a crucial piece. As it is, the user can not create new forms, nor see new forms in the User Group folder that might have been created by an Adminstrator. We need to add an additional configuration to appsettings.json, namely the GrantAccessToNewFormsForUserGroups property.

 

"Forms": {
   "Security": {
      "ManageSecurityWithUserGroups": true,
      "GrantAccesToNewFormsForUserGroups: "all"
   }
}

 

Remember the Has Access toggles in the Form Security property on the Group Permissions for your User Group? When we set the GrantAccessToNewFormsForUserGroups property to “all” we are effectively saying that all User Groups should get its Has Access toggle set to true for new forms when they are created. However, the User Groups still only has access to the forms created in their start folder, and that’s key.

The combination of having ManageSecurityWithUserGroups set to true, GrantAccessToNewFormsForUserGroups set to “all”, and creating specific start folders for specific User Groups gives us exactly the behavior we are looking for, namely that a User Group manages their own forms in their own folder and no other User Groups (except for Administrators) have access to their folder.

For the specific client, we created User Groups and Umbraco Forms folders for the remaining twenty districts and all was well. Probably a bit of an edge case to have so many top nodes but, hey, it works, and can be useful for a site with as few as two top nodes as well.

I hope that made sense. If we got anything wrong, or if you disagree, or have other experiences - feel free to reach out. The best way to learn is together. Thanks for reading.