Try our conversational search powered by Generative AI!
AI OnAI Off
All those virtual roles
Normally you create the 2 groups WebEditors and WebAdmins in your Episerver solution. This let's any user that is part of WebEditors into edit mode and WebAdmins into admin mode. This is defined in the location tag in web.config. So far so good.
Episerver then maps a few roles to the CmsAdmins and CmsEditors. If you are part of the WebAdmins or the Administrators role, you will automagically also be part of the CmsAdmins role as well for instance. This is also set up in web.config by using mapped roles.
<add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="WebAdmins, Administrators" mode="Any" />
Why? Because they use MVC authorization behind the scene and you also want the possibility to let other roles into edit/admin mode.
It's used in the controllers for the edit/admin mode functionality for MVC authorization. Episerver decorates some controllers with
[Authorize(Roles = “CmsAdmins”)]
which will block access for all users except those part of CmsAdmins. Since you can add your own roles that gain access to edit mode, this makes sense if you want to use MVC authorization etc. Then Episerver only needs to have the attribute above for their functionality to block it.
Let's say you want to let the role INTRANET_ADMINS into admin mode. Then you need to change the location tag in web.config
<location path="EPiServer/CMS/admin">
<system.web>
<authorization>
<allow roles="WebAdmins, Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
and then set up a new mapping like INTRANET_ADMINS => CmsAdmins in the virtual role mapping above and MVC authorization will also work...
Oct 28, 2016 12:02
I don't like how the authorization rules are set up in the web.config (in Alloy based projects).
I prefer to use virtual roles, so I don't have to do the double work.
For example
<location path="EPiServer/CMS/admin">
<system.web>
<authorization>
<allow roles="CmsAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Instead of
<location path="EPiServer/CMS/admin">
<system.web>
<authorization>
<allow roles="WebAdmins, Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
The reason is very simple. If I make a change to virtual roles (add more admin groups), I don't have to update the location elements.
Episerver uses these eight virtual roles:
- Anonymous
- Authenticated
- Creator
- Everyone
- Administrator
- CmsAdmins
- CmsEditors
- PackagingAdmins
Edited,
Oct 28, 2016 14:14
Thanks for the answers. So EpiServer uses CmsAdmins internally, not WebAdmins? In that case, I will follow your advice, Dejan. I guess I have to update page access rights also, since WebAdmins/WebEditors is used here.
Oct 28, 2016 16:58
Hmm yeah ideally you have another role for access rights to content. That gives you all possible options if you want to give editors access to only parts of the site.
Edited,
Oct 28, 2016 19:53
When I install a clean site, I get several virtual roles out of the box. Out of the box you get "Administrators", "Everyone", "Authenitcated", "CmsAdmins", "CmsEditors", "Creator" and "PackageAdmins". Most of them are self explanatory. But under the location tag for /episerver/cms/admin there is another role defined in the allow tag: WebAdmins. Same story with /episerver and WebEditors.
So can someone explain the difference between CmsEditors and WebEditors, CmsAdmins and WebAdmins? Is there other virtual roles used by the framework, that is not defined in the config?
The reason I'm asking, is that I'm enabling federated security on a web site, and I need to know wich roles to send from the federation server. See http://world.episerver.com/documentation/developer-guides/CMS/security/federated-security/.