Setting up user permissions in EPiServer CMS, part 2
This post is about setting up user permissions in EPiServer CMS. It is meant as a basic introduction. Part two (this post!) is about how administrators create a well-defined and natural permission structure which is easy to maintain. Part one was an introduction to the different provider models which you can use with your website.
Stop poking web.config!
At the end of part one we had a look at how to grant web editors and administrators access to the web editor and administrator interfaces. This is configured in web.config as shown in the image below.
Note that there are two location nodes: DBLOGUI and DBLOGUI/Admin. Administrators and web editors both have access to DBLOGUI. This means that both groups have access to http://website/DBLOGUI/<AnyPathThatFollows>.
However, we want to explicitly limit access to the path http://website/DBLOGUI/admin to only administrators. We do this by adding a location path to DBLOGUI/admin and only allowing the roles of WebAdmins and Administrators to access it.
If you use groups in an Active Directory then you should prefix them with the domain name. Like so: DOMAIN\GroupName.
If there is a possibility that more than one type of web editor group is going to exist then it is advisable that you create one generic web editors group that only has access to the edit interface. Why? Because every time you add a group to web.config to allow access to the edit interface, the application pool of the website is recycled.
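The two location nodes described above could look like the following. This is an added example, not the configuration from the original post's image; the generic group name WebEditors and the `DOMAIN\` prefix in the comment are assumptions for illustration.

```xml
<configuration>
  <!-- Edit interface and everything below it:
       http://website/DBLOGUI/<AnyPathThatFollows> -->
  <location path="DBLOGUI">
    <system.web>
      <authorization>
        <!-- One generic editors group, so that new editor groups
             never have to be added here (no web.config change,
             no application pool recycle). With Active Directory
             groups, use the prefixed form, e.g. DOMAIN\WebEditors. -->
        <allow roles="WebEditors, WebAdmins, Administrators" />
        <!-- Rules are evaluated top to bottom and the first match
             wins. Without this final deny, everyone who did not
             match the allow rule falls through to the inherited
             default, which allows all users. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Admin interface: the more specific path overrides the rule
       above, so WebEditors is left out on purpose. -->
  <location path="DBLOGUI/admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

When reviewing an existing web.config, check that every location node ends with the deny rule and that the admin node lists only a subset of the roles allowed on the edit interface.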
Using EPiServer CMS to configure permission levels
If the website implements the SqlServerRoleProvider and SqlServerMembershipProvider then groups are created and maintained in the administrator’s interface of EPiServer CMS. If the WindowsMembershipProvider or ActiveDirectoryMembershipProvider is used then these accounts are managed in Windows and in Active Directory.
All web editors should belong to the web editors group since this group gives them access to the edit interface. But in order to grant them different permission levels in the page tree we need to create different web editor groups. The following image gives an example of this:
Beside WebAdmins and WebEditors, three more groups are defined:
A WebEditor can belong to one or more of these groups aside from the generic WebEditors group. In this manner we can maintain a manageable structure in the page tree without the need to edit web.config each and every time we add or delete a group.
These groups can then be added to the page tree: