Role management

Roles are objects that define authorization options for users, i.e. which actions they are allowed to perform on the website and within the Kentico administration interface. Roles provide an interface that maps permissions to users in a way that can easily be reused. Each role can be assigned to any amount of users and vice versa – a user can be a member of an unlimited number of roles.

Managing roles

You can find the management interface for roles in the Roles application.

Roles can either be assigned to a specific site or defined as global objects that are available for all sites. In the Roles application, you can select the site context using the Site drop‑down list at the top of the page. To access the list of all global roles in the system, choose the (global) option. Using global roles can save a lot of time when working with a large number of sites that require similar types of authorization options. Global roles may only be assigned by users with the Global administrator privilege level.

You can specify the following properties when adding a new role:

Role display name

Sets a name for the role displayed to users in the administration interface.

Role code name

Sets a name that serves as an identifier for the role.

Role description

Can be used to enter an optional text description for the role.

Is domain role

Indicates if the role was imported from Active Directory.

Code names of global roles

Code names are only checked for uniqueness within the context of individual sites, which means that it is possible for a global role to have the same code name as a site‑specific role.

If you need to specify a global role using its code name in your custom website code or via the API, you can add the period character (“.”) as a prefix. This ensures that only the global role will be selected and any site roles with the same code name will be ignored (for example .Content_admin).

Editing a role

The role editing interface is divided into the following tabs:

General

On this tab, you can edit the basic properties of the role.

Users

Here you can add or remove users to/from the currently edited role. These users will be authorized to perform actions according to the permissions granted to the role on the Permissions tab. Roles can either be assigned to users permanently or only until a specified date and time.

If you wish to add users, click the Add users button and check the boxes next to the appropriate users in the displayed selection dialog.

Only users who are assigned to the same site as the role can be chosen (global roles may be assigned to all users in the system). The Valid to field at the bottom of the dialog can be used to assign users to the role for a limited time only. Using the Calendar () you can easily select the exact date and time when the role should expire for the user. If this field is left empty, the users will be assigned to the role for an unlimited time period.

The Change validity () action that is available for every listed user may be used to prolong or shorten the time interval for which the user should be assigned to the role. This way you can set an expiration date or reactivate expired roles for users.

Memberships

On this tab, you can add memberships to which the role is assigned.

Permissions

On this tab, you can configure which permissions should be assigned to the given role. If you wish to add permissions, select the type of the permission that you wish to assign using the two drop-down lists. The system displays individual permissions for the specified module or page type, which you can enable by checking the corresponding boxes.

UI Personalization

On the two sub-tabs under this category, you can choose which parts of the administration interface will be displayed to the members of the given role. You can also change the settings of the WYSIWYG Editor for this particular role.

Individual interface elements can be configured on the Dialogs sub‑tab. This is where you can select a module from the Module drop-down list and then enable or disable the visibility of individual dialogs by checking the corresponding boxes. Only dialogs that are checked will be displayed to users assigned to the given role.

You can adjust the WYSIWYG Editor settings for the given role on the Editor tab. You can make adjustments in a similar way as with dialogs.

For more information, see UI personalization.

Default dashboard

This tab allows you to configure which applications will the members of the role have on their application dashboard.

See Configuring the application dashboard for more information.

Working with roles on MVC sites

On sites built using the MVC development model, developers can additionally utilize roles in the following ways: