How to give a Sitecore non-administrator user the capability to unlock items locked by idle users

Because so many of its features and functionalities are configurable, Sitecore always seems like a jigsaw puzzle to me. Recently, one of the scenarios I came across was this: content editors locked content items and didn't unlock them after editing, and the manager concerned wanted overriding permissions to unlock the items. This seemed like a common scenario across the world. It is probably well known that Sitecore administrators can view locked items and unlock them, but it wouldn't be judicious to give just anyone administrator capability. In this blog post, I cover the step-by-step process to create a role that lets a user view the locked items report and unlock items without being allocated administrator permission directly. In other words, under the hood, the user is toggled to admin only to view/unlock items and is then back to their original permissions.

Prerequisites:

- Running Sitecore instance (10.4.0 in my case)

- Sitecore PowerShell Extensions (SPE) (6.4 in my case)

Once SPE is installed, it is no secret that if you are logged in as administrator, you can view the locked items report from the Start menu under Reporting Tools:


This is the wonderful SPE script by Michael West that actually does the job. In a Sitecore instance, it sits under /sitecore/system/Modules/PowerShell/Script Library/SPE/Tools/Security Management/Reports/Security Audit/Locked Items

Since I love this interface so much, here is how it looks while logged in as administrator:


On clicking Proceed, you should see the list of locked items along with the user who locked each item:


You can choose one item to unlock or unlock all items at once. Such a useful interface!

Before going any further, here are the different users created in the instance apart from the default admin user:

| User | Role |
| --- | --- |
| Tom | Sitecore Client Maintaining |
| navan | Sitecore Client Users |
| Jon | Sitecore Limited Content Editor |

Now, through Role Manager, create a new role and name it "Report User":


Since I did not want to touch the existing Locked Items report, I created a separate menu option for the locked item report but this time for non-admin access. Although the script body is the same, I didn't use the same item mainly because the menu options need to work differently for the non-admin's report and I didn't want to disturb the existing admin functionality in the process.

Although it was just a replication of the structure, here are the steps for reference:

1. Create a PowerShell Script module folder named Non-Admin at the same level as /sitecore/system/Modules/PowerShell/Script Library/SPE/Tools/

2. Create a PowerShell Script module named Security Reports under Non-Admin at the same level as /sitecore/system/Modules/PowerShell/Script Library/SPE/Tools/Security Management

3. Since I just need the locked items report for now, I copied over the "Locked Items" item, renamed it "Locked Items Report" and placed it under /sitecore/system/Modules/PowerShell/Script Library/SPE/Non-Admin/Security Reports/Reports

4. I also need to modify the Unlock All and Unlock menu options, so I copied only those two items from /sitecore/system/Modules/PowerShell/Script Library/SPE/Tools/Security Management/Internal/List View/Ribbon/Item to /sitecore/system/Modules/PowerShell/Script Library/SPE/Non-Admin/Security Reports/Internal/List View/Ribbon/Item

Summary:

| Source | Destination | Template |
| --- | --- | --- |
| Tools | Non-Admin | PowerShell Script Module Folder |
| Security Reports | Security Management | PowerShell Script Module |
| Internal | Internal | PowerShell Script Library |
| Reports | Reports | PowerShell Script Library |

So, here is the new folder structure for reference:


Most importantly, remember to rename the view name in the script body of the new Locked Item Report item from LockedItems to LockedItemReport:


Now, similar to how other sample reports are configured, add a role-based rule for the new items, but point the rule to the new view named LockedItemsReport:

/sitecore/system/Modules/PowerShell/Script Library/SPE/Non-Admin/Security Reports/Reports


The same goes for the Unlock All and Unlock ribbon items: customise the Edit rules field of the item(s) to work for the new Locked Items Report as follows:


Within the newly copied Unlock All and Unlock items, add the new logic that uses the elevated access just to unlock the item:

Unlock All:

********
********

Unlock:

#########
#########

Beware: in the above two scripts, sitecore\admin is hard-coded as the elevated user, and if the Report User role is assigned to the sitecore\admin user, their admin access might be blocked, so there is a need for a safety net that checks for the sitecore\admin user!

Nevertheless, with that setting in place, log in as navan, configured with the following roles:
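
One way the elevate-only-to-unlock logic and the sitecore\admin safety net described above could look, as an added example that is not the post's original Unlock script. It assumes the script runs as an SPE list view ribbon action with the selected rows available in $selectedData, and that the Report User role was created in the sitecore domain.

```powershell
# Added example, not the post's original script.
# Assumptions: runs as an SPE list view ribbon action, where $selectedData holds
# the selected report rows (Sitecore items); the role lives in the 'sitecore' domain.
$elevatedName = 'sitecore\admin'        # elevated account named in the post
$requiredRole = 'sitecore\Report User'  # role created in the post (domain assumed)

$caller = [Sitecore.Context]::User

# Safety net: an administrator (including sitecore\admin itself) needs no
# impersonation, so unlock directly and leave the account untouched.
if ($caller.IsAdministrator -or $caller.Name -ieq $elevatedName) {
    $selectedData | ForEach-Object { Unlock-Item -Item $_ }
    return
}

# Re-check role membership inside the script before elevating.
if (-not $caller.IsInRole($requiredRole)) {
    Write-Error "User $($caller.Name) is not allowed to unlock items."
    return
}

$elevated = [Sitecore.Security.Accounts.User]::FromName($elevatedName, $false)
$switcher = New-Object Sitecore.Security.Accounts.UserSwitcher $elevated
try {
    foreach ($item in $selectedData) {
        if (-not $item.Locking.IsLocked()) { continue }
        $owner = $item.Locking.GetOwner()
        Unlock-Item -Item $item
        # Record the real caller, since the unlock itself runs as the elevated account.
        [Sitecore.Diagnostics.Log]::Audit(
            "Unlock on behalf of $($caller.Name): $($item.Paths.FullPath) (was locked by $owner)",
            $caller)
    }
}
finally {
    # Always drop the elevated context, even when an unlock throws.
    $switcher.Dispose()
}
```

The elevated context exists only inside the try block, so the caller's own account and roles are never modified.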

- Sitecore Client Users

- Report User


Start menu for navan at this point:

Now, log in as admin, switch to the core database and grant read permission on the PowerShell Reports menu to the Report User role as shown below:


That's it. Log in as navan and the new locked items report should be accessible:


Remember our old Jon and Tom? Their access is shown here for reference:


Redundant Tom:

Note that Tom already has access to PowerShell reports due to his Sitecore Client Maintaining role, so the Report User role is redundant in his case and is added here just for demonstration.

End-result:

