Add Item Path Restrictions page (security/item-path-restrictions.md) #44
Open
Description
Context
SPE 9.0 restriction profiles (#1426 in Console repo) include item path restrictions that control which Sitecore content paths are accessible through remoting endpoints.
Proposed Location
security/item-path-restrictions.md
Content to Cover
Overview
- Prefix-based path blocking/allowing for Sitecore item access
- Configured per restriction profile (in XML config and/or item-based overrides)
- Enforced in PsSitecoreItemProvider for Get-Item and Get-ChildItem
Configuration Modes
- Blocklist mode: All paths allowed except explicitly blocked prefixes
- Allowlist mode: All paths blocked except explicitly allowed prefixes
Config Example
<itemPathRestrictions mode="blocklist">
  <blockedPaths>
    <path>/sitecore/system/Modules/PowerShell/Settings/Remoting</path>
  </blockedPaths>
</itemPathRestrictions>
Item-Based Overrides
- Additional blocked/allowed paths via Treelist fields on Restriction Profile override items
- Additive merging with config-based paths (most restrictive wins)
Enforcement Behavior
- Enforce mode: Returns 403 error when accessing blocked paths
- Audit mode: Logs violation but allows access (dry-run for rollout)
- Get-ChildItem filters out children under blocked paths silently
- Access by item ID is also checked (resolves path before allowing)
Audit Logging
- Violations logged per profile's audit level setting
- Log format:
SPE.Security [VIOLATION] User=... Service=... Profile=... BlockedPath=...
Use Cases
- Block access to /sitecore/system/Modules/PowerShell/Settings/Remoting (prevent key/profile enumeration)
- Restrict content editors to specific content subtrees
- Allow read-only consumers access only to /sitecore/content/ paths
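The rules above (prefix matching, blocklist vs allowlist mode, additive merging where the most restrictive source wins, enforce vs audit, silent child filtering, and resolving an ID to its path before the check) modelled as a small PowerShell script. This is an added example, not code from the SPE project: the function names, the $profile hashtable shape, the override lists, the item catalog and the IDs in it are constructed assumptions; the XML is the config example from this issue.

```powershell
# Added example, not SPE code: models the item path restriction rules from this issue.
# Constructed assumptions: function names, profile/restriction hashtable shapes, the
# override lists, and the item catalog with its IDs.

# Config example from the issue, plus a constructed Treelist-style override list.
$configXml = [xml]@'
<itemPathRestrictions mode="blocklist">
  <blockedPaths>
    <path>/sitecore/system/Modules/PowerShell/Settings/Remoting</path>
  </blockedPaths>
</itemPathRestrictions>
'@
$overrideBlocked = @('/sitecore/system/Settings/Security')   # constructed override path
$overrideAllowed = @()

function Get-PathList($node) {
    # A single <path> comes back as a string, several as an array, none as $null.
    if ($null -eq $node) { return @() }
    return @(@($node.path) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
}

function Get-EffectiveRestrictions([xml]$Config, [string[]]$OverrideBlocked, [string[]]$OverrideAllowed) {
    # Additive merge: override paths are appended to the config-based lists.
    $root = $Config.itemPathRestrictions
    return @{
        Mode    = $root.mode
        Blocked = @((Get-PathList $root.blockedPaths) + $OverrideBlocked)
        Allowed = @((Get-PathList $root.allowedPaths) + $OverrideAllowed)
    }
}

function Test-PathUnderPrefix([string]$Path, [string]$Prefix) {
    # Sitecore item paths are case-insensitive; match the prefix itself or anything below it.
    $p  = $Prefix.TrimEnd('/')
    $ic = [System.StringComparison]::OrdinalIgnoreCase
    return $Path.Equals($p, $ic) -or $Path.StartsWith("$p/", $ic)
}

function Test-ItemPathAllowed([string]$Path, $Restrictions) {
    # Most restrictive wins: a blocked prefix from either source denies in both modes.
    foreach ($b in $Restrictions.Blocked) {
        if (Test-PathUnderPrefix $Path $b) { return @{ Allowed = $false; Prefix = $b } }
    }
    if ($Restrictions.Mode -eq 'allowlist') {
        foreach ($a in $Restrictions.Allowed) {
            if (Test-PathUnderPrefix $Path $a) { return @{ Allowed = $true; Prefix = $a } }
        }
        return @{ Allowed = $false; Prefix = '(not in allowlist)' }
    }
    return @{ Allowed = $true; Prefix = $null }   # blocklist mode: allowed by default
}

# Constructed catalog standing in for the content tree; ID access resolves to a path first.
$items = @{
    '{AAAAAAAA-0000-0000-0000-000000000001}' = '/sitecore/system/Modules/PowerShell/Settings/Remoting/Profiles'
    '{AAAAAAAA-0000-0000-0000-000000000002}' = '/sitecore/content/Home'
    '{AAAAAAAA-0000-0000-0000-000000000003}' = '/sitecore/content/Home/Products'
}

function Invoke-RestrictedGetItem([string]$PathOrId, $Profile, $Restrictions, [string]$User, [string]$Service) {
    $path   = if ($items.ContainsKey($PathOrId)) { $items[$PathOrId] } else { $PathOrId }
    $result = Test-ItemPathAllowed $path $Restrictions
    if (-not $result.Allowed) {
        # Log line in the format given in the Audit Logging section; Write-Warning stands in for the SPE log.
        $line = "SPE.Security [VIOLATION] User=$User Service=$Service Profile=$($Profile.Name) BlockedPath=$path"
        if ($Profile.AuditLevel -ne 'Off') { Write-Warning $line }
        if ($Profile.EnforcementMode -eq 'Enforce') { throw "403 Forbidden: $path" }
    }
    return $path   # audit mode: violation logged, access still granted
}

function Get-RestrictedChildItem([string]$Parent, $Restrictions) {
    # Children under a blocked prefix are dropped silently rather than raising 403.
    return @($items.Values | Where-Object { $_ -like "$Parent/*" } |
        Where-Object { (Test-ItemPathAllowed $_ $Restrictions).Allowed })
}

$restrictions = Get-EffectiveRestrictions $configXml $overrideBlocked $overrideAllowed
$audit   = @{ Name = 'ReadOnly-Audit'; EnforcementMode = 'Audit';   AuditLevel = 'Warn' }
$enforce = @{ Name = 'ReadOnly';       EnforcementMode = 'Enforce'; AuditLevel = 'Warn' }

Invoke-RestrictedGetItem '/sitecore/content/Home' $enforce $restrictions 'sitecore\reader' 'remoting'   # allowed
Invoke-RestrictedGetItem '{AAAAAAAA-0000-0000-0000-000000000001}' $audit $enforce $restrictions 'sitecore\reader' 'remoting' 2>$null
Invoke-RestrictedGetItem '{AAAAAAAA-0000-0000-0000-000000000001}' $audit $restrictions 'sitecore\reader' 'remoting'   # warns, returns path
try   { Invoke-RestrictedGetItem '{AAAAAAAA-0000-0000-0000-000000000001}' $enforce $restrictions 'sitecore\reader' 'remoting' }
catch { "Enforce mode: $_" }
Get-RestrictedChildItem '/sitecore/system/Modules/PowerShell/Settings' $restrictions   # Remoting child filtered out
Get-RestrictedChildItem '/sitecore/content/Home' $restrictions                          # Products still listed
```

Switching the mode attribute to allowlist and adding an <allowedPaths> element with /sitecore/content shows the read-only consumer case: content paths pass, everything else (including paths not blocked anywhere) is denied, and a blocked prefix still wins over an overlapping allowed one.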
Related
- Depends on Console repo feature/clm branch (#1426)
- Links to: restriction-profiles.md