Navigation Menu and Security Integration

Navigation Menu integrates with the Magentrix security framework to ensure users see only the navigation options appropriate to their access levels. Understanding how Apps, Menu Items, security roles, user groups, and feature permissions work together enables administrators to create navigation experiences that align with organizational security requirements while providing users with efficient access to authorized content.

Security Framework Overview

Navigation Menu visibility is determined by multiple security layers working together:

  • App-Level Security: Role and group assignments control which users can access each App
  • Menu Item-Level Security: Sharing configuration (for Link and Web types) or underlying permissions (for Entity, Active Page, and Feature types) control individual Menu Item visibility
  • Runtime Evaluation: The system evaluates all security factors at runtime to determine what each user sees

This layered approach ensures navigation respects both organizational structure and individual access permissions.

App-Level Access Control

Role-Based App Access

Apps are assigned to security roles to control which users can access them. When an App is assigned to a role, all users with that role can see the App in the App Selector and access its navigation structure.

How Role Assignment Works:

  • Administrators assign one or more security roles to each App
  • Users who belong to at least one assigned role can see and access the App
  • Users who do not belong to any assigned role cannot see the App
  • Multiple roles can be assigned to a single App for broad access

For information on configuring security roles, see About Magentrix Security Roles.

Group-Based App Access

Apps can also be assigned to user groups, providing additional flexibility for controlling navigation access based on criteria beyond security roles.

How Group Assignment Works:

  • Administrators assign one or more user groups to each App
  • Users who are members of at least one assigned group can see and access the App
  • Group-based access works independently of role-based access
  • Users can gain App access through either role or group membership

For information on configuring user groups, see Managing User Groups.

Combined Role and Group Access

When an App is assigned to both roles and groups, access is determined using OR logic:

  • Users can access the App if they belong to at least one assigned role, OR
  • Users can access the App if they are members of at least one assigned group

Users do not need to satisfy both conditions. Meeting either the role requirement or the group requirement grants access to the App.

Example: An App is assigned to the "Partner Manager" role and the "North America Partners" group. A user can access this App if they have the Partner Manager role (regardless of group membership) OR if they are a member of the North America Partners group (regardless of their role).

Menu Item-Level Visibility

Beyond App-level access, individual Menu Items have their own visibility rules that determine whether users see specific navigation entries within an App they can access.

Link and Web Menu Items

Link and Web Menu Items use manual sharing to control visibility:

  • Administrators configure sharing to specific security roles and user groups
  • Users must belong to at least one shared role or group to see the Menu Item
  • Sharing uses OR logic: role membership OR group membership grants visibility
  • Without sharing configuration, the Menu Item is invisible to all users

Important: A Link or Web Menu Item must be both assigned to an accessible App AND shared to the user's role or group. Both conditions are required for visibility.

Entity Menu Items

Entity Menu Items do not support manual sharing. Visibility is controlled by system permissions on the underlying entity:

  • Users who have permission to access the entity can see the Menu Item
  • Users without entity access cannot see the Menu Item
  • Entity permissions are configured through entity security settings, not Menu Item configuration

For information on configuring entity permissions, see Configuring Entity Permissions.

Active Page Menu Items

Active Page Menu Items do not support manual sharing. Visibility depends on access to the underlying Active Page:

  • Users who can access the Active Page can see the Menu Item
  • Users without Active Page access cannot see the Menu Item
  • Active Page access is typically controlled through role and group configuration on the Active Page itself

Feature Menu Items

Feature Menu Items do not support manual sharing. Visibility is controlled by the underlying feature's permission settings:

  • Each feature type (Article List, Storefront, Wiki) has its own sharing model
  • Users who can access the feature can see its Feature Menu Item
  • To control visibility, adjust sharing or permissions on the underlying feature

For detailed information on Feature Menu Items, see Understanding Feature Menu Items.

Folder Visibility Behavior

Folders in Navigation Menu have automatic visibility behavior based on their contents:

  • Folders are visible only when at least one child Menu Item is visible to the current user
  • Folders automatically hide when none of their child Menu Items are visible
  • This behavior prevents users from seeing empty navigation containers

How Folder Auto-Hide Works: The system evaluates visibility for all Menu Items within a Folder. If at least one Menu Item passes all visibility checks (sharing, permissions, feature access), the Folder appears. If all Menu Items fail visibility checks, the Folder is hidden.

Runtime Visibility Evaluation

Navigation visibility is evaluated at runtime each time a user accesses the portal. This dynamic evaluation ensures users always see navigation appropriate to their current access level.

Evaluation Process

When a user accesses the portal, the system performs the following evaluation:

  1. App Evaluation: Identify all Apps assigned to the user's roles or groups
  2. Menu Item Evaluation: For each accessible App, evaluate visibility for each Menu Item:
    • For Link/Web Menu Items: Check sharing against user's roles and groups
    • For Entity Menu Items: Check system permissions on the entity
    • For Active Page Menu Items: Check access to the Active Page
    • For Feature Menu Items: Check underlying feature permissions
  3. Folder Evaluation: For each Folder, determine if at least one child Menu Item is visible
  4. Render Navigation: Display Apps, Folders, and Menu Items that pass all visibility checks
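
The evaluation steps above, modeled as an added example (this is not Magentrix code or its API). The class names, the `role:`/`group:` prefixes and the sample configuration are assumptions made for illustration.

```python
# Added illustration of the documented rules; not Magentrix code. All names are assumptions.
from dataclasses import dataclass, field

@dataclass
class Item:
    name: str
    kind: str                    # Link, Web, Entity, ActivePage or Feature
    shared_to: set = field(default_factory=set)  # Link/Web sharing targets
    resource: str = ""           # underlying entity, Active Page or feature
@dataclass
class Folder:
    name: str
    children: list
@dataclass
class App:
    name: str
    assigned_to: set             # e.g. {"role:Gold Partner", "group:EMEA"}
    entries: list

def item_visible(who, res, item):
    if item.kind in ("Link", "Web"):
        # Manual sharing with OR logic; no sharing means nobody sees it.
        return bool(item.shared_to & who)
    # Entity, Active Page, Feature: visibility follows the underlying access.
    return item.resource in res

def render(who, res, apps):
    """who: the user's roles and groups; res: resources the user may access."""
    nav = {}
    for app in apps:
        if not (app.assigned_to & who):               # step 1: App access
            continue
        shown = []
        for e in app.entries:
            if isinstance(e, Folder):                 # step 3: Folder auto-hide
                kids = [c.name for c in e.children if item_visible(who, res, c)]
                if kids:
                    shown.append((e.name, kids))
            elif item_visible(who, res, e):           # step 2: Menu Item check
                shown.append(e.name)
        nav[app.name] = shown                         # step 4: what is rendered
    return nav

# Constructed sample configuration, loosely following Scenario 1.
APPS = [App("Partner Portal", {"role:Silver Partner", "role:Gold Partner"}, [
    Item("Deal Registration", "Entity", resource="DealRegistration"),
    Item("Training", "Link", {"role:Silver Partner", "role:Gold Partner"}),
    Folder("Premium", [Item("Campaign Kit", "Link", {"role:Gold Partner"})]),
    Item("Draft Link", "Link"),                       # never shared: hidden
])]
```

Running one configuration through `render` for each role and group combination is a quick way to spot access granted through an unexpected path.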

Dynamic Updates

Because visibility is evaluated at runtime, navigation automatically reflects changes to:

  • User role assignments
  • User group memberships
  • Menu Item sharing configuration
  • Entity permissions
  • Active Page access settings
  • Feature sharing and permissions

Users see updated navigation after refreshing their browser or logging in again following security changes.

Security Integration Scenarios

Scenario 1: Partner Portal Navigation

Requirement: Partners should see navigation to deal registration, training, and marketing resources. Different partner tiers should see different resources.

Implementation:

  • Create a "Partner Portal" App assigned to all partner security roles
  • Create Entity Menu Items for Deal Registration entity (visibility controlled by entity permissions)
  • Create Link Menu Items for training resources, shared to all partner roles
  • Create Link Menu Items for premium marketing resources, shared only to "Gold Partner" and "Platinum Partner" roles
  • Use Folders to organize resources by category

Result: All partners see the Partner Portal App and basic navigation. Premium resources are visible only to higher-tier partners based on role sharing.

Scenario 2: Regional Navigation

Requirement: Users in different geographic regions should see region-specific content and resources.

Implementation:

  • Create user groups for each region (North America, EMEA, APAC)
  • Create a "Regional Resources" App assigned to all regional groups
  • Create Link Menu Items for each region's content, shared to the corresponding regional group
  • Create Web Menu Items for region-specific external resources, shared to appropriate regional groups

Result: Users see only the resources relevant to their region based on group membership. The same App structure serves all regions with regionally-filtered content.

Scenario 3: Feature-Based Navigation

Requirement: Users should access storefronts based on their assigned access levels.

Implementation:

  • Create Storefronts with appropriate sharing configuration for target audiences
  • Feature Menu Items are automatically generated for each feature
  • Add Feature Menu Items to appropriate Apps through the Menu Builder
  • Feature visibility is controlled by each feature's sharing settings

Result: Users see Feature Menu Items only for features they have access to. Navigation automatically reflects feature-level permissions.

Best Practices

Security Planning

Map Roles to Navigation: Before creating Apps and Menu Items, map security roles to navigation requirements. Identify which roles need access to which content and functionality.

Use Groups for Cross-Role Access: When navigation requirements span multiple roles (e.g., regional content for users in various roles), use user groups to provide access without modifying role assignments.

Document Security Decisions: Maintain documentation of App assignments, Menu Item sharing, and the business rationale for each configuration. This aids troubleshooting and future maintenance.

Layered Security Approach

App-Level for Broad Access: Use App-level role and group assignments to control access to entire navigation experiences. This provides the first layer of security.

Menu Item-Level for Granular Control: Use Menu Item sharing (for Link and Web types) to provide granular control within Apps. This allows different users to see different subsets of navigation within the same App.

Feature-Level for Content Security: For Feature Menu Items, rely on feature-level sharing and permissions. This ensures navigation visibility aligns with content access.

Testing and Validation

Test Across User Types: After configuring navigation security, test by logging in as users with different roles and group memberships. Verify that each user type sees appropriate Apps and Menu Items.

Verify Folder Behavior: Test scenarios where some Menu Items within a Folder are visible and others are not. Confirm Folders hide appropriately when all children are invisible.

Test Permission Changes: Verify that navigation updates appropriately when user roles, group memberships, or sharing configurations change.

Ongoing Maintenance

Review After Security Changes: When security roles or user groups are modified, review navigation configuration to ensure continued alignment with access requirements.

Audit Navigation Access: Periodically audit navigation visibility to ensure it remains appropriate for each user type. Check for unintended access or missing navigation options.

Coordinate with Feature Administrators: When features that generate Feature Menu Items are created or modified, coordinate with feature administrators to ensure navigation and feature security align.

Troubleshooting

User Cannot See an App

Issue: A user reports they cannot see an App in the App Selector.

Solution: Verify the following:

  • The App is assigned to at least one security role the user belongs to, OR
  • The App is assigned to at least one user group the user is a member of
  • Check the user's current role and group assignments in user management

User Can See App but Not Specific Menu Items

Issue: A user can access an App but cannot see certain Menu Items within it.

Solution: Check the Menu Item type and corresponding visibility control:

  • For Link/Web Menu Items: Verify sharing includes the user's role or group
  • For Entity Menu Items: Verify the user has system permissions on the entity
  • For Active Page Menu Items: Verify the user has access to the Active Page
  • For Feature Menu Items: Verify the user has access to the underlying feature

Folder Not Appearing

Issue: A Folder configured in an App does not appear in navigation for certain users.

Solution: Folders hide automatically when none of their child Menu Items are visible. Check visibility for all Menu Items within the Folder. At least one Menu Item must be visible for the Folder to appear.

Navigation Not Updating After Security Changes

Issue: Changes to roles, groups, or sharing do not appear to affect navigation.

Solution: Navigation visibility is evaluated at runtime. Users may need to refresh their browser or log out and back in to see updated navigation. Verify that security changes were saved successfully.

Unexpected Menu Item Visibility

Issue: Users can see Menu Items they should not have access to.

Solution: Review the visibility chain:

  • For Link/Web Menu Items: Check sharing configuration for overly broad role or group assignments
  • For Entity Menu Items: Review entity permission settings
  • For Active Page Menu Items: Review Active Page access configuration
  • For Feature Menu Items: Review feature-level sharing and permissions
  • Remember that role OR group membership grants access; users may qualify through unexpected paths

Last updated on 1/14/2026
