Security model

Kentico CMS provides a flexible security model that allows you to configure granular permissions for content and modules. The security model consists of:

- users (shared among web sites)
- roles (specific to web sites)
- module permissions
- document permissions

 

The users, roles and global permissions can be managed at two levels:

- In Site Manager -> Administration, where global administrators can edit all data.

- In CMS Desk -> Administration, where local administrators can edit only data related to the current web site (the current web site is recognized by the current domain).

 

Relationships between users, roles and permissions

 

The following figure shows how users are assigned to roles and how users and roles are granted permissions for documents and modules:

 

[Figure: security model schema]

 

Users can be members of any number of roles. They can be granted permissions for particular documents in the CMS repository. If you want to grant a user permissions for a module, you need to make the user a member of a role and grant the permissions to that role (users cannot be granted permissions for modules directly).

 

Roles in Kentico CMS are fully customizable. This means you're not limited to a predefined set of roles. Instead, you can define your own roles with a custom set of permissions.

 

If the user is a member of multiple roles, her permissions for modules are calculated as the sum of all permissions granted to all of her roles.

 

If permissions for documents in the CMS repository are granted to both the user and her roles, the document permissions are calculated as the sum of all permissions granted to the user and to all of her roles. If the user or any of her roles is denied an action (such as modifying a document), the result for that permission is always "denied", even if the remaining roles are allowed to perform the action.
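
The calculation rules above, written out as a small model. This is an added example, not Kentico CMS code or its API: the class and function names, the sample roles and the permission names are all constructed, and it assumes that only the roles of the current web site count for a user.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    site: str                                       # roles are specific to one web site
    module_perms: set = field(default_factory=set)  # {(module, permission)}
    doc_allow: dict = field(default_factory=dict)   # {document path: {permission}}
    doc_deny: dict = field(default_factory=dict)    # {document path: {permission}}

@dataclass
class User:
    name: str                                       # users are shared among web sites
    roles: list = field(default_factory=list)
    doc_allow: dict = field(default_factory=dict)   # users hold document permissions directly
    doc_deny: dict = field(default_factory=dict)    # ...but no module permissions

def site_roles(user, site):
    """Assumption of this model: only roles of the current site apply."""
    return [r for r in user.roles if r.site == site]

def module_permissions(user, site):
    """Module permissions: sum (union) over all of the user's roles."""
    perms = set()
    for role in site_roles(user, site):
        perms |= role.module_perms
    return perms

def document_permissions(user, site, path):
    """Document permissions: union of allows from the user and all roles,
    minus anything denied by the user or by any single role."""
    allowed, denied = set(), set()
    for principal in [user] + site_roles(user, site):
        allowed |= principal.doc_allow.get(path, set())
        denied |= principal.doc_deny.get(path, set())
    return allowed - denied            # one deny always wins over any allow

# Constructed sample data: two roles on siteA, one on siteB.
editors = Role("Editors", "siteA", {("News", "Modify")},
               doc_allow={"/News": {"Read", "Modify"}})
interns = Role("Interns", "siteA", {("News", "Read")},
               doc_allow={"/News": {"Read"}}, doc_deny={"/News": {"Modify"}})
admins_b = Role("Admins", "siteB", {("Users", "Modify")})
alice = User("alice", [editors, interns, admins_b],
             doc_allow={"/News": {"Delete"}})

if __name__ == "__main__":
    print(sorted(module_permissions(alice, "siteA")))
    print(sorted(document_permissions(alice, "siteA", "/News")))
```

In the sample data, the Interns role denies "Modify" on /News, so alice cannot modify it even though Editors allows it. When reviewing role assignments, this means adding a user to a role with a deny can remove access the user had through another role.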