2.6.1 Predefined Roles
Sitecore comes with a series of predefined roles.
The Client Users Role
The Sitecore Client Users role is required to grant minimal access to the Sitecore shell. With this role you can log in to the Sitecore Desktop, but you will not have access to any applications. All of the other Sitecore client roles are members of the Sitecore Client Users role, so users in any Sitecore client role are automatically members of the Sitecore Client Users role.
The Everyone Role
The Everyone role is not a physical role but a virtual one that mirrors the Windows 'Everyone' construct. It does not exist in the role database; it is used purely when assigning and resolving security. The Everyone role can be used to assign access rights to every user, or to every user in a specific domain, and it is available as both a global role and a local role in every domain.
The Author Role
This is what we call a “content role”: it provides access to content in the content tree (hence the name “content role”). This role also has two of the Sitecore Client roles assigned to it, so that you can assign just this role to a user and the Sitecore Client Authoring and Sitecore Client Users roles will be assigned to the user automatically. This role provides access to basic item editing features such as the Media Library and the Content Editor, with a reduced set of tabs on the ribbon.
The Designer Role
This role provides read and write access to the areas of the content tree required when changing layout details for individual items and for groups of items via template standard values, as well as to the items required when configuring the Page Editor Design Pane. This role also has two of the Sitecore Client roles assigned to it, so that you can assign just this role to a user and the Sitecore Client Designing and Sitecore Client Users roles will be assigned to the user automatically. Note that the sitecore\Designer role is not a member of the Author and Authoring roles. This role provides access to the Page Editor Design Pane features and to the designer options on the Presentation tab of the Content Editor, allowing various aspects of the page design to be edited. Again, note that this role has no access to manipulating items in any way.
The Developer Role
This role is also a “content role”, in that users assigned this role have access to the manipulation of items within the content tree. This role provides the access that both the sitecore\Author and sitecore\Designer roles have. Also added to this role are the sitecore\Sitecore Client Developing, sitecore\Sitecore Client Maintaining and sitecore\Sitecore Client Configuring roles, to allow access to all the areas of the system that a Sitecore developer would normally require. This role provides access to the content manipulation facilities in the Content Editor, plus all the design and authoring roles normally used by client authors and client designers. It also provides access to more functionality on the ribbon of the Content Editor, giving full development features to users assigned this role. This role also has access to the “Development Tools” menu on the Sitecore menu, which provides further development tools such as the “Package Designer”.
Sitecore Client Authoring
This is a “user interface” role which allows users to access basic item editing features. Most client users should have this role to allow access to basic authoring features.
Sitecore Client Designing
This role provides access to Page Editor Design Pane features which allow a user to set layout details associated with items in the Sitecore client.
Sitecore Client Securing
This role allows a user to assign access rights using the Content Editor and other appropriate applications.
Sitecore Client Account Managing
This role allows a user to maintain users, roles, and domains through the use of the Access Manager, the Domain Manager, the Role Manager and the User Manager.
Sitecore Minimal Page Editor
This role limits the functionality provided by the Sitecore Client Authoring role (which is still required for users given this role). It restricts the functionality available in the Page Editor to the absolute minimum, and users who have been assigned this role do not have access to the Page Editor ribbon.
Sitecore Limited Page Editor
This role limits the functionality provided by the Sitecore Client Authoring role (which is still required for users given this role), but allows more functional access than the Sitecore Minimal Page Editor role. It restricts the functionality available in the Page Editor; however, unlike the Minimal Page Editor role, users assigned this role see a simplified version of the standard Page Editor ribbon.
Sitecore Limited Content Editor
This role limits the Content Editor functionality provided by the Sitecore Client Authoring role (which is still required for users given this role).
When assigned this role, a content author only has access to the Home, Review and Publish tabs in the Content Editor ribbon, and has no access to the copying, moving and sorting facilities on the item “right-click” menu.
2.7.1 Access Rights
Sitecore comes with a series of predefined access rights. These are:
- Read — controls whether an account can see an item in the content tree and/or on the published Web site, including all of its properties and field values.
- Write — controls whether an account can update field values. The write access right requires the read access right and field read and field write access rights for individual fields (field read and field write are allowed by default).
- Create — controls whether an account can create child items. The create access right requires the read access right.
- Rename — controls whether an account can change the name of an item. The rename access right requires the read access right.
- Delete — controls whether an account can delete an item. The delete access right requires the read access right. Important: the Delete command also deletes all child items, even if the account has been denied Delete rights for one or more of the subitems.
- Administer — controls whether an account can configure access rights on an item. The administer access right requires the read and write access rights.
- Field Read — controls whether an account can read a specific field on an item.
- Field Write — controls whether an account can update a specific field on an item.
- Language Read — controls whether a user can read a specific language version of items.
- Language Write — controls whether a user can update a specific language version of items.
- Site Enter — controls whether a user can access a specific site.
- Workflow State Delete — controls whether a user can delete items which are currently associated with a specific workflow state.
- Workflow State Write — controls whether a user can update items which are currently associated with a specific workflow state.
- Workflow Command Execute — controls whether a user is shown specific workflow commands.
- * — controls all the access rights at once. You can use it to allow or deny all the rights assigned to a specific item at once.
- Inheritance — controls whether security rights are passed down from parent items to child items. The security model lets you choose inheritance on a per-account basis, and the choice applies to all access rights for that account: the inheritance setting you choose applies to the selected account only.
2.7.2 Access Right Settings
Each access right has one of three possible settings. They are:
- Allow — explicitly permit the associated access right for the selected account.
- Deny — explicitly revokes the associated access right for the selected account. Deny overrides Allow: a user is denied the access right if the user or any of their roles is denied it, or if the access right is never specifically allowed for the user or any of their roles.
- Inherit — neither permits nor revokes an access right. The status of the access right for a given user is determined based on a number of factors, including the complete collection of explicit access rights set on the user and assigned roles for the item in question and items higher up in the content tree.
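To make the resolution rules of 2.7.1 and 2.7.2 concrete, here is an added Python model (not Sitecore's own code or API) of how Allow, Deny and Inherit combine across a user's roles and the content tree, including the right dependencies and the cascading Delete. Beyond what the page states, it assumes that for one account the explicit setting closest to the item overrides ancestor settings; the item tree, role names and user name are constructed for the example.

```python
# Constructed model of the Allow/Deny/Inherit resolution and right dependencies of 2.7.1-2.7.2,
# not Sitecore's code. Assumption: the closest explicit setting wins per account; Deny beats Allow.
ALLOW, DENY, INHERIT = "allow", "deny", "inherit"

# Dependencies listed on the page: write/create/rename/delete need read; administer needs both.
REQUIRES = {"write": ("read",), "create": ("read",), "rename": ("read",),
            "delete": ("read",), "administer": ("read", "write")}

class Item:
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.acl = {}        # (account, right) -> ALLOW/DENY; a missing key means Inherit
        self.inherits = {}   # account -> bool: per-account inheritance switch (default True)
        if parent:
            parent.children.append(self)

def nearest_setting(item, account, right):
    """First explicit setting for this account walking from item to the root; INHERIT if
    none is found before the root or before inheritance is switched off for the account."""
    node = item
    while node is not None:
        setting = node.acl.get((account, right), INHERIT)
        if setting != INHERIT or not node.inherits.get(account, True):
            return setting
        node = node.parent
    return INHERIT

def has_right(item, user, roles, right):
    """Dependent rights must be granted first, Deny on any account beats Allow, and a
    right that is never explicitly allowed for the user or a role is denied."""
    if not all(has_right(item, user, roles, dep) for dep in REQUIRES.get(right, ())):
        return False
    settings = [nearest_setting(item, acct, right) for acct in (user, *roles)]
    return DENY not in settings and ALLOW in settings

def delete_subtree(item, user, roles):
    """Names removed by Delete on item: the whole subtree, even where a child denies Delete."""
    def names(n):
        return [n.name] + [x for c in n.children for x in names(c)]
    return names(item) if has_right(item, user, roles, "delete") else []

# Constructed sample tree content/Home/{Products,Legal} and settings for two roles.
root = Item("content"); home = Item("Home", root)
products, legal = Item("Products", home), Item("Legal", home)
AUTHOR, REVIEWER = "sitecore\\Author", "sitecore\\Legal Reviewer"
root.acl[(AUTHOR, "read")] = root.acl[(AUTHOR, "write")] = ALLOW
home.acl[(AUTHOR, "delete")] = ALLOW
legal.acl[(AUTHOR, "write")] = legal.acl[(AUTHOR, "delete")] = DENY   # child setting overrides Allow above
legal.acl[(REVIEWER, "write")] = ALLOW                                # Author's Deny still wins
```

Deleting Home removes Legal as well even though the Author role is denied Delete there, which is the behaviour the Important note above warns about.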