Sitecore Security: Users, Roles, and Permissions


One of the foundational pieces of a Sitecore solution is the content authoring users, roles, and the permissions to access Sitecore content and media, which matters especially in a multi-site instance. The following describes a general approach for creating roles and users in a multi-site Sitecore instance that I have used in production for many solutions, and it has worked well. This basic approach was passed down to me by our VP of Web Solutions, Jeff Stoll. Here we go!

We start by creating two types of roles:

1) Action roles
Roles that simply inherit from Sitecore built-in roles to provide the functionality or actions the user can perform. Sitecore built-in roles are described in detail here: https://doc.sitecore.net/en/Products/Sitecore_Experience_Platform/Security_and_administration/The_security_roles.aspx

2) Site permission roles
Each site in the solution has a Site role which is assigned read and write access to that specific site's content in the content tree and media library.

A user is created by assigning the user to at least one action role and at least one site role; some super-users are assigned to many site roles.

Let's take a look at this with an example. In our example solution, we have two sites, Site One and Site Two, and we have a couple of flavors of users: those that simply edit content, which we'll call "Content Authors", and others that can edit and publish content, which we'll call "Content Publishers".

First, we'll create the Action Roles for the example company Acme as follows:

Action Role "Acme Content Author"
Inherits Sitecore built-in roles "Author" and "Sitecore Client Translating".

Action Role "Acme Content Publisher"
Inherits Sitecore built-in roles "Author", "Sitecore Client Translating", and "Sitecore Content Publishing".

You could inherit "Acme Content Author" and "Sitecore Content Publishing" to accomplish this as well, but I prefer to use base roles, which can be a little easier if you end up morphing roles into something beyond a Content Publisher being a Content Author who can publish.

Next, the second dimension of roles for a user: the Site roles. They do not inherit built-in roles and are used to set permissions to access a specific site's content and media. In our example they are as follows:

Site One: This role is given read and write access to Site One content and media.
Site Two: This role is given read and write access to Site Two content and media.

Now, let's say we have user Bill who will be content authoring Site One. We will assign him to the following roles:

Acme Content Author (action role)
Acme Site One (site role)

Now, let's say we have user Mary who content authors and publishes for all sites. We'll assign her to the following roles:

Acme Content Publisher (action role)
Acme Site One (site roles)
Acme Site Two

To summarize, we create roles for Action and roles for Site permissions and put a user into at least one action role and at least one site role.

Another thing to consider is workflow. For some commands in our workflow, we restrict those so that the "Acme Content Author" cannot access them, because in our example only the "Acme Content Publisher" can approve content, which auto-publishes. Here's an example of restricting the commands in the Approval state from the content author action role:

[Screenshot: WorkflowPermissions]

Another tip for workflow, not necessarily related to the focus of this blog but worthwhile nonetheless, is to create one base data template, for example named "Base Workflow", and inherit this template in all data templates. Then you control workflow in one place from the "Base Workflow" data template. Often, during the initial blast of content into a site that has not launched, workflow can be cumbersome, especially for the newbies to Sitecore doing that initial content entry. So you may want to have workflow in place but not turn it on until the site has launched. Then you can quickly turn it on for all content in the content tree by setting it in "Base Workflow" in seconds.

Tip: To find out what roles a user is assigned to, edit the user and select "Member Of". This will give you a complete list of all the roles and the roles they inherit from.

[Screenshot: UserMemberOf]

This can be overwhelming, and it is not what you want to see when you need to know which roles to assign to a new user who should behave the same way. Click the "Edit" button and you will see only the roles the user was assigned to directly, not all the inherited roles.

[Screenshot: UserMemberOfEdit]

This set is the one you would use to assign a new user so they act the same way.

That's all for now on users, roles, permissions and a little bit about workflow.
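To make the two-dimensional scheme above and the "Member Of" versus "Edit" distinction concrete, here is an added Python model (not Sitecore code and not from the original post) of the example roles: it resolves a user's effective roles the way "Member Of" does, lists the site content a user can reach through site roles, and flags a user who is missing an action or a site role. The role and user names are the ones from this post; the content paths and the extra user "newhire" are assumptions.

```python
# Added model of the Acme role scheme from the post (not Sitecore API code). A role
# "inherits" a built-in role by being a member of it, so membership is transitive.
INHERITS = {
    "sitecore\\Acme Content Author": {"sitecore\\Author",
                                     "sitecore\\Sitecore Client Translating"},
    "sitecore\\Acme Content Publisher": {"sitecore\\Author",
                                        "sitecore\\Sitecore Client Translating",
                                        "sitecore\\Sitecore Content Publishing"},
    "sitecore\\Acme Site One": set(),  # site roles inherit nothing
    "sitecore\\Acme Site Two": set(),
}
ACTION_ROLES = {"sitecore\\Acme Content Author", "sitecore\\Acme Content Publisher"}
# Site role -> content root it is granted read/write on (paths are assumed).
SITE_ROLES = {"sitecore\\Acme Site One": "/sitecore/content/Site One",
              "sitecore\\Acme Site Two": "/sitecore/content/Site Two"}

# Direct assignments (what "Edit" shows); "newhire" is deliberately misconfigured.
USERS = {
    "sitecore\\bill": {"sitecore\\Acme Content Author", "sitecore\\Acme Site One"},
    "sitecore\\mary": {"sitecore\\Acme Content Publisher",
                       "sitecore\\Acme Site One", "sitecore\\Acme Site Two"},
    "sitecore\\newhire": {"sitecore\\Acme Content Author"},
}

def effective_roles(direct):
    """Direct plus inherited roles, i.e. what the "Member Of" list shows."""
    seen, todo = set(), list(direct)
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(INHERITS.get(role, ()))
    return seen

def site_access(user):
    """Content roots the user can read and write, granted by site roles only."""
    return sorted(p for r, p in SITE_ROLES.items() if r in USERS[user])

def can_publish(user):
    # Publishing is only ever granted through the inherited built-in role.
    return "sitecore\\Sitecore Content Publishing" in effective_roles(USERS[user])

def check_user(user):
    """Problems with a user's direct roles: need >= 1 action and >= 1 site role."""
    direct, problems = USERS[user], []
    if not direct & ACTION_ROLES:
        problems.append("no action role")
    if not direct & set(SITE_ROLES):
        problems.append("no site role")
    return problems
```

Running check_user over every account after a change is a cheap way to catch a user who was given an action role but no site role (or the reverse) before they report that they cannot see any content.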