Navigation Menu and Security Integration
Navigation Menu does not introduce a parallel security model. It composes the existing Magentrix security primitives - security roles, user groups, entity permissions, Active Page sharing, and feature permissions - and presents the result as a navigation tree. This article walks through how the layers combine so administrators can predict and verify what each user will see.
The Layers
For a Menu Item to appear in a user's navigation, every applicable layer must permit it. Layers evaluated, in order:
- App access - The App that contains the item must be assigned to the user's security role. Apps without role access never render their menus.
- Menu Item type-specific access - Each type adds its own check (see the table below).
- Per-item sharing - For Web and Link items only, the user must match at least one of the item's shared roles or groups.
- Folder visibility - A folder appears only if at least one of its descendants is visible.
Per-Type Access Rules
| Type | Visible When |
|---|
| Entity | The user's role has Read permission on the target entity. |
| Active Page | The user's role or any of their user groups is on the Active Page's sharing list. Active Pages can now be shared with both roles and groups. |
| Link | Per-item sharing matches the user's role or group. |
| Web | Per-item sharing matches the user's role or group. |
| Folder | At least one descendant is visible to the user. |
| Feature | The user's role has access to the underlying feature. |
Active Page Sharing - What Changed
Active Pages previously supported sharing with security roles only. Active Pages can now also be shared with user groups. This means an Active Page Menu Item can appear for a user whose group membership grants access, even if their role would not.
This change interacts directly with Navigation Menu: when you share an Active Page with a user group, every Menu Item that points to that Active Page becomes visible to the group's members - through the same App they have access to.
Verifying What a User Will See
Two practical ways to verify visibility:
- Login As - From the user's record, use Login As to enter the portal as that user. Open the App and confirm each Menu Item is or isn't visible.
- Test users per role - Maintain at least one test user per major role and check the navigation after any structural change.
The key principle is that Navigation Menu shows what every layer permits and hides anything one layer denies. When something is unexpectedly missing, walk the layers in order until you find the one that's denying access.
Use Cases
- Auditing what a partner role sees. Pick a representative user, Login As, and walk the menu top-to-bottom. Note items that should not be visible and trace each one back to a layer (App access, item sharing, entity permission, Active Page sharing, or feature permission).
- Granting a single user access without changing role. Add the user to a user group, then share the relevant Active Pages, Web items, or Link items with that group. The user gains visibility without any role change.
- Removing a feature menu without removing the feature. Adjust the role's feature permission to remove the Feature Menu Item, even if the underlying entity or Active Page would otherwise be visible.
- Onboarding a new role with minimal effort. Assign the role to the appropriate App, then share role-targeted Web and Link items. Entity, Active Page, and Feature items follow automatically from the role's data and feature permissions.
Troubleshooting
- Symptom: A user expected to see a Menu Item does not.
Cause: One of the layers is denying access. Walk the layers: App access, type-specific check, per-item sharing.
Resolution: For Entity items, verify entity Read permission. For Active Pages, verify the page's sharing list. For Web/Link, verify the item's sharing. For Feature items, verify the role's feature permission. - Symptom: A user sees an item you wanted to hide.
Cause: Hiding requires removing access at a layer. Per-item sharing only narrows visibility; it does not override broader permissions.
Resolution: Remove the user's role from the item's shared roles, remove the user from the shared group, or restrict the underlying entity/Active Page/feature permission. - Symptom: A folder appears empty when opened.
Cause: All of the folder's children evaluate to hidden for this user.
Resolution: Either grant access to one of the children or restructure the menu so the folder is not empty for that audience. - Symptom: Sharing an Active Page with a group does not seem to grant menu visibility.
Cause: Active Page group sharing was added recently. Your portal may need to be on a release that includes this feature; verify with your account team if you are unsure.
Resolution: Confirm the user's App access first; if that is correct, re-save the Active Page sharing settings and have the user log out and back in.
<< Understanding Feature Menu Items | Navigation Menu Troubleshooting >>