Security Overview - Sitecore

Overview

By default the Everyone role is granted Read access at the /sitecore root. This article outlines the fundamentals of restricting your website's pages to authorized users.


Notes

Storage



Built-In Roles




Miscellaneous



Security Assignment Dialog

Although within Sitecore's Security Editor you can edit some permissions for items, you can't manage the full set of permissions except through the assignment dialog, which is opened via the Security > Assign button.

Security > Assign button


The Security Assignment dialog shows four sets of permissions for the selected user/role.
Security > Assign dialog
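The same review can be done programmatically. The following is an added example, not code from the original article: it walks the items under a site root, reports where the extranet\Everyone role still has effective Read access (inherited rules included), and optionally breaks Read inheritance for that role so a specific member role can be granted access instead. The class and method names, the "master" database and the root path passed in are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Security.AccessControl;
using Sitecore.Security.Accounts;
using Sitecore.SecurityModel;

// Added example, not code from the original article. Class and method names
// and the "master" database are assumptions; pass your own site root path.
public static class EveryoneReadAudit
{
    // Returns the full paths of items under rootPath where extranet\Everyone
    // has effective Read. When breakInheritance is true, Read inheritance is
    // denied for that role on each such item (an explicit Deny would also hit
    // authenticated extranet users, since every extranet account is in Everyone).
    public static IList<string> Run(string rootPath, bool breakInheritance)
    {
        Database master = Database.GetDatabase("master");
        Item root = master.GetItem(rootPath);
        if (root == null)
            throw new ArgumentException("Item not found: " + rootPath);
        Account everyone = Role.FromName(@"extranet\Everyone");
        var exposed = new List<string>();
        var items = new List<Item> { root };
        items.AddRange(root.Axes.GetDescendants());

        foreach (Item item in items)
        {
            if (!AuthorizationManager.IsAllowed(item, AccessRight.ItemRead, everyone))
                continue;

            exposed.Add(item.Paths.FullPath);
            if (!breakInheritance)
                continue;

            // Writing access rules is itself a secured operation; SecurityDisabler
            // lifts the check only inside this using block for the maintenance task.
            using (new SecurityDisabler())
            {
                AccessRuleCollection rules = item.Security.GetAccessRules();
                rules.Helper.AddInheritancePermission(everyone, AccessRight.ItemRead,
                    PropagationType.Any, AccessPermission.Deny);
                item.Security.SetAccessRules(rules);
            }
        }
        return exposed;
    }
}
```

Run it first with breakInheritance set to false and review the returned paths before writing any rules.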






User Domain Setup

Although you can write code to create a Sitecore user without specifying a domain, the Sitecore admin UI (Security Editor, Access Viewer, etc.) won't work for such a user, so you are strongly encouraged to create users within a domain. This affects two areas of your code: the Login page and the User Registration page. Assign a domain to each site in your Sitecore installation through its site node in web.config.

Login Page

using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Login : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        /*--- Set the navigation url for the Register hyperlink ---*/
        var registerHyperLink = (HyperLink)uxLogin.FindControl("RegisterHyperLink");
        registerHyperLink.NavigateUrl = "~/Register.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]);

        uxLogin.RememberMeSet = false;

        if (!IsPostBack)
        {
            /*--- Restore the remembered username, if any ---*/
            var c = Request.Cookies["username"];

            if (c == null)
            {
                uxUsernameTextBox.Text = "";
            }
            else
            {
                uxUsernameTextBox.Text = c.Value;
                uxLogin.RememberMeSet = true;
            }
        }
    }

    /* The Login control renders its own UserName text box; look it up by id. */
    protected TextBox uxUsernameTextBox { get { return uxLogin.FindControl("UserName") as TextBox; } }

    protected void uxLogin_LoggedIn(object sender, EventArgs e)
    {
        /*--- Inits ---*/
        var url = Request.QueryString["url"];

        /*--- Remember/Forget Username (standard HttpCookie API) ---*/
        if (uxLogin.RememberMeSet)
        {
            var cookie = new HttpCookie("username", uxUsernameTextBox.Text)
            {
                Expires = DateTime.Now.AddDays(365),
                HttpOnly = true
            };
            Response.Cookies.Add(cookie);
        }
        else
        {
            /* A cookie is removed by sending it back already expired */
            Response.Cookies.Add(new HttpCookie("username", "") { Expires = DateTime.Now.AddDays(-1) });
        }

        /*--- Redirect ---*/
        var url2 = url == null ? null : Server.UrlDecode(url);

        /* Only follow application-relative return URLs. Redirecting to an absolute or
           protocol-relative value taken from the query string would make the login
           page an open redirect. */
        if (string.IsNullOrEmpty(url2) || !IsLocalUrl(url2))
        {
            Response.Redirect("~/"); // Main page for authenticated users
        }
        else
        {
            Response.Redirect(url2);
        }
    }

    private static bool IsLocalUrl(string url)
    {
        return url.StartsWith("~/")
            || (url.StartsWith("/") && !url.StartsWith("//") && !url.StartsWith("/\\"));
    }

    /*  This field and the LoggingIn and LoginError event procedures place the user
        in the correct domain for the current site.  This way the user doesn't have
        to specify the domain, logging in (for example) as "johndoe" instead of
        "domain\johndoe". */

    private string _usernameEntered = string.Empty;

    protected void uxLogin_LoggingIn(object sender, LoginCancelEventArgs e)
    {
        /* Prefix the typed name with the current site's domain, e.g. "extranet\johndoe" */
        var domainUser = Sitecore.Context.Domain.GetFullName(uxLogin.UserName);

        if (System.Web.Security.Membership.GetUser(domainUser) != null)
        {
            _usernameEntered = uxLogin.UserName;
            uxLogin.UserName = domainUser;
        }
    }

    protected void uxLogin_LoginError(object sender, EventArgs e)
    {
        /* Show the user what they typed, not the domain-qualified name */
        uxLogin.UserName = _usernameEntered;
    }
}

Registration Page

using System.Web.Security;
using System.Web.UI.WebControls;

/* Code-behind for the Register.aspx page linked from the Login page;
   uxCreateUserWizard is the page's CreateUserWizard control. */
public partial class Register : System.Web.UI.Page
{
    private string _usernameEntered = string.Empty;

    protected void uxCreateUserWizard_CreatingUser(object sender, LoginCancelEventArgs e)
    {
        /*  Prefix what the user typed for a username with the domain for the current site.
            Retain what the user typed in case the registration fails. */
        var domainUser = Sitecore.Context.Domain.GetFullName(uxCreateUserWizard.UserName);
        _usernameEntered = uxCreateUserWizard.UserName;
        uxCreateUserWizard.UserName = domainUser;
    }

    protected void uxCreateUserWizard_CreateUserError(object sender, CreateUserErrorEventArgs e)
    {
        /* Restore what the user typed */
        uxCreateUserWizard.UserName = _usernameEntered;

        /* Other error-handling: show a message in the wizard's ErrorMessage literal */
        var errorLabel = (Literal)uxCreateUserWizard.CreateUserStep
            .ContentTemplateContainer.FindControl("ErrorMessage");

        if (e.CreateUserError != MembershipCreateStatus.Success)
        {
            var ex = new MembershipCreateUserException(e.CreateUserError);

            if (e.CreateUserError == MembershipCreateStatus.InvalidPassword)
            {
                errorLabel.Text = "The password supplied is invalid. Passwords must conform to the password strength requirements.";
            }
            else
            {
                errorLabel.Text = ex.Message;
            }
        }
    }
}

Password Recovery Page

Be sure to "convert" the username typed by the user to a domain username before passing it to the membership provider:

var domainUser = Sitecore.Context.Domain.GetFullName(uxUserNameTextBox.Text);

General User Access Setup Procedure

Web.Config



Sitecore Security Editor

Within the Master database, assign the following permissions.





Administrative User Access Setup Procedure

Company Administrator Role




Site Administrator Roles