Jasinski Technical Wiki


Home Page
All Pages

Quick Search
Advanced Search »

Contributor Links

Create a new Page
File Management
Your Profile

Other Wiki Sections



Security Overview - Sitecore

Modified on Wed, Aug 01, 2012, 5:01 PM by Administrator Categorized as Sitecore


By default the Everyone user is granted Read access at /sitecore root. This article outlines the fundamentals of securing your website's pages to authorized users.



  • Users, roles, and membership are stored in the Core database.

  • Item permissions are stored in the Master database. So if you change item permissions, you must publish the site (or affected items) before the new permissions will become effective on the live site.

Built-In Roles

  • Role "sitecore\Sitecore Client Users" allows user to log into the Sitecore admin interface. However, they have the bare minimum of features on the desktop.

  • Role "sitecore\Sitecore Client Authoring" (which is a member of "sitecore\Sitecore Client Users") allows the user to open the Content Editor and Media Library in the Master database, but not to edit anything.

  • Role "sitecore\Sitecore Client Publishing" (which is a member of "sitecore\Sitecore Client Users") gives the user access to the Publish ribbon, allowing the user to publish content.


  • When logging into the Sitecore admin site, if the user is not within the "sitecore" domain, then they must explicitly specify their domain (e.g., "extranet\johndoe").

  • Ability to see and use the Content Editor comes from two security permissions, both within the Core database.
    • Core:/sitecore/content/Documents and Settings/All users/Start menu/Left/Content Editor:Read — this causes the Content editor to appear on the menu
    • Core:/sitecore/content/Applications/Content Editor:Read — this grants the user the right to execute the Content Editor application

Security Assignment Dialog

Although within Sitecore's Security Editor you can edit some permissions for items, you can't manage the full set of permissions except through the assignment dialog, which is opened via the Security > Assign button.

Security  Assign button

Security > Assign button

The Security Assignment dialog shows four sets of permissions for the selected user/role.
Security  Assign dialog

Security > Assign dialog

  • For the selected role, the Permissions frame shows permissions for the item itself. These are on the left and labeled "Item".

  • For the selected role, the Permissions frame also shows permissions for the children of the current item. These are on the right and labeled "Descendants".

  • For the selected role, the Inheritance frame indicates whether the current item can inherit permissions from its parent. This is on the left and labeled "Item".

  • For the selected role, the Inheritance frame also indicates whether the current item's children can inherit permissions from it. This is on the right and labeled "Descendants".

User Domain Setup

Although you can write code to create a Sitecore user without specifying a domain, the Sitecore Admin UI (Security Editor, Access Viewer, etc.) won't work for such a user. You are therefore strongly encouraged to create users within a domain. This effects two areas of your code: the Login page and the User Registration page. Assign a domain to each site within your Sitecore installation by way of its site node within your web.config file.

Login Page

public partial class Login : System.Web.UI.UserControl
    protected void Page_Load(object sender, EventArgs e)
        /*--- Set the navigation url for the Register hyperlink ---*/
        var registerHyperLink = (HyperLink)uxLogin.FindControl("RegisterHyperLink");
        registerHyperLink.NavigateUrl = "~/Register.aspx?ReturnUrl=" + HttpUtility.UrlEncode(Request.QueryString["ReturnUrl"]);

        uxLogin.RememberMeSet = false;

        if (!IsPostBack)
            /*--- Restore remembered username(?) ---*/
            var c = Request.Cookies["username"];

            if (c == null)
                uxUsernameTextBox.Text = "";
                uxUsernameTextBox.Text = c.Value;
                uxLogin.RememberMeSet = true;

    protected TextBox uxUsernameTextBox { get { return uxLogin.FindControl("UserName") as TextBox; } }

    protected void uxLogin_LoggedIn(object sender, EventArgs e)
        /*--- Inits ---*/
        var url = Request.QueryString["url"];

        /*--- Remember/Forget Username ---*/
        if (uxLogin.RememberMeSet)
            Response.SetCookie("username", uxUsernameTextBox.Text, 365);
            Response.DeleteCookie("username", Request);

        /*--- Redirect (?) ---*/
        if (url == null)
            Response.Redirect("~/"); // Main page for authenticated users
            var url2 = Server.UrlDecode(url);

    /*  This field and the LoggingIn and LoginError event procedures place the user
        in the correct domain for the current site.  This way the user doesn't have
        to specify the domain, logging in (for example) as "johndoe" instead of
        "domain\johndoe". */

    private string _usernameEntered = string.Empty;

    protected void uxLogin_LoggingIn(object sender, LoginCancelEventArgs e)
        var domainUser = Sitecore.Context.Domain.GetFullName(uxLogin.UserName);

        if (System.Web.Security.Membership.GetUser(domainUser) != null)
            _usernameEntered = uxLogin.UserName;
            uxLogin.UserName = domainUser;
    protected void uxLogin_LoginError(object sender, EventArgs e)
        uxLogin.UserName = _usernameEntered;

Registration Page

private string _usernameEntered = string.Empty;

protected void uxCreateUserWizard_CreatingUser(object sender, EventArgs e)
    /*  Prefix what the user typed for a username with the domain for the current site. 
        Retain what the user typed in case the registration fails. */
    var domainUser = Sitecore.Context.Domain.GetFullName(uxCreateUserWizard.UserName);
    _usernameEntered = uxCreateUserWizard.UserName;
    uxCreateUserWizard.UserName = domainUser;

protected void uxCreateUserWizard_CreateUserError(object sender, CreateUserErrorEventArgs e)
    /* Restore what the user typed */
    uxCreateUserWizard.UserName = _usernameEntered;

    /* Other error-handling */
    Literal ErrorLabel = (Literal)uxCreateUserWizard.CreateUserStep

    if (e.CreateUserError != MembershipCreateStatus.Success)
        MembershipCreateUserException ex = new MembershipCreateUserException(e.CreateUserError);

        if (e.CreateUserError.ToString() == "InvalidPassword")
            ErrorLabel.Text = "The password supplied is invalid. Passwords must conform to the password strength requirements.";
            ErrorLabel.Text = ex.Message;


Password Recovery Page

Be sure to "convert" the username typed by the user to a domain username.

var domainUser = Sitecore.Context.Domain.GetFullName(uxUserNameTextBox.Text)

General User Access Setup Procedure


  • Within the /configuration/sitecore/sites/site for your site, set the loginPage attribute to the page to be redirected to, and set the requireLogin attribute to true only if EVERY page on the site (excluding the login page) will require the user to login. Set it to false otherwise. (It is more common to be set to false.)

  • Within /configuration/sitecore/settings/setting set Authentication.SaveRawUrl to true.

Sitecore Security Editor

Within the Master database, assign the following permissions.

  • Deny read access to domain\Anonymous to the root content item for your site. This will deny an anonymous user permission to view any site content except what is explicitly allowed.

  • Grant read access to domain\Anonymous to the public content pages, such as the following.
    • Password Recovery page
    • Help
    • Home
    • Privacy Statement
    • User Registration
    • Terms of Use

  • Grant read access to domain\Anonymous to whatever content items are required by the above public pages.

  • To the extranet\Everyone user grant (1) Language Read and (2) Language Write permission on /sitecore/System/Languages. This is to prevent the error: "The security settings for the current language prevent you from seeing this item. To continue, select another language from the Language drop-down list on the Versions tab" when a user in the extranet domain tries to edit an item on a multi-language implementation.

Administrative User Access Setup Procedure

Company Administrator Role

  • Create a new role called "sitecore\Company Administrator"

  • Make the sitecore\Company Administrator role a member of the following built-in roles
    • sitecore\Sitecore Client Publishing — this gives members permission to publish content; it is a member of sitecore\Sitecore Client Users
    • sitecore\Sitecore Client Users (indirectly) — this gives members permission to use the Sitecore admin site.

  • Within the Core database grant the sitecore\Company Administrator role Read permission to the following items
    • /sitecore/content/Documents and Settings/All users/Start menu/Left/Content Editor — this causes the Content Editor to appear on the members' menu
    • /sitecore/content/Documents and Settings/All users/Start menu/Left/Media Library — this causes the Media Library to appear in the members' menu
    • /sitecore/content/Documents and Settings/All users/Start menu/Left/Publish Site — this causes the Publish Site item to appear in the members' menu
    • /sitecore/content/Applications/Content Editor — this grants members the right to execute the Content Editor application
    • /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Write — this causes the Write ribbon group (which contains the Save button) to appear in the members' ribbon
    • /sitecore/content/Applications/Content Editor/Ribbons/Chunks/Workflow Edit — this causes the Edit ribbon group (which contains the Edit/Check In button) to appear in the members' ribbon

Site Administrator Roles

  • For each site in your Sitecore installation, create new role called "sitecore\My Site Administrator".

  • Make the sitecore\My Site Administrator role a member of the sitecore\Company Administrator role.

  • Within the Master database, grant the sitecore\My Site Administrator role the following permissions
    • Write permission to static content pages, like Terms of Use, Privacy Statement, Help, etc. This will give members the permission to make changes to these "documents".
    • Create Item and Create Descendants permission to content folders that hold a document repository. This will give members permission to create new documents on the site.

ScrewTurn Wiki version Some of the icons created by FamFamFam. Except where noted, all contents Copyright © 1999-2023, Patrick Jasinski.