Revisioning for categorized content
On this page we'll take the basic Revisioning tutorial one step further to configure a simple content revision workflow for content that is divided into categories (vocabularies, taxonomies). So far we've implemented this:
Authors write content that prior to being made publicly visible must be reviewed (and possibly edited) by moderators. Once the moderators have published content, authors should be prevented from modifying it while “live”, but they should be able to submit new revisions to their moderators.
Our next task is to realise this:
Both authors and moderators should be allowed to only access content relevant to their departments.
[If you need authors and moderators to view all content but only edit content relevant to their departments, then look at using TAC rather than TAC-Lite.]
So we're looking at the separation of access by taxonomy, more so than by content type (Page, Story, etc.). The latter is easily established using the "edit any|own type content" permissions (User management >> Permissions, node section) in combination with the "view any|own type content" permissions (revisioning section).
This page is self-contained. If you've just completed the steps of the basic Revisioning tutorial, simply install the TAC-Lite module and skip to step 5.
- Log in to your Drupal installation as administrator.
- Download, install and enable the Module Grants (including Module Grants Monitor), Revisioning and TAC-Lite modules as per their README instructions. If you'd like to compare revisions side-by-side with the differences auto-highlighted, then also install the Diff module.
- With Revisioning loaded, the Accessible content menu item comes with an additional In draft/Pending moderation tab. The content summary shown, which includes each content's vocabulary (i.e. category) term, is a direct reflection of the logged-in user’s permissions and vocabulary grants. For administrators (and other roles with the "administer nodes" permission) the I can edit and I can view tabs will normally show all content on the site, also when All is selected.
- Under Administer >> Content management >> Content types, click edit next to the content types for which you wish to enable/disable revisioning. Under Workflow settings, "Default options", tick both the "Create new revision" and "New revisions in moderation" boxes. Also in this section untick "Published". Press “Save content type”.
- Navigate to User management>>Roles to create some author roles, e.g. Sports Author and Arts Author, and one or more Moderator roles.
- Under User management>>Permissions give the author roles “create content” permissions for the desired content types but none of the edit or delete permissions. As explained here these node module permissions take precedence over the access control grants used by modules like TAC-Lite and Workflow. So you need to switch off all of these in order to let modules using grants do their thing. Most importantly switch off “administer nodes” as this gives roles unconditional access to all nodes. Give Authors and Moderators the “view revisions” (node module section, or the relevant "view revisions of any|own content" from the revisioning module section) and “edit revisions” (revisioning module) permissions. Give Moderators the “revert revisions”, “publish revisions” and “unpublish current revision” permissions. You may not want to give any role the “delete revisions” permission, so that a full audit trail is always kept. Finally, under the module_grants_monitor section tick, at a minimum, "access I Can View tab", "access I Can Edit tab" and "access All tab" for authenticated users. Add "access Pending tab" (revisioning section) for Moderators. Press “Save permissions”.
- Create at least one user in the Sports Author role, one in the Arts Author role, and one in the Moderator role: User management>>Users>>Add user
- Go to Content management>>Taxonomy to Add vocabulary e.g. “department”. On the same page attach the vocabulary to the content types that require it. Press Save, then add some terms, for example “sports”, “arts”, “science”.
- Go to User management>>Access control by taxonomy.
There are a couple of ways to create access schemes. One is outlined in the comment to this page (thanks: johnmunro). Another one is to equate a "scheme" to a role and then proceed as follows. Select the “department” vocabulary, set the number of schemes to 4 and press “Save configuration”. Now click Scheme 1 (name it “sports author”) to assign view and update grants associated with the “sports” term to the Sports Author only. Then using Scheme 2 (“arts author”) do the same for the “arts” term in relation to the Arts Author. Keeping things simple for now, use Scheme 3 to grant view, update and delete (if desired) access for all terms to the Moderator role. You may refine this later with more moderators. Finally, if the departmental content is to be viewed by the public, then use Scheme 4 (“public”) to grant view access only for all terms to anonymous users only. Do not include "authenticated users" in the "public" scheme as this will result in authors being able to create content for departments they don't belong to. Save.
Finally, go to Administer>>Content management>>Post settings and press “Rebuild permissions”. This will bring any existing grants in the node_access table in line with the newly edited vocabulary grants.
You should now be in business. Log in as one of the authors and Create content for the selected department. Save. Log out.
Log in as a moderator to inspect the revised content queue via the Accessible content>>In draft/Pending moderation tab. Click on the title of the content and then on the next page, pick the desired revision by clicking on its saved date. The page that appears next displays the content prepared by the author. Above the content you will find Edit this and Publish this links. Click the Publish this link and on the next page confirm. Log out to see the now public content.
Log in as one of the authors in another department. Note that under Accessible content authors (and moderators) cannot see or share other authors' content unless they're part of the same department, which is exactly what we aimed for. Also note that under Create content the department drop-down only shows the department(s) the logged-in author belongs to.
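The scheme arithmetic behind step 9 and its warning about the "public" scheme, as an added example (not part of the original tutorial and not TAC-Lite's own code). It assumes grants from all schemes are OR-ed per user and that the department drop-down offers every term a user holds any grant for; the user names are constructed.

```python
# Simplified model of the four schemes from step 9 (illustrative only).
# Assumptions: a user holds every grant that any scheme gives to any of
# their roles, and a term is selectable on the node form as soon as the
# user holds any grant for it.
TERMS = {"sports", "arts", "science"}

def schemes(public_roles):
    """Step 9's schemes as (name, operations, {role: granted terms})."""
    return [
        ("sports author", {"view", "update"}, {"Sports Author": {"sports"}}),
        ("arts author", {"view", "update"}, {"Arts Author": {"arts"}}),
        ("moderator", {"view", "update", "delete"}, {"Moderator": set(TERMS)}),
        ("public", {"view"}, {role: set(TERMS) for role in public_roles}),
    ]

def effective_grants(user_roles, scheme_list):
    """Return {term: operations} for a user holding user_roles."""
    grants = {}
    for _name, ops, role_terms in scheme_list:
        for role in user_roles:
            for term in role_terms.get(role, ()):
                grants.setdefault(term, set()).update(ops)
    return grants

def audit(users, scheme_list, home):
    """List (user, term) pairs where a user reaches a term outside home[user]."""
    findings = []
    for user, roles in users.items():
        extra = set(effective_grants(roles, scheme_list)) - home[user]
        findings += [(user, term) for term in sorted(extra)]
    return findings

# Constructed sample users; every logged-in user also carries the
# built-in "authenticated user" role.
USERS = {
    "alice": {"authenticated user", "Sports Author"},
    "bob": {"authenticated user", "Arts Author"},
}
HOME = {"alice": {"sports"}, "bob": {"arts"}}

if __name__ == "__main__":
    print("as documented:", audit(USERS, schemes(["anonymous user"]), HOME))
    print("misconfigured:",
          audit(USERS, schemes(["anonymous user", "authenticated user"]), HOME))
```

Running the audit against a planned role/scheme matrix before pressing "Rebuild permissions" shows which departments each account would reach.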

Step 9 unnecessarily complicated
The existing instructions for step 9 work for a few author and a few moderator roles but become unmanageable for something like 5 author roles and 5 moderator roles (e.g. 5 departments). Were these instructions created for a version of TAC-Lite significantly older than 6.x-1.3?
Consider revising to:
This has the disadvantage of not allowing authors or moderators to even view public content from other departments while logged in, however the existing instructions appear to have the same effect.
authors/moderators can't even VIEW public content?
So what if moderators & authors want to look at something from another department? Does somebody have to tell them they'll have to log out first?
Cos that's not acceptable. In fact, it's pretty much in laughable territory. I mean, imagine as an admin having to tell every user who ever gets given the role of Moderator or Author that they'll have to log out to view content in other departments? Basically, that they're less powerful than an anonymous user!
But, if it's right that "the existing instructions appear to have the same effect" (which I was kinda thinking they did myself) then this is a problem. I mean, this is drupal.org's tutorial section on "content publication workflows". Somewhere you expect to come to find solutions to common use cases (hopefully covering MOST use cases between them). Not somewhere you expect to find flawed & unimplementable solutions.
Another approach
To avoid increasing the number of moderator/author-specific roles, I suggest another "matrix" approach:
Now the only thing you have to do is assign 2 roles per user, like this:
LIMITATIONS: this approach, like the others described above, will fail when you need a moderator to be able to moderate more than one department.
A good solution (I think) to resolve all problems may be the following:
With this solution we can have more possibilities to manage departments: a Moderator can moderate more than one selected category (department) but manage ONLY the content of his child users.
Sorry for my bad English, I hope that I have made myself clear.
I'm not a programmer: could someone develop the module described above?
Thanks
MXT
Something not clear to me
In step 9 it says...
I don't get it. Why will authors be able to create content (for departments they don't belong to) when they're not being given a "create content" permission? It says "grant view access only"?
Indeed if you give view
The problem is in tac_lite, maintainer says (http://drupal.org/node/464116)