Assets that are created and managed in the content development environment should not be modified directly on the target site. Therefore, it is important to secure target site assets to prevent changes that are outside the control of the content development environment.
Preventing uncontrolled changes is especially important with respect to ATG Content Administration deployments:
The changes that users make on the target site are liable to be overwritten by subsequent deployments. In the case of a full deployment, all changes are always overwritten, inasmuch as the deployment begins by deleting all target assets.
Incremental deployments assume that the set of assets that is active on a target actually represents the assets on that target.
In an incremental deployment, ATG Content Administration identifies the current set of assets on the target, examines it against the project to deploy, and deploys the new set by deploying only the asset changes to the target site. It is this element of the incremental deployment procedure that makes it faster than a full deployment.
However, if a user modifies the assets on the target directly, the target’s knowledge of its current set of assets is no longer valid because it no longer represents the target’s actual data. Therefore, subsequent incremental deployments are compromised and cannot result in a new current set of assets that accurately represents the target’s data. In this situation, a full deployment to the target site which first deletes all target assets is necessary in order to restore a valid set of assets.
Note: If you use secured repositories in the content development environment to control access of ATG Content Administration users to specific asset types and individual assets, be aware that ATG Content Administration does not deploy the ACLs for those assets when they are deployed to a target.
For all these reasons, it is critical that you secure ATG Content Administration-managed assets on your staging and production targets so users cannot modify them. Several recommended strategies follow, which are suitable to various content development, testing, and production requirements.
Modify user access privileges in the ACC
If you require access to the ACC in the target environment, you should do one of the following:
If you use secured repositories in the target environment, manually modify their definition files so the appropriate ACC user groups are restricted to List and Read access to repository items. Users who belong to those groups can only view the items—for example, for content validation purposes. For information on managing secured repository definition files, see the ATG Repository Guide.
If you do not use secured repositories in the target environment, and you do not require access to them, simply remove UI access privileges to those repositories from the appropriate ACC user groups. For information on modifying the UI access privileges for ACC user groups, see the ATG Programming Guide.
Alternatively, if you require access to the repositories, configure secured repositories to sit on top of your repositories and restrict the appropriate ACC user groups to List and Read access to the repository items, as described in the ATG Repository Guide.
Restrict access to personalization and scenario assets
If you manage personalization and/or scenario assets with ATG Content Administration, do one of the following:
If you do not require access to the assets in the target environment, disable access to the Targeting and/or Scenarios task areas in the ACC by removing those UI access privileges from the appropriate ACC user groups. For information on how to do this, see the discussion on managing access control in the ATG Programming Guide.
If you do require access to the assets in the target environment, prevent users from modifying scenarios by granting only List and Read access to all scenario folders to the appropriate ACC user groups. This ensures that all users who belong to those groups can view (but not add to or edit) the folders and their contents. For information on how to do this, see the discussion on setting up security for scenarios in the ATG Personalization Programming Guide.
Note: This functionality is not available for other ACC-editable personalization and scenario assets that you can manage with ATG Content Administration, namely, targeters, content and profile groups, and slots.