Kentico CMS provides a flexible security model that allows you to configure granular access permissions for content and modules.
The security model consists of:
•users (shared among websites)
•roles (can be defined for particular websites or globally for all sites in the system)
•memberships (collections of roles that can be assigned to users)
Users, roles and permissions can be managed on two levels:
•In Site Manager -> Administration, where global administrators can configure the data of all sites and define global objects.
•In CMS Desk -> Administration, where local administrators can edit only data related to the current website (the current website is recognized by the current domain).
The following figure shows how users are assigned to roles and how permissions for documents and modules are granted to users and roles:
Users can be members of any number of roles. Permissions for particular documents in the CMS repository can be granted to them. If you want to grant permissions for some module to a user, you need to make the user a member of a role and grant the permissions to the role (i.e. permissions for modules cannot be granted to users directly).
Roles in Kentico CMS are fully customizable. It means you're not limited to a predefined set of roles. Instead, you can define your own roles with custom sets of permissions.
If a user is a member of multiple roles, their permissions for modules are calculated as a sum of all permissions granted to all roles.
If permissions for documents in the CMS repository are granted to both a user and their roles, document permissions are calculated as a sum of all permissions granted to the user and to all roles. If a user or some of their roles are denied to make some action (such as modify document), then the result is always "denied" for the given permission, even if some of the roles are allowed to perform the action.