Kentico CMS provides a flexible security model that allows you to configure granular access permissions for content and modules.
The security model consists of:
• users (shared among websites)
• roles (specific for websites)
User, role and global permissions can be managed at two levels:
• In Site Manager -> Administration, where global administrators can edit all data.
• In CMS Desk -> Administration, where local administrators can edit only data related to the current website (the current website is recognized by the current domain).
Relationships between users, roles and permissions
The following figure shows how users are assigned to roles and how permissions for documents and modules are granted to users and roles:
Users can be members of any number of roles, and permissions for particular documents in the CMS repository can be granted to users directly. Permissions for modules cannot be granted to users directly: to give a user permissions for a module, make the user a member of a role and grant the permissions to that role.
Roles in Kentico CMS are fully customizable. This means you are not limited to a predefined set of roles. Instead, you can define your own roles with custom sets of permissions.
If a user is a member of multiple roles, their permissions for modules are calculated as a sum of all permissions granted to all roles.
If permissions for documents in the CMS repository are granted to both a user and their roles, document permissions are calculated as a sum of all permissions granted to the user and to all roles. If the user or any of their roles is denied an action (such as modifying a document), the result for that permission is always "denied", even if some of the roles are allowed to perform the action.
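The calculation rules above, written out as a small model that also reports which user or role causes a denial. This is an added example, not Kentico code or its API; the class and function names, the document path, and the module and action names are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    """Anything that can hold document permissions: a user or a role."""
    name: str
    doc_allow: dict = field(default_factory=dict)  # document path -> allowed actions
    doc_deny: dict = field(default_factory=dict)   # document path -> denied actions

@dataclass
class Role(Principal):
    module_perms: set = field(default_factory=set)  # {(module, permission)}

@dataclass
class User(Principal):
    # Deliberately no module_perms: modules are granted through roles only.
    roles: list = field(default_factory=list)

def module_permissions(user):
    """Sum (set union) of the module permissions of every role the user is in."""
    return set().union(*(r.module_perms for r in user.roles))

def explain(user, doc, action):
    """Return (granted, allowers, deniers) for one action on one document."""
    principals = [user, *user.roles]
    allowers = [p.name for p in principals if action in p.doc_allow.get(doc, ())]
    deniers = [p.name for p in principals if action in p.doc_deny.get(doc, ())]
    # A single deny wins over any number of allows.
    return (bool(allowers) and not deniers, allowers, deniers)

def document_permissions(user, doc):
    """Effective document permissions: all allows minus anything denied."""
    candidates = set()
    for p in [user, *user.roles]:
        candidates |= set(p.doc_allow.get(doc, ()))
    return {a for a in candidates if explain(user, doc, a)[0]}

# Constructed sample data (hypothetical roles, paths and permission names).
editors = Role("Editors", doc_allow={"/News": {"Read", "Modify"}},
               module_perms={("Content", "Read")})
contractors = Role("Contractors", doc_deny={"/News": {"Modify"}},
                   module_perms={("Forums", "Modify")})
alice = User("alice", doc_allow={"/News": {"Delete"}}, roles=[editors, contractors])

if __name__ == "__main__":
    print(module_permissions(alice))
    print(document_permissions(alice, "/News"))
    print(explain(alice, "/News", "Modify"))
```

When reviewing access, the list of deniers returned by `explain` is the useful part: it shows which role membership is overriding an allow the administrator expected to apply.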