Limit read access to a subtree to a certain role in Sitecore

I've been struggling with this off and on for months, and it may be non-trivial to answer.

What is the easiest way to limit public access to an item and its subitems to members of a single role? (Editors still need to be able to edit the item.)

e.g. There's a role, extranet/clubmember, and items,

- Clubhouse
 | - Items
 | - Inside
 | - Clubhouse

And I want extranet/clubmember members to be able to read the items and subitems, sitecore/* members (Or, say, sitecore/editor) to h开发者_如何学编程ave edit access, and everyone else (in default and extranet domains) to be denied.

Second, does this solution still work with a custom role and membership providers for extranet? Why or why not, or what methods do I need to implement? I recall from earlier experiments that my custom role provider seems to affect Inheritance permissions in particular.

---

Have you tried the following:

• uncheck Inherit for Everyone (the global one) to Clubhouse root
• explicitly allow Read for extranet\clubmember to Clubhouse root
• explicitly allow Read/Write for sitecore\Everyone to Clubhouse root

Explicit assignments always win. So, that scheme should have the effect you expect.