A clear, hands-on guide to build websites that get the most out of Kentico CMS 5’s many powerful features
Fundamentals of site security
I don’t think anyone can dispute that security management is an essential part of our daily routine. We need to make sure that we protect customer data and guard the site from any unwanted intruders. Security management is the process that we use to decide who has access to the site, what areas they are able to see, and what documents they can view and interact with. Kentico CMS security is managed using the:
- Site Manager Administration tab to edit system-wide data
- CMS Desk Administration tab to edit data related to a specific website
The security model that we use to maintain and administer the system is based on the following:
- Users — This is an individual user who is assigned a system account.
- Roles — Security groups that contain users. Because a user can belong to multiple roles, their permissions are calculated as a sum of all permissions granted to all roles they belong to.
- Document permissions — Document permissions are granted to both users and roles. At runtime, document permissions are calculated as a sum of all permissions granted to the user and their assigned roles.
- UI personalization — UI personalization is used to remove specific portions of the user interface.
Security permissions are calculated at runtime. These are a combination of global settings and individual website settings. It’s important to remember that if the user or any of their roles are denied access to a resource, they are always denied access to that resource, even if one of their roles is allowed access.
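The following Python sketch is an added example, not Kentico code or an API from the product. It models the rule described above: grants from the user and all of their roles are summed, a single deny overrides every allow, and the Is global administrator flag covered later in this section bypasses the checks entirely. The document path, the permission names, the Restricted contractors role, and the treatment of "no grant" as no access are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"

@dataclass
class Principal:                      # a role, or the base of a user
    name: str
    grants: dict = field(default_factory=dict)  # {document: {permission: ALLOW|DENY}}

@dataclass
class User(Principal):
    roles: list = field(default_factory=list)
    is_global_admin: bool = False

def effective_permissions(user, document, permissions):
    """Return {permission: (granted, reason)} for one user on one document."""
    result = {}
    for perm in permissions:
        if user.is_global_admin:      # global administrators bypass every check
            result[perm] = (True, "global administrator")
            continue
        allowed_by, denied_by = [], []
        for principal in [user, *user.roles]:
            decision = principal.grants.get(document, {}).get(perm)
            if decision == ALLOW:
                allowed_by.append(principal.name)
            elif decision == DENY:
                denied_by.append(principal.name)
        if denied_by:                 # any deny wins over every allow
            result[perm] = (False, "denied by " + ", ".join(denied_by))
        elif allowed_by:              # otherwise grants are summed
            result[perm] = (True, "allowed by " + ", ".join(allowed_by))
        else:                         # assumption: nothing granted means no access
            result[perm] = (False, "no grant")
    return result

def sample_user(is_global_admin=False):
    """Constructed sample: the document path, permission names and the
    'Restricted contractors' role are hypothetical."""
    basic = Principal("CMS Basic users", {"/Products": {"read": ALLOW}})
    restricted = Principal("Restricted contractors", {"/Products": {"read": DENY}})
    return User("Joe Brown", {"/Products": {"modify": ALLOW}},
                roles=[basic, restricted], is_global_admin=is_global_admin)

if __name__ == "__main__":
    for admin in (False, True):
        print(admin, effective_permissions(sample_user(admin), "/Products", ["read", "modify", "delete"]))
```

The reason string names the role responsible for a deny, which is the first thing to check when a user reports losing access after being added to another role.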
Time for action – creating a new role
Now, let’s create a new role and assign it to a user using these steps:
- In CMS Site Manager, select the Administration tab, Roles, and New role, as shown in the following screenshot:
- In the New role dialog, enter the following information and select OK.
- Select the Add users tab, as shown in the following screenshot:
- Select the user Joe Brown from the list and select OK, as shown in the following screenshot:
What roles are there?
Roles are one of the easiest ways to apply security to your users. The system contains a variety of pre-defined roles that are available in the Roles menu item, as shown in the previous screenshot.
Have a go hero – mapping roles
As we just saw, the system contains a default set of pre-defined user roles that can be found in Site Manager under the Administration tab, in Roles. Spend some time studying these roles and understand how they fit into your website security model. Once that is completed, put together a proposal that defines any additions or changes that may be needed.
What just happened?
When you clicked the New role button, you first identified the name of the role used across all system management areas. Once the role was created, you then added the user Joe Brown to the role.
Time for action – adding a user to another role
Users can belong to multiple roles within the system. Let’s add our user Joe Brown to another role through the CMS Desk interface with these steps:
- Log in to CMS Desk as Global Administrator, select the Administration tab, click Users, and select the manage user roles icon, as shown in the following screenshot:
- Select CMS Basic users, click the move right (>) button and select Close, as shown in the following screenshot:
- Select the edit user icon, as shown in the following screenshot:
- Select the General tab, uncheck the Is global administrator box, and select OK, as shown in the following screenshot:
- Select the Log in as this user link, as shown in the following screenshot:
- Select OK to change the user prompt, as shown in the following screenshot:
- Verify that you are logged in as the User: Joe Brown, as shown in the following screenshot:
Why are we doing this?
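If Joe is a Global Administrator, he will automatically have access to all system resources, regardless of the roles he belongs to. Unchecking the box lets us see the effect of the roles we have assigned when we log in as him.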